Re: A better method than daisy-chaining logging files?

From: Dewayne Geraghty <dewayne.geraghty_at_heuristicsystems.com.au>
Date: Tue, 18 Jun 2019 17:27:06 +1000

Sure. I don't think the permissions are particularly weird? ;)

Remember we're effectively talking about two VMs, one running apache and
the other being a log recipient, so privs aren't a big deal in the
latter's context. On the logger, the files, as requested, are:

# ls -lrth /var/log/httpd | grep error ; ls -lrth /var/log/httpd/error
drwx------ 2 mylogger www 512B Jun 18 15:06 error/
total 44
-rw-r--r-- 1 mylogger www 0B Jun 18 15:06 state
-rw-r--r-- 1 mylogger www 0B Jun 18 15:06 lock
-rw-r--r-- 1 mylogger www 41K Jun 18 16:04 current

When I send
s6-svc -a /run/scan/apache24-error-log
the processor does its job correctly.

And while the systems are all running and I simply remove mylogger from
the www group, sending an alarm to the service works correctly.

-rw-r--r-- 1 mylogger www 0B Jun 18 15:06 lock
-rwxr--r-- 1 mylogger www 2.7K Jun 18 16:59 @400000005d088c11012cc9f4.s*
-rw-r--r-- 1 mylogger www 0B Jun 18 17:03 state
-rw-r--r-- 1 mylogger www 0B Jun 18 17:03 current
-rwxr--r-- 1 mylogger www 64B Jun 18 17:03 @400000005d088cd6113d5a5c.s*

However when I remove mylogger from the www group and restart (into a
relatively pristine test environment), it all works well but we return
to the original problem:

# s6-svc -a /run/scan/apache24-error-log
# lh /var/log/httpd | grep error ; lh /var/log/httpd/error
drwx------ 2 mylogger www 512B Jun 18 17:05 error/
total 4
-rw-r--r-- 1 mylogger www 0B Jun 18 17:04 lock
-rw-r--r-- 1 mylogger www 0B Jun 18 17:05 state
-rwxr--r-- 1 mylogger www 304B Jun 18 17:05 processed*
-rw-r--r-- 1 mylogger www 0B Jun 18 17:05 current

with the resulting
s6-log: warning: unable to finish processed .s to logdir /var/log/httpd/error: Operation not permitted

This is on a box that lacks development tools, so tracing will take some
time to sort out; sorry. :/

FreeBSD does have tweakable knobs to prevent seeing other uids or gids
which were enabled, but disabling made no difference (I thought we were
onto something for a minute there).

Cheers, Dewayne
Received on Tue Jun 18 2019 - 07:27:06 UTC
