Re: A better method than daisy-chaining logging files?

From: Joan Picanyol i Puig <lists-supervision_at_biaix.org>
Date: Tue, 18 Jun 2019 09:26:20 +0200

* Laurent Bercot <ska-supervision_at_skarnet.org> [20190618 08:22]:
> >FYI: The fifo queue permissions, which the jail sees
> >pr---w---- 1 mylogger www 0B May 31 13:27 apache24-error|
>
> Ah, so the www group is the one that writes to the fifo. Got it.
>
> Then you don't need mylogger to belong to the www group (and
> it's probably better for privilege separation that it doesn't),
> but you apparently need the logdir to belong to the primary group
> of the mylogger user. There is no reason for the logdir to belong
> to the www group.
>
> The error you got still strikes me as weird, and shouldn't happen
> unless you have strange permissions for the logdir itself, or
> FreeBSD is doing something wonky with gid checking.

He is nullfs-mounting some of these directories; wonkiness might happen.

> For my peace of mind, I'd still like to see the permissions on your
> logdir, and a ktrace of the error.

* Dewayne Geraghty <dewayne.geraghty_at_heuristicsystems.com.au> [20190618 09:16]:
> On the logger, the files, as requested are:
>
> # ls -lrth /var/log/httpd | grep error ; ls -lrth /var/log/httpd/error
> drwx------ 2 mylogger www 512B Jun 18 15:06 error/
> total 44
> -rw-r--r-- 1 mylogger www 0B Jun 18 15:06 state
> -rw-r--r-- 1 mylogger www 0B Jun 18 15:06 lock
> -rw-r--r-- 1 mylogger www 41K Jun 18 16:04 current
[...]
> -rw-r--r-- 1 mylogger www 0B Jun 18 15:06 lock
> -rwxr--r-- 1 mylogger www 2.7K Jun 18 16:59 @400000005d088c11012cc9f4.s*
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:03 state
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:03 current
> -rwxr--r-- 1 mylogger www 64B Jun 18 17:03 @400000005d088cd6113d5a5c.s*
>
[...]
> # s6-svc -a /run/scan/apache24-error-log
> # lh /var/log/httpd | grep error ; lh /var/log/httpd/error
> drwx------ 2 mylogger www 512B Jun 18 17:05 error/
> total 4
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:04 lock
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:05 state
> -rwxr--r-- 1 mylogger www 304B Jun 18 17:05 processed*
> -rw-r--r-- 1 mylogger www 0B Jun 18 17:05 current

Add -a to your ls flags, to show the directory's permissions for
completeness.

> with the resulting
> s6-log: warning: unable to finish processed .s to logdir
> /var/log/httpd/error: Operation not permitted
>
> This is on a box that lacks development tools, so tracing will take some
> time to sort out; sorry. :/

Just add

ktrace -id -f /var/tmp/s6-log.trace

before your s6-log invocation and send the output of

kdump -f /var/tmp/s6-log.trace

afterwards.

qvb
--
pica
Received on Tue Jun 18 2019 - 07:26:20 UTC
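
Added example, not part of the original message: a small filter for the text that kdump prints, which pairs every failed RET line with the CALL and NAMI (path lookup) lines that preceded it for the same pid, so the syscall behind an "Operation not permitted" is easy to spot. The function names and the sample trace are constructed for illustration and are not taken from the system discussed in this thread.

```shell
#!/bin/sh
# Added example: list failed syscalls from `kdump` text output on stdin.
# Usage: kdump -f /var/tmp/s6-log.trace | failed_syscalls [errno-number]
# Assumes the usual kdump layout: pid, command, record type, details.
failed_syscalls() {
    awk -v want="${1:-}" '
    # Join fields n..NF back into one string.
    function rest(n,   s, i) {
        s = $n
        for (i = n + 1; i <= NF; i++) s = s " " $i
        return s
    }
    # Remember the most recent call per pid (ktrace -i also traces children).
    $3 == "CALL" { call[$1] = rest(4); paths[$1] = ""; next }
    # Collect every path the kernel looked up while serving that call.
    $3 == "NAMI" { paths[$1] = paths[$1] " " rest(4); next }
    # A failed return looks like: RET <syscall> -1 errno <n> <message>
    $3 == "RET" && $5 == "-1" && $6 == "errno" {
        if (want != "" && $7 != want) next
        printf "pid %s: %s failed: errno %s (%s); call: %s; paths:%s\n",
            $1, $4, $7, rest(8), call[$1], paths[$1]
    }'
}

# Constructed sample in kdump text layout (paths and addresses are made up).
sample_kdump() {
cat <<'EOF'
  1234 s6-log   CALL  openat(AT_FDCWD,0x800a1c000,0x601<O_WRONLY|O_CREAT|O_TRUNC>,0x1a4)
  1234 s6-log   NAMI  "/tmp/example/state"
  1234 s6-log   RET   openat 5
  1234 s6-log   CALL  chown(0x800a1c040,0x3e9,0x50)
  1234 s6-log   NAMI  "/tmp/example/file"
  1234 s6-log   RET   chown -1 errno 1 Operation not permitted
  1234 s6-log   CALL  stat(0x800a1c0c0,0x7fffffffe000)
  1234 s6-log   NAMI  "/tmp/example/missing"
  1234 s6-log   RET   stat -1 errno 2 No such file or directory
EOF
}
```

Passing 1 as the argument restricts the output to EPERM, the errno behind "Operation not permitted".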