Bug 2181552 - Imjournal module ignores $FileCreateMode parameter
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rsyslog
Version: 7.9
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Attila Lakatos
QA Contact: BaseOS QE Security Team
Blocks: 2181559 2181560
Reported: 2023-03-24 13:52 UTC by Jesús Pérez Martínez
Modified: 2023-05-09 06:35 UTC

Clones: 2181559 2181560
Last Closed: 2023-05-09 06:35:01 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-153242 0 None None None 2023-03-28 09:57:09 UTC
Red Hat Issue Tracker SECENGSP-5134 0 None None None 2023-03-28 09:57:23 UTC

Description Jesús Pérez Martínez 2023-03-24 13:52:44 UTC
Description of problem:
 
The imjournal module is not checking the legacy $FileCreateMode parameter, and as a consequence the imjournal state file is being created with a different mode than expected.
 
Currently, defining the mode for this file is not possible.
 
Version-Release number of selected component (if applicable):
From at least rsyslog-8.24.0-57.el7_9.3 to latest.
 
How reproducible:
Always
 
Steps to Reproduce:
1. Set $umask 0000
2. Set the desired $FileCreateMode
3. Configure the imjournal module and $imjournalStateFile
4. Check the mode of the imjournal state file
 
Actual results:
The mode is not the expected one because $FileCreateMode is not being checked.
 
Expected results:
The imjournal state file is created with the mode declared with $FileCreateMode.

Comment 3 Attila Lakatos 2023-03-28 09:56:12 UTC
Hello,

The $FileCreateMode is an action specific legacy parameter for the omfwd module. It does not have an impact on the other specified modules, such as imjournal.
If you want to alter file mode bits on file creation, you need to adjust the umask global option.

Just a note: I highly suggest switching from the legacy rsyslog syntax to the new RainerScript version. It is much more readable and administrator-friendly. I can help with that if needed.

Comment 4 Stepan Broz 2023-03-28 11:15:51 UTC
The $FileCreateMode is a legacy GLOBAL configuration parameter and is documented as such, not as a plugin specific option of omfile (not omfwd).
Note that e.g. imptcp, omprog, etc. seem to check the global and have their own, too.

The omfile module has its own "filecreatemode" option that one can use in the modern syntax, however, there is no such option for imjournal and the legacy global is not respected.

The desired outcome of this BZ is:

   1. Ensure that the legacy global is checked by the "imjournal" plugin.

AND

   2. New option to "imjournal" is provided that would allow setting the permissions specifically, hand in hand with the global $Umask setting, similarly to what omfile and other plugins do to allow full control over file permissions. This applies to both legacy and rainerscript configuration.

Comment 5 Attila Lakatos 2023-03-30 12:36:51 UTC
The problem described above is not a bug in rsyslog, because $filecreatemode is an action-specific (e.g. omfile, imptcp, ...) parameter.

As a workaround: By default, the rsyslog service file contains the UMask=0066 line. So if you do not set $umask inside the rsyslog configuration file,
then the state file will be created with the following permission: 0600. If you want to alter the mode bits for e.g. omfile action files, you can use
the $DirCreateMode and $FileCreateMode parameters.

As for specifying file mode bits for the state file, I've created an upstream PR [1]. However, if merged, this will work only with the new RainerScript syntax,
because upstream does not accept new features for the legacy syntax. Let me know if that helps.

RHEL-7.9 is already in Maintenance Support 2 Phase and we have a potential workaround, so the change will not land in 7.9. Thanks for your understanding.

[1] https://github.com/rsyslog/rsyslog/pull/5109
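
Added example, not part of the bug report or of rsyslog's code: a shell sketch of the umask arithmetic behind the workaround in comment 5, contrasted with the `$umask 0000` setting from the reproduction steps. It assumes the state file is created with a requested mode of 0666 (plain fopen()-style creation) and that GNU stat is available; the function names and temporary file names are hypothetical.

```shell
#!/bin/sh
# Added example: umask arithmetic for a file created without a mode option.
# Assumption: the creator requests mode 0666, as a plain fopen() does.

# effective_mode REQUESTED UMASK -> prints REQUESTED & ~UMASK as 4-digit octal
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# create_like_daemon PATH UMASK -> create PATH (must not exist yet) with a
# requested mode of 0666 under UMASK; the subshell keeps our own umask intact
create_like_daemon() {
    ( umask "$2" && : > "$1" )
}

# file_mode PATH -> permission bits in octal, e.g. 600 (GNU coreutils stat)
file_mode() {
    stat -c '%a' "$1"
}

# audit_mode PATH MAX -> 0 if PATH grants nothing beyond MAX, 1 if it grants
# more, 2 if PATH cannot be inspected
audit_mode() {
    actual=$(file_mode "$1") || return 2
    [ $(( 0$actual & ~0$2 & 07777 )) -eq 0 ]
}

# Constructed demo: the service default (UMask=0066) versus "$umask 0000"
demo() {
    dir=$(mktemp -d) || return 1
    for um in 0066 0000; do
        f="$dir/imjournal.state.$um"   # hypothetical file name
        create_like_daemon "$f" "$um"
        if audit_mode "$f" 0600; then verdict=ok; else verdict=too-permissive; fi
        echo "umask=$um predicted=$(effective_mode 0666 "$um")" \
             "actual=$(file_mode "$f") verdict=$verdict"
    done
    rm -rf "$dir"
}
demo
```

On a live system, point `audit_mode` at the path configured for the imjournal state file with the maximum mode your policy allows.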

Comment 6 Attila Lakatos 2023-05-09 06:35:01 UTC
Tracker for the feature request is available at https://bugzilla.redhat.com/show_bug.cgi?id=2181560 .

I am closing this BZ, see comment 5. If you think that there is additional work needed to be done by the engineering team, then feel free to reopen the issue.

