supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
From: "George Georgalis" <george@galis.org>
Cc: linux-kernel@vger.kernel.org, users@spamassassin.apache.org,
	misc@list.smarden.org, supervision@list.skarnet.org,
	mkettler@evi-inc.com
Subject: Re: a problem with linux 2.6.11 and sa
Date: Wed, 9 Mar 2005 10:29:59 -0500
Message-ID: <20050309152958.GB4042@ixeon.local>
In-Reply-To: <871xap9dfg.fsf@amaterasu.srvr.nix>

On Wed, Mar 09, 2005 at 01:06:11PM +0000, Nix wrote:

>> An interesting technique that allows a program (such as a log writer)
>> to run as an unprivileged user, while receiving privileged data. (taken
>> almost verbatim from Gerrit Pape's socklog)
>> 
>> #!/bin/sh
>> exec </proc/kmsg
>> exec 2>&1
>> exec softlimit -m 2000000 setuidgid nobody socklog ucspi
>> 
>> This script, run by root takes its stdin from /proc/kmsg then combines
>> its stdout and stderr, and exec-switches to the socklog program run
>> as an ucspi application listening to the domain stream socket, as
>> nobody:nogroup, with memory consumption limited to 2Mb. (and sends
>> log to stdout)
>
>This is definitely redirection, not piping. As far as I know the
>implementation of redirection in the kernel remains unchanged: certainly
>the need to buffer piped data doesn't exist in this case, and since the
>redesign was of the buffering, this is probably not your problem :)
>
>> It worked flawlessly until several kernel revs back when the kernel
>> started protecting kmsg and wouldn't allow the user program to receive
>> it,
>
>Indeed.
>
>>       result: nothing sent to the logging program and no error. The fix
>> was to run socklog as root instead of nobody.
>
>You should be able to open it as root and read from it as another user:
>i.e., your technique above shouldn't break. (I'd hope.)

Here is a nice proof that kmsg did become a problem around 2.6.0
http://article.gmane.org/gmane.comp.misc.pape.general/595
http://thread.gmane.org/gmane.comp.misc.pape.general/590


It (Gerrit Pape's technique) very definitely stopped working a few revs
back (2.6.7?). I'm seeing a similar failed read from /dev/rtc and
mplayer with 2.6.10, now too.

http://lkml.org/lkml/2005/3/8/226

while read file; do mplayer $file ; done <mediafiles.txt

Failed to open /dev/rtc: Permission denied

for file in `cat mediafiles.txt`; do mplayer $file ; done

works.

// George

-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george@galis.org
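As an added illustration (not code from this thread or from socklog) of the open-as-root, then-drop-privileges pattern the quoted run script relies on: the file is opened before credentials change, the drop is done in order and verified, and a read refused after the drop is reported instead of being swallowed. It uses a constructed temp file and the caller's own uid/gid so it runs unprivileged; the function names, paths and sample line are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open `path` while still privileged, then drop to uid/gid before any data is
 * read. The fd stays inheritable across exec, like stdin in the socklog run
 * script above. Returns the fd, or -1 with errno set. */
int open_then_drop(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY); if (fd < 0) return -1;
    if (geteuid() == 0) {
        /* Order matters: supplementary groups first, then gid, then uid. */
        if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) {
            int e = errno; close(fd); errno = e; return -1;
        }
        /* A real drop must not be reversible. */
        if (uid != 0 && setuid(0) == 0) { close(fd); errno = EPERM; return -1; }
    }
    return fd;
}

/* One read on the inherited fd. A refusal after the drop surfaces as -1 with
 * errno (e.g. EPERM), not as the silent "no data, no error" the thread reports. */
ssize_t read_after_drop(int fd, char *buf, size_t bufsz)
{
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

#define SAMPLE "<6>constructed kernel log line\n" /* constructed stand-in for a kmsg line */
/* Self-test: write SAMPLE to a temp file, open it, drop to the caller's own
 * uid/gid (a no-op unless root), read it back. Returns bytes read, -1 on a
 * syscall error, -2 if the data read back differs from SAMPLE. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/kmsgdemo.XXXXXX", buf[128];
    int tfd = mkstemp(path); if (tfd < 0) return -1;
    ssize_t w = write(tfd, SAMPLE, strlen(SAMPLE)); close(tfd);
    int fd = w == (ssize_t)strlen(SAMPLE) ? open_then_drop(path, getuid(), getgid()) : -1;
    unlink(path);
    if (fd < 0) return -1;
    ssize_t n = read_after_drop(fd, buf, sizeof buf); close(fd);
    return n < 0 ? -1 : strcmp(buf, SAMPLE) == 0 ? (int)n : -2;
}
```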
