rsyslog stops writing to fifo on HUP

Bug #672953 reported by Petri Lehtinen on 2010-11-09
This bug affects 1 person
Affects Status Importance Assigned to Milestone
rsyslog (Ubuntu)

Bug Description

Binary package hint: rsyslog

I've configured rsyslog to output everything to a fifo like this:

*.* |/tmp/rsyslog-all.fifo

This is in its own configuration file in addition to the default configuration.

When logrotate sends the HUP signal to the rsyslog process, it stops writing to my fifo. I can also reproduce this by HUPing rsyslog myself.

Petri Lehtinen (petri) on 2010-11-09
description: updated
William Hidden (william-hidden) wrote :

I'd like to also add that if the configuration file has changed and you send rsyslog a HUP the new additions are not acted upon. A shutdown/restart are needed for the new configuration to take effect. This is contrary to what the man pages indicates about how rsyslog will handle a HUP signal.

Petri Lehtinen (petri) wrote :

I asked from the upstream author if this is known issue, and he said this:

    Ubuntu drops privileges, but their config is often not really up
    to that. Keep running as root for a test and check if the problem
    re-occurs. I guess not.

So I commented out the $PrivDropToUser and $PrivDropToGroup lines from /etc/rsyslog.conf and the problem disappeared. The next thing is to solve how the config should be made "up to" dropping privileges to avoid this issue.

@William Hidden: Have you reported a separate bug for you problem? Could you try if running as root helps to your issues, too?

Petri Lehtinen (petri) wrote :

It seems that this was partly my mistake, as the permissions of the fifo file were wrong. But this means that rsyslog opened the fifo before dropping privileges and was thus able to open it as root. When the HUP signal is sent, reopening the fifo fails because rsyslog is no longer run as root.

This is a known issue, and there's more info here: It seems that the privilege dropping has not been implemented in a very secure manner.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers