On Wed, Mar 09, 2005 at 01:06:11PM +0000, Nix wrote:
>> An interesting technique that allows a program (such as a log writer)
>> to run as an unprivileged user, while receiving privileged data. (taken
>> almost verbatim from Gerrit Pape's socklog)
>>
>> #!/bin/sh
>> exec </proc/kmsg
>> exec 2>&1
>> exec softlimit -m 2000000 setuidgid nobody socklog ucspi
>>
>> This script, run by root takes its stdin from /proc/kmsg then combines
>> its stdout and stderr, and exec-switches to the socklog program run
>> as an ucspi application listening to the domain stream socket, as
>> nobody:nogroup, with memory consumption limited to 2Mb. (and sends
>> log to stdout)
>
>This is definitely redirection, not piping. As far as I know the
>implementation of redirection in the kernel remains unchanged: certainly
>the need to buffer piped data doesn't exist in this case, and since the
>redesign was of the buffering, this is probably not your problem :)
>
>> It worked flawlessly until several kernel revs back when the kernel
>> started protecting kmsg and wouldn't allow the user program to receive
>> it,
>
>Indeed.
>
>> result: nothing sent to the logging program and no error. The fix
>> was to run socklog as root instead of nobody.
>
>You should be able to open it as root and read from it as another user:
>i.e., your technique above shouldn't break. (I'd hope.)

Here is a nice proof that kmsg did become a problem around 2.6.0
http://article.gmane.org/gmane.comp.misc.pape.general/595
http://thread.gmane.org/gmane.comp.misc.pape.general/590

It (Gerrit Pape's technique) very definitely stopped working a few revs
back (2.6.7?).

I'm seeing a similar failed read from /dev/rtc and mplayer
with 2.6.10, now too.
http://lkml.org/lkml/2005/3/8/226

while read file; do mplayer $file ; done <mediafiles.txt
Failed to open /dev/rtc: Permission denied

for file in `cat mediafiles.txt`; do mplayer $file ; done
works.

// George

--
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:[EMAIL PROTECTED]
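
The open-then-drop order that the quoted script relies on, written out as an added C example (not code from this thread or from socklog), with the read result checked so that a refusal after the drop is reported instead of producing an empty log. The function names, the constructed temporary file standing in for /proc/kmsg, and uid/gid 65534 for "nobody" are assumptions.

```c
#define _DEFAULT_SOURCE            /* for setgroups() and mkstemp() */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Permanently drop root to uid/gid; returns 0 on success or if not root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 0;      /* nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;    /* regaining root must fail */
}

/* Open first, drop second, read third.
 * Returns bytes read, -1 if open/read failed (errno set), -2 if the drop failed. */
ssize_t open_drop_read(const char *path, uid_t uid, gid_t gid,
                       char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);     /* checked against the launch-time identity */
    if (fd < 0) return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -2;
    }
    ssize_t n = read(fd, buf, len);    /* a read-time check in the kernel fails here */
    close(fd);
    return n;
}

int main(void)
{
    char path[] = "/tmp/open_drop_XXXXXX", buf[128];
    const char *msg = "<6>constructed sample line\n";  /* constructed input */
    int tfd = mkstemp(path);
    if (tfd < 0 || write(tfd, msg, strlen(msg)) < 0)
        return 1;
    close(tfd);
    ssize_t n = open_drop_read(path, 65534, 65534, buf, sizeof buf);
    if (n == -2) fputs("privilege drop failed\n", stderr);
    else if (n < 0) perror("open/read after drop");    /* report, never stay silent */
    unlink(path);
    return (n >= 0 && fwrite(buf, 1, (size_t)n, stdout) == (size_t)n) ? 0 : 1;
}
```

For a regular file the read after the drop succeeds, because access is checked when the descriptor is opened; a file whose driver checks again on each read returns -1 from `read()` instead, which this wrapper reports.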