running as an alternate user / file ownership/permissions


Postby chakkerz on Fri May 09, 2008 3:40 am

Hello there

I was wondering if it is possible to get rsyslog to run as a different user, for instance rsyslog ... or to get it to write files to be owned by someone other than root. OR with other default permissions than 600

Cheers

Chakkerz

Postby chakkerz on Fri May 09, 2008 3:45 am

erm ... found (just too late)

http://www.rsyslog.com/doc-rsconf1_filecreatemode.html

That doesn't get around not running as root, though.

Postby rgerhards on Fri May 09, 2008 7:00 am

You should also look at $FileOwner, $FileGroup and the respective $Dir.. directives.

As for a different user, this is not yet implemented. It also currently has no priority, as I was told this is no longer an issue in the days of selinux. I personally have no hard opinion on it, just following general demand...

Rainer

Postby chakkerz on Fri May 09, 2008 9:12 am

erm .. yes ... SE Linux does get around the issue, that is true.

And (far from being an SE Linux expert, though I have completed the Red Hat training / certification on that one [alas I don't get to use it enough to become an expert]) I have to say that when a system can get itself into a tight enough knot where the setroubleshoot service cannot start because SELinux is blocking it, and when it does start it craters anyway, or when relabelling all files at start-up, or using restorecon or fixfiles, yields files that are in the same directory and rotates of the same log file, created by the same *syslog daemon, I feel that 1) I need to re-read my course notes, and 2) there are still some issues to be resolved.

That said, it worked extremely well during the course ... lord knows I may have screwed something else up.

Also, I don't think that anyone in their right mind, even after running in permissive mode without errors, truly expects that they can turn on SELinux and not have errors. SE Linux is great ... but it's far from flawless. And the tools to support it are also far from flawless. And the documentation that ships with the distros ... is somewhat lacking.

... but you know what the hilarious aspect of this is? I disabled SELinux yesterday because it kept crashing my multipathd service. Fingers crossed I find some time Monday to sort out the SELinux issue so I can re-enable it :) But darn do I want to use SELinux ... it would be nice to put that training to use :)

chakkerz

Postby rgerhards on Fri May 09, 2008 9:45 am

Yeah... I am not an SE Linux expert at all. I see that there is some usefulness in natively supporting running under non-root. But there are tons of other features waiting for implementation. So it becomes a matter of priorities. Priorities depend on what is often asked for.

For example: I am currently working on a real secure TLS mode, which will (probably) be followed by a real secure and real reliable TLS mode for RELP. Should I stop implementing TLS to do the user thing? Maybe... But practice tells me many have asked for TLS and so far one for the user. So guess what... ;)

(This may also be viewed as a call to action for all those who would like to see a "not root" capability in rsyslog - obviously priorities are dynamic ;)).

Postby jli on Fri May 09, 2008 6:56 pm

I am using rsyslog for centralized logging for a couple of servers and I was also looking for this feature.

The reason is not wanting to have software that is exposed on a public IP to be running as root. I do not know SE Linux at all - currently I'm using an ugly hack to have rsyslog be started as a separate "rsyslog" user with su. Since non-root users can't listen on ports under 1024, I have it listening on 1514 (both tcp and udp) with iptables rules to forward data from 514 to 1514 (again, both tcp and udp).

It's not so nice and requires custom setup, but it works. Support for dropping permissions, like Apache, would be very welcome of course :).
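Putting the two answers above together, as an added example that is not from the thread: a legacy-syntax rsyslog.conf fragment using the $File.. / $Dir.. directives Rainer mentions, combined with jli's unprivileged-port workaround. The user and group name `rsyslog`, port 1514 and the `/var/log/remote` path are assumptions.

```conf
# Added example (not from the thread). Assumed: a system user and group
# named "rsyslog" exist and the daemon is started as that user.
# Ownership/mode directives apply to the actions that follow them, so they
# come first.
$FileOwner rsyslog
$FileGroup rsyslog
# group-readable instead of the 600 the original poster asked about
$FileCreateMode 0640
$DirOwner rsyslog
$DirGroup rsyslog
$DirCreateMode 0750
$umask 0022

# Listen on an unprivileged port so no root privileges are needed to bind
$ModLoad imudp
$UDPServerRun 1514
$ModLoad imtcp
$InputTCPServerRun 1514

# Per-host files under the assumed path; created with the owner, group and
# modes set above
$template RemoteHost,"/var/log/remote/%HOSTNAME%/syslog.log"
*.* ?RemoteHost

# Firewall side (run once, as root): map the privileged syslog port to 1514
# for traffic arriving from other hosts, for both transports.
#   iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 1514
#   iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to-ports 1514
```

REDIRECT only rewrites the destination port, so the sender address rsyslog sees is unchanged and the per-host file naming still works.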
