supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
* socklog: unix socket permissions
@ 2004-06-19 20:16 Alex Efros
  2004-06-19 20:26 ` Brian Reichert
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Alex Efros @ 2004-06-19 20:16 UTC (permalink / raw)


Hi!

I want to execute socklog as a usual user. I've created unix socket ~/log and
set permissions to 770. But socklog changes these permissions to 777 every
time it (re)starts. Is this a bug? Or how can I disable this cool feature? :-)

-- 
			WBR, Alex.



* Re: socklog: unix socket permissions
  2004-06-19 20:16 socklog: unix socket permissions Alex Efros
@ 2004-06-19 20:26 ` Brian Reichert
  2004-06-19 21:51   ` Alex Efros
  2004-06-19 23:32 ` George Georgalis
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 7+ messages in thread
From: Brian Reichert @ 2004-06-19 20:26 UTC (permalink / raw)


On Sat, Jun 19, 2004 at 11:16:40PM +0300, Alex Efros wrote:
> Hi!
> 
> I want to execute socklog as a usual user. I've created unix socket ~/log and
> set permissions to 770. But socklog changes these permissions to 777 every
> time it (re)starts. Is this a bug? Or how can I disable this cool feature? :-)

What was the umask of the socklog process?

> 
> -- 
> 			WBR, Alex.

-- 
Brian Reichert				<reichert@numachi.com>
37 Crystal Ave. #303			Daytime number: (603) 434-6842
Derry NH 03038-1713 USA			BSD admin/developer at large	



* Re: socklog: unix socket permissions
  2004-06-19 20:26 ` Brian Reichert
@ 2004-06-19 21:51   ` Alex Efros
  0 siblings, 0 replies; 7+ messages in thread
From: Alex Efros @ 2004-06-19 21:51 UTC (permalink / raw)


Hi!

On Sat, Jun 19, 2004 at 04:26:24PM -0400, Brian Reichert wrote:
> > I want to execute socklog as a usual user. I've created unix socket ~/log and
> > set permissions to 770. But socklog changes these permissions to 777 every
> > time it (re)starts. Is this a bug? Or how can I disable this cool feature? :-)
> What was the umask of the socklog process?

0022

-- 
			WBR, Alex.



* Re: socklog: unix socket permissions
  2004-06-19 20:16 socklog: unix socket permissions Alex Efros
  2004-06-19 20:26 ` Brian Reichert
@ 2004-06-19 23:32 ` George Georgalis
  2004-06-19 23:41 ` George Georgalis
  2004-06-20  9:34 ` Gerrit Pape
  3 siblings, 0 replies; 7+ messages in thread
From: George Georgalis @ 2004-06-19 23:32 UTC (permalink / raw)



On Sat, Jun 19, 2004 at 11:16:40PM +0300, Alex Efros wrote:
>
>I want to execute socklog as a usual user. I've created unix socket ~/log and
>set permissions to 770. But socklog changes these permissions to 777 every
>time it (re)starts. Is this a bug? Or how can I disable this cool feature? :-)
>

This has stumped a few people... the answer is the 2.6 kernels don't
let you read /proc/kmsg except as root; you can't even read a pipe of it
as another user. Here's my example, it's based on Gerrit Pape's test
of different kernel versions:

run:~ # echo "content" >/tmp/testfile
run:~ # chmod 400 /tmp/testfile
run:~ # (su -c cat nobody) </tmp/testfile
content
run:~ # (su -c cat nobody) </proc/kmsg
cat: -: Operation not permitted
run:~ # ls -l /tmp/testfile /proc/kmsg
-r--------    1 root     root            0 Dec  8 18:44 /proc/kmsg
-r--------    1 root     root            8 Dec  8 18:42 /tmp/testfile
run:~ # su - nobody
nobody@run:~$ cat /tmp/testfile
cat: /tmp/testfile: Permission denied

(note the different type of error messages)


On Fri, Jan 23, 2004 at 01:53:55PM +0000, Gerrit Pape wrote:
>
>Unfortunately the implementation of the proc filesystem in the 2.6.x
>linux kernels makes open() a noop, and checks permissions in read().  So
>the newer linux kernels force the application reading from /proc/kmsg to
>run under root privileges.
>
>See linux-2.6.1/fs/proc/kmsg.c and linux-2.6.1/kernel/printk.c, function
>do_syslog().


He also said 

From: Gerrit Pape <pape <at> smarden.org>
Subject: Re: Error running socklog Klog service
Newsgroups: gmane.comp.misc.pape.general
Date: Wed, 07 Apr 2004 12:30:10 +0000

On Tue, Apr 06, 2004 at 09:28:19PM -0400, George Georgalis wrote:
> >See linux-2.6.1/fs/proc/kmsg.c and linux-2.6.1/kernel/printk.c,
> >function do_syslog().

> Is there any doc on the implementation? I (still, 2.6.5) don't see
> mention in Documentation/ 

I'm afraid, no, I'm not aware of any documentation other than the
source code.

> Is it of any value?

The simplicity in implementation might be of value for the kernel
developers.




You can see most of the discussion I dug up in the attached gz mbox.

// George

-- 
George Georgalis, Architect and administrator, Linux services. IXOYE
http://galis.org/george/  cell:646-331-2027  mailto:george@galis.org
Key fingerprint = 5415 2738 61CF 6AE1 E9A7  9EF0 0186 503B 9831 1631

[-- Attachment #2: kmsg-problem.gz --]
[-- Type: application/octet-stream, Size: 4665 bytes --]


* Re: socklog: unix socket permissions
  2004-06-19 20:16 socklog: unix socket permissions Alex Efros
  2004-06-19 20:26 ` Brian Reichert
  2004-06-19 23:32 ` George Georgalis
@ 2004-06-19 23:41 ` George Georgalis
  2004-06-20  0:04   ` Alex Efros
  2004-06-20  9:34 ` Gerrit Pape
  3 siblings, 1 reply; 7+ messages in thread
From: George Georgalis @ 2004-06-19 23:41 UTC (permalink / raw)


On Sat, Jun 19, 2004 at 11:16:40PM +0300, Alex Efros wrote:
>
>I want to execute socklog as a usual user. I've created unix socket ~/log and
>set permissions to 770. But socklog changes these permissions to 777 every
>time it (re)starts. Is this a bug? Or how can I disable this cool feature? :-)
>

I don't think I read your message closely... :) but if you can get
socklog-klog/log/run to work as non root, I'll be very impressed!

// George


-- 
George Georgalis, Architect and administrator, Linux services. IXOYE
http://galis.org/george/  cell:646-331-2027  mailto:george@galis.org
Key fingerprint = 5415 2738 61CF 6AE1 E9A7  9EF0 0186 503B 9831 1631




* Re: socklog: unix socket permissions
  2004-06-19 23:41 ` George Georgalis
@ 2004-06-20  0:04   ` Alex Efros
  0 siblings, 0 replies; 7+ messages in thread
From: Alex Efros @ 2004-06-20  0:04 UTC (permalink / raw)
  Cc: supervision

Hi!

On Sat, Jun 19, 2004 at 07:41:17PM -0400, George Georgalis wrote:
> >I want to execute socklog as a usual user. I've created unix socket ~/log and
> >set permissions to 770. But socklog changes these permissions to 777 every
> >time it (re)starts. Is this a bug? Or how can I disable this cool feature? :-)
> I don't think I read your message closely... :) but if you can get
> socklog-klog/log/run to work as non root, I'll be very impressed!

No, I don't run "klog" as non root, I run "syslog" as non root using ~/log
instead of /dev/log.

-- 
			WBR, Alex.



* Re: socklog: unix socket permissions
  2004-06-19 20:16 socklog: unix socket permissions Alex Efros
                   ` (2 preceding siblings ...)
  2004-06-19 23:41 ` George Georgalis
@ 2004-06-20  9:34 ` Gerrit Pape
  3 siblings, 0 replies; 7+ messages in thread
From: Gerrit Pape @ 2004-06-20  9:34 UTC (permalink / raw)


On Sat, Jun 19, 2004 at 11:16:40PM +0300, Alex Efros wrote:
> I want to execute socklog as a usual user. I've created unix socket ~/log and
> set permissions to 770. But socklog changes these permissions to 777 every
> time it (re)starts. Is this a bug? Or how can I disable this cool feature? :-)

Yes, the socklog program does unlink("~/log"), umask(0), and then
re-creates the file through bind(), permissions change to 777.

I agree that this default behavior is not always the desired one; making
it configurable somehow shouldn't be that difficult.

Regards, Gerrit.

BTW, you're on the wrong list.


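The unlink(), umask(), bind() sequence described in the last reply can be reproduced with the added example below, which is not socklog's code and not part of the thread. It assumes a system (such as Linux) where bind() creates the socket file with mode 0777 masked by the process umask; the function name, the /tmp path and the choice of SOCK_DGRAM are made up for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <unistd.h>

/* Bind an AF_UNIX socket at `path` under umask `mask` and return the
 * permission bits of the socket file that bind() created, or -1 on error.
 * Any existing file at `path` is removed first, so a mode set on it by an
 * earlier chmod is lost. The previous umask is restored before returning. */
static int bound_socket_mode(const char *path, mode_t mask)
{
    struct sockaddr_un sa;
    struct stat st;
    int mode = -1;

    if (strlen(path) >= sizeof sa.sun_path)
        return -1;                       /* path would not fit in sun_path */
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);

    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    unlink(path);                        /* step 1: drop the old socket file */
    mode_t old = umask(mask);            /* step 2: set the creation mask */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 &&  /* step 3 */
        stat(path, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    umask(old);
    close(fd);
    unlink(path);                        /* clean up the demo socket */
    return mode;
}

int main(void)
{
    const char *path = "/tmp/socklog-perm-demo.sock"; /* constructed demo path */
    printf("umask(0)    -> %03o\n", (unsigned)bound_socket_mode(path, 0));
    printf("umask(0007) -> %03o\n", (unsigned)bound_socket_mode(path, 0007));
    printf("umask(0022) -> %03o\n", (unsigned)bound_socket_mode(path, 0022));
    return 0;
}
```

Binding under a restrictive umask gives the socket its final mode at creation; a chmod() after bind() would leave a brief window at the wider mode.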
