[Bug 1890177] Re: rsyslogd: file '/dev/console': open error: Permission denied

Ɓukasz Zemczak 1890177 at bugs.launchpad.net
Tue Aug 4 15:19:17 UTC 2020 

Ok, thinking about it for a moment, I can't actually think of a way how
this could have any adverse effects. rsyslog is anyway a very privileged
thing (just by checking the capabilities), so adding it to tty should
not really have any effect (as it already is meant to have rw access to
tty's). Maybe I'm missing something here, but so far this feels safe.

As for the SRUability of that, I think this does count as a bugfix so in
theory should be SRU material.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/1890177

Title:
  rsyslogd: file '/dev/console': open error: Permission denied

Status in rsyslog package in Ubuntu:
  New
Status in rsyslog source package in Focal:
  New

Bug description:
  The Privilege Drop options ($PrivDrop*) in focal's rsyslog both point
  to 'syslog' for the user and group, and don't match the
  ownership/permission of '/dev/console' generating the following:

  syslog:Aug  3 15:16:58 <HOSTNAME> rsyslogd: file '/dev/console': open
  error: Permission denied [v8.2001.0 try https://www.rsyslog.com/e/2433
  ]

  Looking in Bionic/18.04LTS, '/dev/console' used to be root:syslog[1],
  nowadays it's root:tty[2]

  [1] - Bionic/18.04LTS (Gcloud instance)
  # ls -l /dev/console
  crw--w---- 1 root syslog 5, 1 Aug  3 15:17 /dev/console

  [2] - Focal/20.04LTS (Gcloud instance)
  # ls -l /dev/console
  crw--w---- 1 root tty 5, 1 Aug  3 17:19 /dev/console

  # /etc/rsyslog.conf
  $PrivDropToUser syslog
  $PrivDropToGroup syslog

  ** As a debug exercise I did the following:
  - Cannot reproduce the situation if I intentionally get rid of the PrivDrop* options.
  - Cannot reproduce the situation if I intentionally add 'syslog' user member of 'tty' group.

  Meaning that it's pretty obvious with the above statement that the
  permission denied is caused by the permission/ownership mismatch
  between '/dev/console' 's ownership permission & syslog user
  (PrivDropTo[User|Group]).

  Other bug:
  https://github.com/GoogleCloudPlatform/compute-image-packages/issues/889

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1890177/+subscriptions

More information about the foundations-bugs mailing list