Mailing List Archive

wrong permissions on directories
Hi *,

when creating directories through dynamic templates, the directory
permissions are incomplete:

rsyslog.conf:
$template ZeusMwAllLogFileService,"/data/log/zeusmw/%$YEAR%-%$MONTH%/all-%$YEAR%-%$MONTH%-%$DAY%.log"

resulting directories:
ls -al /data/log
drw-r--r-- 3 root root 4096 Mar 5 15:53 zeusmw/

ls -al /data/log/zeusmw
drw-r--r-- 2 root root 4096 Mar 6 10:11 2009-03/

# rsyslogd -version
rsyslogd 3.21.3, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: Yes
FEATURE_NETZIP (message compression): Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
Runtime Instrumentation (slow code): No

(it's the rsyslog-3.21.3-4 fedora 10 package compiled on rhel5)

I'd be happy to know if that's a bug.

Thanks
Thomas

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
Re: wrong permissions on directories
Hi Thomas,

can it be that your default umask gets in your way? In any case, you
can set the permissions explicitly with

$FileCreateMode
$FileGroup
$FileOwner

And set the umask with

$umask

(see http://www.rsyslog.com/doc-rsyslog_conf_global.html)

Does this help?

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Thomas Mieslinger
> Sent: Friday, March 06, 2009 10:18 AM
> To: rsyslog-users
> Subject: [rsyslog] wrong permissons on directories
Re: wrong permissions on directories
Thanks for the pointer to the documentation.. it is $DirCreateMode what
I asked for...

and now I ask for a change of the default
documentation says:
Default: 0644

Reality demands 0755. I changed it in my configuration. I'd be happy to
see that changed in rsyslog.

Thomas




--
Thomas Mieslinger
IT Infrastructure Systems
Telefon: +49-721-91374-4404
E-Mail: thomas.mieslinger@1und1.de

1&1 Internet AG
Brauerstraße 48
76135 Karlsruhe

Amtsgericht Montabaur HRB 6484
Vorstand: Henning Ahlert, Ralph Dommermuth, Matthias Ehrlich, Thomas
Gottschlich, Robert Hoffmann, Markus Huhn, Henning Kettler, Oliver
Mauss, Jan Oetjen
Aufsichtsratsvorsitzender: Michael Scheeren

Re: wrong permissions on directories
Thomas,

do I correctly understand that you propose the default be changed?

If so, I am hesitant to do that - wouldn't that potentially break existing deployments? On the other hand... how could that work... Umm...

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Thomas Mieslinger
> Sent: Friday, March 06, 2009 3:14 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] wrong permissons on directories
Re: wrong permissions on directories
FWIW, the Debian default rsyslog.conf ships with

$DirCreateMode 0755


2009/3/6 Rainer Gerhards <rgerhards@hq.adiscon.com>:



--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Re: wrong permissions on directories
I guess nobody did let rsyslog make directories.

Rainer Gerhards wrote:
> Thomas,
>
> do I correctly understand that you propose the default be changed?

Yepp.

> If so, I am hesitant to do that - wouldn't that potentially break existing deployments?

hmm Maybe I haven't seen enough yet, but I can't imagine a deployment
built on directory permissions 644....

> On the other hand... how could that work... Umm...

They are all working as root out there :-)

I think it would be good if you just double check it yourself that the
directories get created with 644 and decide on your findings.

Thomas
Re: wrong permissions on directories
The more I think about it, the more it smells like a real bug. Has anyone objections changing the default?

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Michael Biebl
> Sent: Friday, March 06, 2009 3:54 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] wrong permissons on directories
Re: wrong permissions on directories
On Fri, Mar 6, 2009 at 08:40, Rainer Gerhards <rgerhards@hq.adiscon.com> wrote:
> The more I think about it, the more it smells like a real bug. Has anyone objections changing the default?

None. It is unrealistic (and generally unusable) to have UNIX
directory permissions without the execute bit (S_IX*). The only
reason to do it would be to have an 'archive' directory of sorts, in
which users may see names of children, but none of their permissions
or contents.

As has been noted, the only reason it's worked thus far is that most
people either change the default or run the daemon as root, for whom
those permissions aren't really a limiting factor.
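What the directory modes argued over in this thread (0644, 0755, 0700, 0777) grant to each permission class, as an added example that is not part of any message here or of rsyslog's code. The function names are hypothetical, the listing beyond its first two lines is constructed, and it assumes directories are created through mkdir(2), so the process umask still applies.

```python
"""Directory permission bits for the modes discussed in this thread."""

# Constructed listing: the first two lines reuse the `ls -al` output quoted in
# the thread; the remaining entries are constructed for 0755, 0700 and 0777.
SAMPLE_LS = """\
drw-r--r-- 3 root root 4096 Mar  5 15:53 zeusmw/
drw-r--r-- 2 root root 4096 Mar  6 10:11 2009-03/
drwxr-xr-x 2 root root 4096 Mar  6 10:11 fixed-0755/
drwx------ 2 root root 4096 Mar  6 10:11 private-0700/
drwxrwxrwx 2 root root 4096 Mar  6 10:11 quickfix-0777/
-rw-r--r-- 1 root root  512 Mar  6 10:11 all-2009-03-06.log
"""

CLASSES = (("owner", 6), ("group", 3), ("other", 0))
STICKY = 0o1000


def effective_mode(requested, umask):
    """Mode a mkdir(2) call ends up with: requested bits minus umask bits.

    Assumption: the daemon creates directories through mkdir(2), so the
    configured create mode is still filtered by the process umask.
    """
    return requested & ~umask & 0o777


def parse_mode_string(field):
    """Turn an ls-style field such as 'drw-r--r--' into (is_dir, mode)."""
    if len(field) < 10:
        raise ValueError("not an ls mode field: %r" % field)
    mode = 0
    for i, ch in enumerate(field[1:10]):
        exec_slot = i % 3 == 2
        # In the execute slot, 's' and 't' mean "x plus a special bit";
        # 'S' and 'T' mean the special bit without x.
        granted = ch in "xst" if exec_slot else ch != "-"
        if granted:
            mode |= 1 << (8 - i)
    if field[9] in "tT":
        mode |= STICKY
    return field[0] == "d", mode


def directory_access(mode):
    """What each class may do with a directory of this mode.

    r lists entry names, x (search) reaches the entries themselves
    (stat, open, cd), and creating or deleting entries needs w and x.
    root bypasses these checks, which is why a daemon running as root
    keeps working with mode 0644 directories.
    """
    access = {}
    for name, shift in CLASSES:
        bits = (mode >> shift) & 0o7
        r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
        access[name] = {
            "list_names": r,
            "reach_entries": x,
            "create_delete": w and x,
        }
    return access


def audit_listing(ls_text):
    """Map each directory in `ls -l` output to (octal mode, findings)."""
    report = {}
    for line in ls_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        is_dir, mode = parse_mode_string(fields[0])
        if not is_dir:
            continue
        access = directory_access(mode)
        findings = []
        for cls, caps in access.items():
            # The 0644 symptom: names are visible, entries are unreachable.
            if caps["list_names"] and not caps["reach_entries"]:
                findings.append("%s: read without search" % cls)
        # The 0777 "fix": anyone may create or delete entries.
        if access["other"]["create_delete"] and not mode & STICKY:
            findings.append("other: world-writable without sticky bit")
        report[fields[-1].rstrip("/")] = (oct(mode & 0o777), findings)
    return report


if __name__ == "__main__":
    for name, (mode, findings) in audit_listing(SAMPLE_LS).items():
        print(name, mode, findings or "ok")
    # A create mode of 0755 under a umask of 077 still yields 0700.
    print(oct(effective_mode(0o755, 0o077)))
```
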
Re: wrong permissions on directories
I guess the "root issue" is more a probable cause. I know that lots of
folks use rsyslog to create dirs. Will probably change the default, but
in the beta first.

Thanks for bringing this up.

Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Thomas Mieslinger
> Sent: Friday, March 06, 2009 4:18 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] wrong permissons on directories
Re: wrong permissions on directories
I am back at this issue and thought about changing the default down to
v2-stable. However, it "feels" bad from a security perspective. I know that
the current default does not work well, but it is extremely restrictive. So
if I now change it to a "useful" default, I may expose some information on
old systems that is not yet exposed. One could argue this is a security hole.
I am very hesitant to do this, so I thought I'd ask for feedback once again.

The alternative way would be that only v4 (if running in v4-mode!) will have
the new (correct) default, while all others have the old, wrong and thus
extremely restrictive default. Quite honestly, it "feels" like this is the
right route to take, even though "the other way around" sounds more natural.

Has anyone an opinion on that? And I'll probably go for the v4-only change if
nobody convinces me that there is no security risk...

Thanks,
Rainer

> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of Rainer Gerhards
> Sent: Friday, March 06, 2009 4:40 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] wrong permissons on directories
Re: wrong permissions on directories
On Thu, Apr 9, 2009 at 02:58, Rainer Gerhards <rgerhards@hq.adiscon.com> wrote:
> the current default does not work well, but it is extremely restrictive. So

It's not that it doesn't work well, it honestly doesn't work at all.
A directory in UNIX without execute permissions is effectively
inaccessible to any non-root user, encouraging less-knowledgeable
admins to just run everything as root.

> Has anyone an opinion on that? And I'll probably go for the v4-only change if
> nobody convinces me that there is no security risk...

The only risk is that users originally granted permission to use a
directory may actually be allowed to do so. If a user's data is
sufficiently sensitive that such a change would unacceptably expose
it, my bet is that they have already changed the permissions to
something even more restrictive. I wouldn't suggest making the change
if it's the only one you need to make to v2, but if there are others
pending it would be a wise addition IMHO.
Re: wrong permissions on directories
> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of RB
> Sent: Thursday, April 09, 2009 2:15 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] wrong permissons on directories
>
> On Thu, Apr 9, 2009 at 02:58, Rainer Gerhards <rgerhards@hq.adiscon.com>
> wrote:
> > the current default does not work well, but it is extremely
> restrictive. So
>
> It's not that it doesn't work well, it honestly doesn't work at all.

Well... that's the issue that I see. It works, as rsyslog usually runs as
root. Granted, nobody but root can read the directories, but this is exactly
what I meant with being restrictive. If we fix this issue, we permit access
to these directories and as such are more open than before. I wouldn't be
arguing so hard if it were not a potential security issue...

In other words: I am not yet fully convinced (even not after reading the rest
of your post ;)). But I am getting closer to being convinced ;)

Rainer

Re: wrong permissions on directories
On Thu, Apr 9, 2009 at 06:19, Rainer Gerhards <rgerhards@hq.adiscon.com> wrote:
> In other words: I am not yet fully convinced (even not after reading the rest
> of your post ;)). But I am getting closer to being convinced ;)

:) I haven't any further arguments, so we may have to stop halfway.
As a security "professional" (whatever that ends up meaning) I tend to
prefer developers allow me to make that choice, but understand the
balance you have to make between that and helping your users make wise
(if erring on the side of cautious) decisions, particularly with
"legacy" software.
Re: wrong permissions on directories
> -----Original Message-----
> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
> bounces@lists.adiscon.com] On Behalf Of RB
> Sent: Thursday, April 09, 2009 2:34 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] wrong permissons on directories
>
> On Thu, Apr 9, 2009 at 06:19, Rainer Gerhards <rgerhards@hq.adiscon.com>
> wrote:
> > In other words: I am not yet fully convinced (even not after reading
> the rest
> > of your post ;)). But I am getting closer to being convinced ;)
>
> :) I haven't any further arguments, so we may have to stop halfway.

Maybe some other folks cast their ballot - but it was probably not smart to
send this mail directly before Easter ;)

> As a security "professional" (whatever that ends up meaning) I tend to
> prefer developers allow me to make that choice,

Actually, it is your choice. Let me explain, in case there is a
misunderstanding. You have full control over the directory permissions, via
the $DirCreateMode [1] directive. For example, Michael Biebl was so smart to
include a "$DirCreateMode 0755" in the standard Debian configuration, so it
almost is a no-issue there. What I am talking about is the default for this
setting, the case when nothing was specified by the user.

> but understand the
> balance you have to make between that and helping your users make wise

I am not talking about wise vs. unwise decisions. My concern is that in
current releases, the default is off, but it also means it is somewhat
strict. If I now change the default (which would be wise), it may result in
relaxed access control permissions. And as this affects users who so far did
not care at all about the permissions, those users may never know - that is
what triggers some "bad feelings" inside me.

As a side-note, I wonder if a default of 0700 might be even wiser than "755".
Whoever doesn't like that can override it. As the default is probably "pain in
the a..." for people, they would possibly begin thinking about that aspect
(but on the other hand I already envision all those smart web sites that tell
you just to use "$DirCreateMode 0777" to "fix the issue" - so this may even
be less useful than starting with 755 in the first place).

The more I think about it, this whole issue is much less about technical
defaults but more about human nature ;)

> (if erring on the side of cautious) decisions, particularly with
> "legacy" software.

I hope this clarifies,
Rainer
[1] http://www.rsyslog.com/doc-rsconf1_dircreatemode.html
Re: wrong permissons on directories
2009/4/9 Rainer Gerhards <rgerhards@hq.adiscon.com>:
>> -----Original Message-----
>> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
>> bounces@lists.adiscon.com] On Behalf Of RB
>> Sent: Thursday, April 09, 2009 2:34 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] wrong permissons on directories
>>
>> On Thu, Apr 9, 2009 at 06:19, Rainer Gerhards <rgerhards@hq.adiscon.com>
>> wrote:
>> > In other words: I am not yet fully convinced (even not after reading the rest
>> > of your post ;)). But I am getting closer to being convinced ;)
>>
>> :)  I haven't any further arguments, so we may have to stop halfway.
>
> Maybe some other folks cast their ballot - but it was probably not smart to
> send this mail directly before Easter ;)

I'd vote for changing the default.
The current one is simply buggy, and as such I'd treat the fix as a bug.

I wouldn't wait for 4.x, but fix it in the upcoming 3.22.x series, I
wouldn't change 3.20.x

My 2¢,
Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Re: wrong permissons on directories
On Thu, 9 Apr 2009, Rainer Gerhards wrote:

>> -----Original Message-----
>> From: rsyslog-bounces@lists.adiscon.com [mailto:rsyslog-
>> bounces@lists.adiscon.com] On Behalf Of RB
>>
>> On Thu, Apr 9, 2009 at 06:19, Rainer Gerhards <rgerhards@hq.adiscon.com>
>> wrote:
>>> In other words: I am not yet fully convinced (even not after reading the rest
>>> of your post ;)). But I am getting closer to being convinced ;)
>>
>> :) I haven't any further arguments, so we may have to stop halfway.
>
> Maybe some other folks cast their ballot - but it was probably not smart to
> send this mail directly before Easter ;)
>
>> As a security "professional" (whatever that ends up meaning) I tend to
>> prefer developers allow me to make that choice,
>
> Actually, it is your choice. Let me explain, in case there is a
> misunderstanding. You have full control over the directory permissions, via
> the $DirCreateMode [1] directive. For example, Michael Biebl was so smart to
> include a "$DirCreateMode 0755" in the standard Debian configuration, so it
> almost is a no-issue there. What I am talking about is the default for this
> setting, the case when nothing was specified by the user.
>
>> but understand the
>> balance you have to make between that and helping your users make wise
>
> I am not talking about wise vs. unwise decisions. My concern is that in
> current releases, the default is off, but it also means it is somewhat
> strict. If I now change the default (which would be wise), it may result in
> relaxed access control permissions. And as this affects users who so far did
> not care at all about the permissions, those users may never know - that is
> what triggers some "bad feelings" inside me.
>
> As a side-note, I wonder if a default of 0700 might be even wiser than "755".
> Whoever doesn't like that can override it. As the default is probably "pain in
> the a..." for people, they would possibly begin thinking about that aspect
> (but on the other hand I already envision all those smart web sites that tell
> you just to use "$DirCreateMode 0777" to "fix the issue" - so this may even
> be less useful than starting with 755 in the first place).

the current default doesn't work at all, so it's definitely wrong.

either 700 or 755 would be a better default. I can see arguments about
system logs not being intended to be read by everyone, so if you want to
run rsyslog as root having the default be 700 is reasonable.

David Lang

> The more I think about it, this whole issue is much less about technical
> defaults but more about human nature ;)
>
>> (if erring on the side of cautious) decisions, particularly with
>> "legacy" software.
>
> I hope this clarifies,
> Rainer
> [1] http://www.rsyslog.com/doc-rsconf1_dircreatemode.html
Re: wrong permissons on directories
Thanks to everyone who commented. I will now change the default to 700, which
should not expose anything more than we already had (and also is a better
default as I outlined). As we all have concluded that the previous default is
buggy, I'll change it wherever the problem is, that means I start with
v2-stable and will end up with a patch to all currently supported versions.
You'll see announcements soon...

Rainer
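An added example, not part of the thread or of rsyslog's code: a POSIX shell check that classifies directories by their mode bits, run here over constructed directories that reproduce the drw-r--r-- mode from the original report next to the 0700, 0755 and 0777 values discussed above. The function names `classify_dir` and `demo` are hypothetical.

```shell
#!/bin/sh
# Added example: classify log directories by the mode string from `ls -ld`.

# Print a one-word verdict for directory $1.
classify_dir() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)   # e.g. drw-r--r--
    case "$perms" in
        d?????????) ;;
        *) echo "not-a-directory"; return 1 ;;
    esac
    owner_x=$(printf '%s' "$perms" | cut -c4)
    group=$(printf '%s' "$perms" | cut -c5-7)
    other=$(printf '%s' "$perms" | cut -c8-10)
    case "$owner_x" in
        x|s) ;;                                  # owner may enter the directory
        *) echo "untraversable"; return 0 ;;     # owner lacks the search bit
    esac
    case "$other" in
        ?w?) echo "world-writable"; return 0 ;;
        ---) ;;
        *)   echo "world-accessible"; return 0 ;;
    esac
    case "$group" in
        ---) echo "private" ;;
        *)   echo "group-accessible" ;;
    esac
}

# Build constructed sample directories and print "name verdict" per line.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -m 644 "$base/as-reported"      # drw-r--r--, as in the report
    mkdir -m 700 "$base/mode-0700"
    mkdir -m 755 "$base/mode-0755"
    mkdir -m 777 "$base/mode-0777"
    (umask 077; mkdir "$base/umask-077")  # no -m: 0777 & ~077 = 0700
    for d in "$base"/*; do
        printf '%s %s\n' "$(basename "$d")" "$(classify_dir "$d")"
    done
    chmod -R u+rwx "$base" && rm -rf "$base"
}
```

For an unprivileged account, a directory flagged untraversable cannot be entered even by its owner; root bypasses that check.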
