Re: a problem with linux 2.6.11 and sa

supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
 help / color / mirror / Atom feed

From: Nix <nix@esperi.org.uk>
Cc: users@spamassassin.apache.org, misc@list.smarden.org,
	supervision@list.skarnet.org, mkettler@evi-inc.com
Subject: Re: a problem with linux 2.6.11 and sa
Date: Wed, 09 Mar 2005 13:06:11 +0000	[thread overview]
Message-ID: <871xap9dfg.fsf__45846.9520126984$1110373764$gmane$org@amaterasu.srvr.nix> (raw)
In-Reply-To: <20050308165814.GA1936@ixeon.local> (George Georgalis's message of "Tue, 8 Mar 2005 11:58:14 -0500")

On Tue, 8 Mar 2005, George Georgalis announced authoritatively:
> Here's what I'm doing that is broken. I use tcpserver (functionally
> similar to inetd) to receive an incoming smtp connection. While the
> smtp session is still open, the message is piped to a temp file which
> is then scanned for spam, if it passes the temp file is piped to my

Both of these sound like redirection, not piping.

>>(I don't see what you mean by `a pipe rom /proc/kmsg', though:
>>pipes connect processes, not files. File redirections are
>>quite different and should work unchanged in 2.6.11.)
> 
> An interesting technique that allows a program (such as a log writer)
> to run as an unprivileged user, while receiving privileged data. (taken
> almost verbatim from Gerrit Pape's socklog)
> 
> #!/bin/sh
> exec </proc/kmsg
> exec 2>&1
> exec softlimit -m 2000000 setuidgid nobody socklog ucspi
> 
> This script, run by root takes its stdin from /proc/kmsg then combines
> its stdout and stderr, and exec-switches to the socklog program run
> as an ucspi application listening to the domain stream socket, as
> nobody:nogroup, with memory consumption limited to 2Mb. (and sends
> log to stdout)

This is definitely redirection, not piping. As far as I know the
implementation of redirection in the kernel remains unchanged: certainly
the need to buffer piped data doesn't exist in this case, and since the
redesign was of the buffering, this is probably not your problem :)

> It worked flawlessly until several kernel revs back when the kernel
> started protecting kmsg and wouldn't allow the user program to receive
> it,

Indeed.

>       result: nothing sent to the logging program and no error. The fix
> was to run socklog as root instead of nobody.

You should be able to open it as root and read from it as another user:
i.e., your technique above shouldn't break. (I'd hope.)

-- 
> ...Hires Root Beer...
What we need these days is a stable, fast, anti-aliased root beer
with dynamic shading. Not that you can let just anybody have root.
 --- John M. Ford

next prev parent reply	other threads:[~2005-03-09 13:06 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20050303214023.GD1251@ixeon.local>
     [not found] ` <6.2.1.2.0.20050303165334.038f32a0@192.168.50.2>
     [not found]   ` <20050303224616.GA1428@ixeon.local>
     [not found]     ` <871xaqb6o0.fsf@amaterasu.srvr.nix>
2005-03-08 16:58       ` George Georgalis
2005-03-08 17:19         ` George Georgalis
2005-03-08 19:21           ` George Georgalis
2005-03-08 20:10             ` Andre Tomt
2005-03-09 13:06         ` Nix [this message]
     [not found]         ` <871xap9dfg.fsf@amaterasu.srvr.nix>
2005-03-09 15:29           ` George Georgalis
2005-03-09 23:28             ` Paul Jarc
2005-03-10  0:30               ` Nix
2005-03-16  3:18               ` George Georgalis
2005-03-16 22:37                 ` Paul Jarc
2005-03-17  2:03                   ` George Georgalis

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='871xap9dfg.fsf__45846.9520126984$1110373764$gmane$org@amaterasu.srvr.nix' \
    --to=nix@esperi.org.uk \
    --cc=misc@list.smarden.org \
    --cc=mkettler@evi-inc.com \
    --cc=supervision@list.skarnet.org \
    --cc=users@spamassassin.apache.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).