rsyslogd: file '/dev/console': open error: Permission denied

Bug #1890177 reported by Eric Desrochers
This bug affects 4 people
Affects           Status        Importance  Assigned to      Milestone
rsyslog (Ubuntu)  Confirmed     Undecided   Unassigned
Focal             Fix Released  Medium      Eric Desrochers

Bug Description

[Impact]

At the moment rsyslog cannot access /dev/console due to a permission/ownership mismatch between '/dev/console' and the Privilege Drop User and Group 'syslog' in rsyslog.

[Test Case]

* Deploy focal/20.04LTS (tested in gcloud instance)
* Install rsyslog
* systemctl restart rsyslog OR systemctl restart rsyslog
* Inspect /var/log/syslog for the following error:
syslog:Aug 4 14:37:56 <HOSTNAME> rsyslogd: file '/dev/console': open error: Permission denied [v8.2001.0 try https://www.rsyslog.com/e/2433 ]

[Regression potential]

https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1890177/comments/4

[Other information]

Other bug:
https://github.com/GoogleCloudPlatform/compute-image-packages/issues/889

[Original description]

The Privilege Drop options ($PrivDrop*) in focal's rsyslog both point to 'syslog' for the user and group, and don't match the ownership/permission of '/dev/console' generating the following:

syslog:Aug 3 15:16:58 <HOSTNAME> rsyslogd: file '/dev/console': open error: Permission denied [v8.2001.0 try https://www.rsyslog.com/e/2433 ]

Looking in Bionic/18.04LTS, '/dev/console' used to be root:syslog[1], nowadays it's root:tty[2]

[1] - Bionic/18.04LTS (Gcloud instance)
# ls -l /dev/console
crw--w---- 1 root syslog 5, 1 Aug 3 15:17 /dev/console

[2] - Focal/20.04LTS (Gcloud instance)
# ls -l /dev/console
crw--w---- 1 root tty 5, 1 Aug 3 17:19 /dev/console

# /etc/rsyslog.conf
$PrivDropToUser syslog
$PrivDropToGroup syslog

** As a debug exercise I did the following:
- Cannot reproduce the situation if I intentionally get rid of the PrivDrop* options.
- Cannot reproduce the situation if I intentionally add the 'syslog' user as a member of the 'tty' group.

Meaning that it's pretty obvious from the above that the permission denied error is caused by the mismatch between the ownership/permissions of '/dev/console' and the syslog user (PrivDropTo[User|Group]).

Other bug:
https://github.com/GoogleCloudPlatform/compute-image-packages/issues/889
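
Added example, not part of the original report or of rsyslog: a shell sketch of the owner/group/other write check behind the three cases described above (Bionic root:syslog, Focal root:tty, Focal with syslog added to tty). Mode 620 corresponds to the crw--w---- shown in the listings; all uid/gid numbers are constructed sample values and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classic Unix DAC write check. Exactly one class applies:
# owner, else group (primary or supplementary), else other.
# Not modelled: ACLs, capabilities other than root's bypass, AppArmor.

# can_write MODE OWNER_UID GROUP_GID UID "GID GID ..."
# MODE is the octal permission string, e.g. 620 for crw--w----.
# Returns 0 when a write open would be permitted, 1 otherwise.
can_write() {
    cw_mode=$((0$1)); cw_owner=$2; cw_group=$3; cw_uid=$4; cw_gids=$5
    if [ "$cw_uid" -eq 0 ]; then return 0; fi
    if [ "$cw_uid" -eq "$cw_owner" ]; then
        cw_bit=$((cw_mode & 0200))
    else
        cw_bit=$((cw_mode & 0002))
        for cw_g in $cw_gids; do
            if [ "$cw_g" -eq "$cw_group" ]; then
                cw_bit=$((cw_mode & 0020)); break
            fi
        done
    fi
    [ "$cw_bit" -ne 0 ]
}

# check_live USER PATH: the same check against the running system
# (GNU stat; `id -G` lists primary and supplementary group ids).
check_live() {
    can_write "$(stat -c %a "$2")" "$(stat -c %u "$2")" "$(stat -c %g "$2")" \
              "$(id -u "$1")" "$(id -G "$1")"
}

# Constructed ids: root=0, syslog uid=104, syslog gid=110, adm=4, tty=5.
report() {  # report LABEL MODE OWNER GROUP UID "GIDS"
    if can_write "$2" "$3" "$4" "$5" "$6"; then
        echo "$1: write allowed"
    else
        echo "$1: Permission denied"
    fi
}
report "Bionic, console root:syslog" 620 0 110 104 "110 4"
report "Focal, console root:tty"     620 0 5   104 "110 4"
report "Focal, syslog in tty"        620 0 5   104 "110 4 5"
```

On an affected host, `check_live syslog /dev/console` applies the same logic to the real ownership and group membership.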

Eric Desrochers (slashd)
tags: added: seg sts
description: updated
Eric Desrochers (slashd) wrote :

One easy fix would possibly be the following:

# debian/rsyslog.postinst
case "$1" in
    configure)
        adduser --system --group --no-create-home --quiet syslog || true
        adduser syslog adm || true
       +adduser syslog tty || true
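
Review bot: the added 'adduser syslog tty || true' line discards any failure, so if the group add does not take effect the postinst still exits cleanly and rsyslogd keeps hitting the '/dev/console' open error with nothing reported at install time. Consider printing a warning on failure instead of a bare '|| true', and add a comment above the line stating that the membership exists so the privilege-dropped syslog user can write to /dev/console (root:tty, crw--w----), since the grant applies to anything else that is writable by group tty.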

I have tested it in a PPA, and it works just fine:

Preparing to unpack .../rsyslog_8.2001.0-1ubuntu1+test2020307b1_amd64.deb ...
Unpacking rsyslog (8.2001.0-1ubuntu1+test2020307b1) over (8.2001.0-1ubuntu1) ...
Setting up rsyslog (8.2001.0-1ubuntu1+test2020307b1) ...
The user `syslog' is already a member of `adm'.
Adding user `syslog' to group `tty' ...
==> Adding user syslog to group tty <==
Done.
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3.1) ...

# /etc/group
tty:x:5:syslog

Łukasz Zemczak (sil2100) wrote :

Ok, thinking about it for a moment, I can't actually think of a way how this could have any adverse effects. rsyslog is anyway a very privileged thing (just by checking the capabilities), so adding it to tty should not really have any effect (as it already is meant to have rw access to tty's). Maybe I'm missing something here, but so far this feels safe.

As for the SRUability of that, I think this does count as a bugfix so in theory should be SRU material.

Eric Desrochers (slashd)
Changed in rsyslog (Ubuntu Focal):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Eric Desrochers (slashd)
Eric Desrochers (slashd)
description: updated
Eric Desrochers (slashd) wrote :

Thanks @sil2100 for your pre-approval comment.

I have uploaded it into focal upload queue.
It is now waiting for the official SRU team approval in order to start building in focal-proposed for the verification test phase.

- Eric

Eric Desrochers (slashd)
description: updated
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Eric, or anyone else affected,

Accepted rsyslog into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/rsyslog/8.2001.0-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in rsyslog (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (rsyslog/8.2001.0-1ubuntu1.1)

All autopkgtests for the newly accepted rsyslog (8.2001.0-1ubuntu1.1) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

systemd/245.4-4ubuntu3.2 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#rsyslog

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Eric Desrochers (slashd) wrote :

I have retried the autopkgtest test on ppc64el. It is failing on 'systemd-fsckd'.

Zach Bjornson (zbbjornson) wrote :

I've installed the proposed package on an affected system. I think this only affects us after a log rotation, so will let it sit over the weekend and report back on Monday. Thank you for the patch.

Eric Desrochers (slashd) wrote :

@zack

You could wait until the logrotate happens, which will then restart rsyslog itself, or you could simply do a manual restart using 'systemctl restart rsyslog' and then look in /var/log/syslog.

What triggers the error is at rsyslog startup, from what I have noticed during my test.

- Eric

Zach Bjornson (zbbjornson) wrote :

Looks like the fix works. Two rotations happened since I installed the update and we've had no errors since then.

Thanks again,
Zach

Eric Desrochers (slashd)
tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rsyslog - 8.2001.0-1ubuntu1.1

---------------
rsyslog (8.2001.0-1ubuntu1.1) focal; urgency=medium

  * d/rsyslog.postinst: (LP: #1890177)
    - Fix Permission denied access to /dev/console
    for privilege drop user and group syslog:syslog.

 -- Eric Desrochers <email address hidden> Tue, 04 Aug 2020 16:19:46 +0000

Changed in rsyslog (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for rsyslog has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rsyslog (Ubuntu):
status: New → Confirmed