Bug#1056066: systemd: rsyslog fails to start if /dev/xconsole exists

Michael Biebl biebl at debian.org
Fri Nov 17 02:13:35 GMT 2023


Control: reassign -1 rsyslog
Control: found -1 8.2310.0-2

On 16.11.23 at 19:53, Sven Joachim wrote:
> On 2023-11-16 18:12 +0100, Michael Biebl wrote:
> 
>> On 16.11.23 at 17:17, Sven Joachim wrote:
>> It appears that PrivateTmp=yes was locked down further and is now
>> remounted read-only (thanks bluca for the reference):
>> https://github.com/systemd/systemd/commit/4a9e03aa6bb2cbd23dac00f2b2a7642cc79eaade
> 
> Thanks, I had suspected something along these lines.


It's unlikely that systemd upstream is going to revert this behaviour 
change, so I'm going to reassign this issue to rsyslog to handle it there.

>> We basically have two options as I see it:
>>
>> a/ Drop PrivateDevices=yes from rsyslog.service
>>
>> b/ Move /dev/xconsole to run and turn /dev/xconsole into a symlink
>>
>>
>> The latter b/ will require updates to the local copies in
>> /etc/tmpfiles.d/ and /etc/rsyslog.d/
>>
>> They would look like this now:
>>
>> $ cat /etc/rsyslog.d/xconsole.conf
>> daemon.*;mail.*;\
>> 	news.err;\
>> 	*.=debug;*.=info;\
>> 	*.=notice;*.=warn	|/run/xconsole
>>
>> $ cat /etc/tmpfiles.d/xconsole.conf
>> # Type Path     Mode UID  GID  Age Argument
>> p /run/xconsole 0640 root adm
>> L /dev/xconsole -    -    -    -   /run/xconsole
>>
>> Conceptually, moving the named pipe out of /dev and into /run is the
>> cleaner solution I think. The /dev/xconsole symlink should make it
>> reasonably backwards compatible.
>>
>> Thoughts?
> 
> I think b/ and an appropriate debian/NEWS entry in rsyslog are
> preferable to softening security, even if it means some disruption for
> the minority of users who still monitor logs via xconsole.  But there
> may be more complaints once the changes arrive in testing.


Since b/ is my favorite as well, let's go with this.

> Personally I have made your proposed changes, and after restarting
> rsyslog and xconsole everything works fine again.

Thanks for testing.

Will poke you once I have an MR ready. Maybe you want to proofread the
NEWS entry.

Regards,
Michael
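
Added example, not part of the original message or of the rsyslog packaging: a shell audit that checks whether a tmpfiles.d/rsyslog.d pair matches option b/ as quoted above (FIFO at /run/xconsole, /dev/xconsole as a symlink, pipe action pointing at /run). The function names are hypothetical, and the "old" sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mail): audit xconsole config copies for option b/.

# tmpfiles.d: the FIFO must be created at /run/xconsole, /dev/xconsole must be
# a symlink to it, and no line may still create the FIFO under /dev.
check_tmpfiles() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        { t = substr($1, 1, 1) }                 # type letter, modifiers ignored
        t == "p" && $2 == "/dev/xconsole" { stale = 1 }
        t == "p" && $2 == "/run/xconsole" { fifo = 1 }
        t == "L" && $2 == "/dev/xconsole" && $7 == "/run/xconsole" { link = 1 }
        END { exit !(fifo && link && !stale) }
    ' "$1"
}

# rsyslog.d: the pipe action must target /run/xconsole, never /dev/xconsole.
check_rsyslog() {
    awk '
        $1 ~ /^#/ { next }                       # skip comment lines
        index($0, "|/dev/xconsole") { stale = 1 }
        index($0, "|/run/xconsole") { ok = 1 }
        END { exit !(ok && !stale) }
    ' "$1"
}

# audit_xconsole TMPFILES_CONF RSYSLOG_CONF: returns 0 only if both are migrated.
audit_xconsole() {
    rc=0
    if check_tmpfiles "$1"; then echo "ok:    $1"; else echo "stale: $1"; rc=1; fi
    if check_rsyslog "$2"; then echo "ok:    $2"; else echo "stale: $2"; rc=1; fi
    return "$rc"
}

# Constructed sample input: a pre-migration pair and the pair quoted in the mail.
make_samples() {
    d=$(mktemp -d) || return 1
    printf 'p /dev/xconsole 0640 root adm\n' > "$d/old.tmpfiles"
    printf 'daemon.*;mail.*;\\\n\t*.=notice;*.=warn\t|/dev/xconsole\n' > "$d/old.rsyslog"
    printf 'p /run/xconsole 0640 root adm\nL /dev/xconsole - - - - /run/xconsole\n' > "$d/new.tmpfiles"
    printf 'daemon.*;mail.*;\\\n\t*.=notice;*.=warn\t|/run/xconsole\n' > "$d/new.rsyslog"
    echo "$d"
}
```

On a host with local copies, call `audit_xconsole /etc/tmpfiles.d/xconsole.conf /etc/rsyslog.d/xconsole.conf`; a file that does not exist is reported as stale because awk cannot read it.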
