supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: supervision@list.skarnet.org
Cc: Laurent Bercot <ska-supervision@skarnet.org>
Subject: Re: s6-log can create current with 640?
Date: Fri, 25 Oct 2019 19:20:31 +1100
Message-ID: <62d9001a-73bd-5cfe-4c47-f561c4dfabea@heuristicsystems.com.au>
In-Reply-To: <emdb2737ee-616d-424d-8a41-8c813d7263f6@elzian>

Laurent, I've embedded responses:

On 24/10/2019 10:58 am, Laurent Bercot wrote:
>> My initial attempt
>>
>> #!/usr/local/bin/execlineb -P
>> s6-setuidgid uucp
>> redirfd -r 0 /services/ntp/fifo
>> umask 037
>> /usr/local/bin/s6-log -b n14 r7000 s100000 S3000000 !"/usr/bin/xz -7q"
>> /var/log/ntpd
> 
>  Hi Dewayne,
> 
>  - Is there a reason why you're using a manually created fifo instead
> of the built-in logging facility offered by s6-svscan? You could tell
> ntpd to log to /dev/stdout, and have the logger in a ntpd/log service
> directory, and your logs would automatically be available on your
> logger's stdin.
> 
That's really testing my memory! I recall using the producer/consumer
pair, as well as s6-ftrig-notify and s6-ftrig-listen. But at the end of
the day, processes like apache have multiple log files, and in my case 5
access log files and one error log.  So either I use one aggregated log
(input) with multiple regex expressions in an s6-log statement (which I
was advised against doing) or multiple s6-log invocations, one for each
input, which is what I chose.

In addition, the log content needs to traverse different VM contexts,
where I usually use lo0; but in this case a nullfs and a fifo were the
better choice per some early benchmarks (via the wrk tool).

Re: ntp and its log file?  Yes, within a single machine context, one
process writing to stdout and another taking that as input for s6-log to
handle makes sense (and is easy).  However, the "logger" will relocate to
a separate VM when unrelated problems with an ASLR-enabled ntpd are
fixed.  Again, a nullfs and a fifo are sufficient: one VM writes to the
fifo, and a different user in a different VM reads & processes the log
via s6-log.

Aside: if someone isn't familiar with FreeBSD, it can be hard to get a
handle on FreeBSD jails; it's a bit more than a simple chroot.  I think
it's reasonable to consider them as very lightweight VMs.  Each can have
separate security levels, shared memory, multiple network interfaces and
IP addresses etc., all sharing the one kernel.  The only con is that the
first IP address is treated as routable and localhost points to it.


>  - About umask: that's very strange. Can you strace, or ktrace, or
> whatever tool gives you a list of system calls, the script? It will
> show exactly what's going on.
> 

Apologies for the delay. Needed to rebuild the kernel to enable ktrace.

Results for umask:
rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'redirfd -w 1 /tmp/t1 umask 037 echo hello' ; echo $? ; ls -l /tmp/t1
0
-rw-r-----  1 root  wheel  0 25 Oct 18:33 /tmp/t1

rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'redirfd -w 1 /tmp/t1 umask 023 echo hello' ; echo $? ; ls -l /tmp/t1
0
-rw-r-----  1 root  wheel  0 25 Oct 18:36 /tmp/t1

I've placed the ktrace dumpfile in txt format so it's readable for you at
http://www.heuristicsystems.com/s6-umask/t1.kdump

The OS umask is 027.

I also tried what I thought was the more logical:
# rm -f /tmp/t1 ; /usr/local/bin/execlineb -Pc 'umask 033 redirfd -w 1 /tmp/t1 echo hello' ; echo $? ; ls -l /tmp/t1
0
ls: /tmp/t1: No such file or directory

This ktrace is at
http://www.heuristicsystems.com/s6-umask/t1-umask-redirfd.kdump

I think the relevant lines are:
   276 sh       CALL  umask(0)
   276 sh       RET   umask 23/0x17
   276 sh       CALL  umask(027<S_IWGRP|S_IROTH|S_IWOTH|S_IXOTH>)
   276 sh       RET   umask 0
   276 sh       CALL  umask(033<S_IWGRP|S_IXGRP|S_IWOTH|S_IXOTH>)
   276 sh       RET   umask 23/0x17
   276 sh       CALL  read(0xa,0x104c9d0,0x400)

Platform details:
# uname -pivKU; cc -v ; ld -v
FreeBSD 12.1-STABLE #5 r353671M: Fri Oct 25 09:12:32 AEDT 2019  amd64
hqdev-amd64-smp-vga 1201500 1201500
FreeBSD clang version 8.0.1 (tags/RELEASE_801/final 366581) (based on
LLVM 8.0.1)
Target: x86_64-unknown-freebsd12.1
Thread model: posix
InstalledDir: /usr/bin
LLD 8.0.1 (FreeBSD 366581-1200008) (compatible with GNU linkers)

If there is anything I can do to assist please let me know.  (Though I
haven't worked in C since 1990...)

Kind regards, Dewayne
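The ordering effect visible in the results above (a file that redirfd opens before umask runs keeps the mode derived from the inherited umask, here 027, whatever mask the later umask sets) can be reproduced without execline. The following is an added example, not code from the message or from the s6/execline projects; it uses plain POSIX sh, whose redirections and umask builtin follow the same rule: the umask in force at open() time decides a new file's permission bits, and a umask set afterwards cannot change a file that is already open. The 027 baseline mirrors the OS umask stated in the message; the file names and helper names are assumptions. It does not address the second observation (no file created when umask precedes redirfd), which the message leaves unexplained.

```shell
#!/bin/sh
# Added example (not from the original message): the umask in effect when a
# file is created decides its mode bits. Setting umask after the open is a
# no-op for that file, which is what "redirfd -w 1 FILE umask MASK prog"
# does in an execline chain: redirfd opens FILE, then execs into umask.

# Symbolic mode of a path, e.g. "-rw-r-----" (portable via ls, not stat).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Expected numeric mode for a regular file created with mask $1:
# 0666 with the mask's bits cleared (the kernel applies ~umask to the
# requested 0666). Prints four octal digits, e.g. 0644 for mask 023.
expected_octal() {
    printf '%04o\n' $(( 0666 & ~(0$1) ))
}

# Correct order: mask $1 is set, then $2 is created by a redirect.
# Baseline umask 027 is assumed, mirroring the OS umask in the message.
create_with_umask_first() {
    rm -f "$2"
    ( umask 027; umask "$1"; : > "$2" )
    mode_of "$2"
}

# Reversed order: $2 is created by a redirect, then mask $1 is set.
# The later umask cannot touch the already-created file, so the mode
# reflects only the 027 baseline (0640, -rw-r-----).
create_with_umask_after() {
    rm -f "$2"
    ( umask 027; : > "$2"; umask "$1" )
    mode_of "$2"
}

# Usage: run stand-alone to see both orderings side by side.
if [ "${0##*/}" = "umask_order.sh" ]; then
    d=$(mktemp -d)
    echo "umask 023 before open: $(create_with_umask_first 023 "$d/a") (expected $(expected_octal 023))"
    echo "umask 023 after  open: $(create_with_umask_after 023 "$d/b") (baseline 027 only)"
    rm -rf "$d"
fi
```

With mask 023 the two orderings differ visibly (-rw-r--r-- versus -rw-r-----); with mask 037, as in the first test in the message, both yield -rw-r----- because 037 and the 027 baseline clear the same bits in a 0666 file, so that test alone could not reveal the ordering.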


Thread overview: 14+ messages
2019-10-23  2:27 Dewayne Geraghty
2019-10-23  4:53 ` Colin Booth
2019-10-23  5:39   ` Dewayne Geraghty
2019-10-23  7:15 ` Jonathan de Boyne Pollard
2019-10-23 23:03   ` Dewayne Geraghty
2019-10-23 23:58     ` Laurent Bercot
2019-10-25  8:20       ` Dewayne Geraghty [this message]
2019-10-25 17:06         ` Guillermo
2019-10-26  1:52           ` Dewayne Geraghty
2019-10-26  5:27             ` Laurent Bercot
2019-10-26  7:16               ` Dewayne Geraghty
2019-10-26 13:08                 ` Laurent Bercot
2019-10-29  7:28               ` Jonathan de Boyne Pollard
     [not found]               ` <a8fbd02e-0265-3d59-89d1-81048665693c@ntlworld.com>
2019-10-29  8:53                 ` Laurent Bercot
