From: Nix <nix@esperi.org.uk>
Cc: users@spamassassin.apache.org, misc@list.smarden.org,
supervision@list.skarnet.org, mkettler@evi-inc.com
Subject: Re: a problem with linux 2.6.11 and sa
Date: Wed, 09 Mar 2005 13:06:11 +0000
Message-ID: <871xap9dfg.fsf__45846.9520126984$1110373764$gmane$org@amaterasu.srvr.nix>
In-Reply-To: <20050308165814.GA1936@ixeon.local> (George Georgalis's message of "Tue, 8 Mar 2005 11:58:14 -0500")
On Tue, 8 Mar 2005, George Georgalis announced authoritatively:
> Here's what I'm doing that is broken. I use tcpserver (functionally
> similar to inetd) to receive an incoming smtp connection. While the
> smtp session is still open, the message is piped to a temp file which
> is then scanned for spam, if it passes the temp file is piped to my

Both of these sound like redirection, not piping.

>>(I don't see what you mean by `a pipe from /proc/kmsg', though:
>>pipes connect processes, not files. File redirections are
>>quite different and should work unchanged in 2.6.11.)
>
> An interesting technique that allows a program (such as a log writer)
> to run as an unprivileged user, while receiving privileged data. (taken
> almost verbatim from Gerrit Pape's socklog)
>
> #!/bin/sh
> exec </proc/kmsg
> exec 2>&1
> exec softlimit -m 2000000 setuidgid nobody socklog ucspi
>
> This script, run by root takes its stdin from /proc/kmsg then combines
> its stdout and stderr, and exec-switches to the socklog program run
> as an ucspi application listening to the domain stream socket, as
> nobody:nogroup, with memory consumption limited to 2Mb. (and sends
> log to stdout)
This is definitely redirection, not piping. As far as I know the
implementation of redirection in the kernel remains unchanged: certainly
the need to buffer piped data doesn't exist in this case, and since the
redesign was of the buffering, this is probably not your problem :)
> It worked flawlessly until several kernel revs back when the kernel
> started protecting kmsg and wouldn't allow the user program to receive
> it,
Indeed.
> result: nothing sent to the logging program and no error. The fix
> was to run socklog as root instead of nobody.
You should be able to open it as root and read from it as another user:
i.e., your technique above shouldn't break. (I'd hope.)
--
> ...Hires Root Beer...
What we need these days is a stable, fast, anti-aliased root beer
with dynamic shading. Not that you can let just anybody have root.
--- John M. Ford
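
The redirect-then-drop pattern discussed in the message above relies on the access check being made when the file is opened, not each time it is read. The following sketch is an added example, not code from the thread or from socklog: a constructed temp file stands in for the privileged source and `chmod 000` stands in for the privilege drop done by `setuidgid`, and the function names are hypothetical. It shows the behaviour for a regular file only; whether /proc/kmsg applies a further check on read on a given kernel is the question the thread is discussing.

```shell
#!/bin/sh
# Added example. A temp file stands in for a privileged source such as
# /proc/kmsg; chmod 000 stands in for dropping privileges with setuidgid.

# Run "$@" with stdin redirected from file $1, withdrawing access by path
# before the reader starts. The reader inherits fd 0 and never calls open().
read_after_revoke() {
    src=$1
    shift
    (
        exec <"$src" || exit 1   # access check happens here, at open()
        chmod 000 "$src"         # no further opens by path (for non-root)
        exec "$@"                # same shape as: exec setuidgid nobody socklog ucspi
    )
}

# Returns 0 if the file can still be opened by path.
can_open_by_path() {
    cat "$1" >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp) || return 1
    printf 'constructed kernel message\n' >"$tmp"   # constructed sample input
    printf 'inherited fd: %s\n' "$(read_after_revoke "$tmp" cat)"
    if can_open_by_path "$tmp"; then
        echo 'open by path: allowed (root bypasses file modes)'
    else
        echo 'open by path: denied'
    fi
    rm -f "$tmp"
}

demo
```

If the reader in such a setup silently receives nothing, as described in the quoted report, comparing the inherited-descriptor read against a fresh open under the reduced identity helps tell a read-time check apart from an open-time one.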