[Libwebsockets] logrotate puzzle

Andy Green andy at warmcat.com
Wed Apr 27 22:43:06 CEST 2016



On April 28, 2016 2:15:22 AM GMT+08:00, Jaco Kroon <jaco at uls.co.za> wrote:
>Hi Andy,
>
>On 26/04/2016 13:37, Andy Green wrote:
>
>>> If those are not possible the combination of copy and copytruncate is
>>> your best option, but not ideal. No need to perform any special actions
>>> inside the application, it just needs to initially open the log files
>>> for appending write.
>>
>> Yes that's the situation, he opens under root credentials with O_CREAT
>> and O_APPEND, then switches to weaker credentials.
>>
>> This stuff is surprisingly tricky... I think it's better to keep root
>> thoroughly dead after startup as it is now and put up with this very
>> small race for a few ms every week where we might lose logs that
>> happen in that window.
>>
>> I'll unpick my SIGHUP handler and see what happens if we just tell
>> logrotate to do the truncate.
>Have your HUP simply re-open the log files (O_APPEND).  Also if

That'd indeed be simple.

But the log dir is out of reach for non-root guys by design.  Once the privs are dropped you can't even enter the dir let alone open anything.  If your unprivileged app is compromised, the worst he could do is truncate the open log file he himself has open.

>possible, have your initial log open happen with reduced privileges, but
>root may be required if the log file isn't pre-created.

Nope the issue is perms on the log dir, the way Fedora sets up Apache.

Copytruncate in logrotate seems to solve it at the cost of the race.

-Andy

>In logrotate you can add:
>
>create 0640 lwsd root
>
>To have logrotate pre-create an empty log file for you which lwsd will
>then end up opening (for which it will have write access now), and any
>user in the root group will be able to read it.
>
>I hope that helps.
>
>Kind Regards,
>Jaco
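
The thread's point that copytruncate only needs the log opened for appending write can be checked with the following added example (not code from the thread or from libwebsockets). It simulates one rotation against a descriptor that stays open, as lwsd's does after dropping privileges; the function name and temp path are assumptions, and `truncate()` stands in for logrotate's truncate step.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Simulate one copytruncate rotation against a daemon that keeps its log
 * fd open. Returns the file size after the post-rotation write, or -1.
 * extra_flags is O_APPEND (as in the thread) or 0 (for contrast).
 */
long size_after_copytruncate(int extra_flags)
{
    char path[] = "/tmp/lws-log-demo-XXXXXX";  /* constructed temp file */
    const char *before = "request 1\nrequest 2\nrequest 3\n"; /* 30 bytes */
    const char *after = "request 4\n";                         /* 10 bytes */
    struct stat st;
    long result = -1;
    int tmp, fd;

    tmp = mkstemp(path);
    if (tmp < 0) return -1;
    close(tmp);

    /* daemon side: opened once at startup, fd kept across privilege drop */
    fd = open(path, O_WRONLY | O_CREAT | extra_flags, 0640);
    if (fd < 0) goto out;
    if (write(fd, before, strlen(before)) != (ssize_t)strlen(before)) goto out_fd;

    /* logrotate side: after copying the contents, truncate in place */
    if (truncate(path, 0) < 0) goto out_fd;

    /* daemon side: next log line on the same, still-open fd */
    if (write(fd, after, strlen(after)) != (ssize_t)strlen(after)) goto out_fd;
    if (stat(path, &st) == 0) result = (long)st.st_size;
out_fd:
    close(fd);
out:
    unlink(path);
    return result;
}

int main(void)
{
    printf("O_APPEND:    %ld bytes\n", size_after_copytruncate(O_APPEND));
    printf("no O_APPEND: %ld bytes\n", size_after_copytruncate(0));
    return 0;
}
```

Without O_APPEND the descriptor keeps its old offset, so the rotated file starts with a run of NUL bytes as long as the previous log; with O_APPEND each write lands at the current end of file.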
