From: "George Georgalis" <george@galis.org>
Cc: linux-kernel@vger.kernel.org, users@spamassassin.apache.org,
misc@list.smarden.org, supervision@list.skarnet.org,
mkettler@evi-inc.com
Subject: Re: a problem with linux 2.6.11 and sa
Date: Wed, 9 Mar 2005 10:29:59 -0500 [thread overview]
Message-ID: <20050309152958.GB4042@ixeon.local> (raw)
In-Reply-To: <871xap9dfg.fsf@amaterasu.srvr.nix>
On Wed, Mar 09, 2005 at 01:06:11PM +0000, Nix wrote:
>> An interesting technique that allows a program (such as a log writer)
>> to run as an unprivileged user, while receiving privileged data. (taken
>> almost verbatim from Gerrit Pape's socklog)
>>
>> #!/bin/sh
>> exec </proc/kmsg
>> exec 2>&1
>> exec softlimit -m 2000000 setuidgid nobody socklog ucspi
>>
>> This script, run by root takes its stdin from /proc/kmsg then combines
>> its stdout and stderr, and exec-switches to the socklog program run
>> as an ucspi application listening to the domain stream socket, as
>> nobody:nogroup, with memory consumption limited to 2Mb. (and sends
>> log to stdout)
>
>This is definitely redirection, not piping. As far as I know the
>implementation of redirection in the kernel remains unchanged: certainly
>the need to buffer piped data doesn't exist in this case, and since the
>redesign was of the buffering, this is probably not your problem :)
>
>> It worked flawlessly until several kernel revs back when the kernel
>> started protecting kmsg and wouldn't allow the user program to receive
>> it,
>
>Indeed.
>
>> result: nothing sent to the logging program and no error. The fix
>> was to run socklog as root instead of nobody.
>
>You should be able to open it as root and read from it as another user:
>i.e., your technique above shouldn't break. (I'd hope.)
Here is a nice proof that kmsg did become a problem around 2.6.0
http://article.gmane.org/gmane.comp.misc.pape.general/595
http://thread.gmane.org/gmane.comp.misc.pape.general/590
It (Gerrit Pape's technique) very defiantly stopped working a few revs
back (2.6.7?). I'm seeing a similar failed read from /dev/rtc and
mplayer with 2.6.10, now too.
http://lkml.org/lkml/2005/3/8/226
while read file; do mplayer $file ; done <mediafiles.txt
Failed to open /dev/rtc: Permission denied
for file in `cat mediafiles.txt`; do mplayer $file ; done
works.
// George
--
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george@galis.org
next prev parent reply other threads:[~2005-03-09 15:29 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20050303214023.GD1251@ixeon.local>
[not found] ` <6.2.1.2.0.20050303165334.038f32a0@192.168.50.2>
[not found] ` <20050303224616.GA1428@ixeon.local>
[not found] ` <871xaqb6o0.fsf@amaterasu.srvr.nix>
2005-03-08 16:58 ` George Georgalis
2005-03-08 17:19 ` George Georgalis
2005-03-08 19:21 ` George Georgalis
2005-03-08 20:10 ` Andre Tomt
2005-03-09 13:06 ` Nix
[not found] ` <871xap9dfg.fsf@amaterasu.srvr.nix>
2005-03-09 15:29 ` George Georgalis [this message]
2005-03-09 23:28 ` Paul Jarc
2005-03-10 0:30 ` Nix
2005-03-16 3:18 ` George Georgalis
2005-03-16 22:37 ` Paul Jarc
2005-03-17 2:03 ` George Georgalis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050309152958.GB4042@ixeon.local \
--to=george@galis.org \
--cc=linux-kernel@vger.kernel.org \
--cc=misc@list.smarden.org \
--cc=mkettler@evi-inc.com \
--cc=supervision@list.skarnet.org \
--cc=users@spamassassin.apache.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).