/proc/kmsg: Permission denied.

Keyinator

Member
Jan 29, 2022
Hello, I have the following problem on an Ubuntu 21.10 LXC:
```
Apr 27 17:48:40 game-dev rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Apr 27 17:48:40 game-dev rsyslogd: activation of module imklog failed [v8.2102.0 try https://www.rsyslog.com/e/2145 ]
```

I found it while trying to enable logging for iptables.
Any idea how this could be fixed?

I can't even open the file as root
 
I have just looked and seen that other files in ``/proc`` can be opened, for example ``/proc/uptime``.

Edit:
The permissions between kmsg and keys are different but should be readable by root. I am able to open keys, however, and not kmsg.
Imgur-Link if the attachment does not open: https://i.imgur.com/AavYxrG.png
Keep the user remapping of unprivileged LXCs in mind. UID/GID 0 to 65535 on the host are mapped to UID/GID 100000 to 165535 inside the LXC. So your LXC's root (shown as UID 0 inside the LXC) is in reality just an unprivileged user with UID 100000 on the host. If something is owned by nobody:nogroup, your unprivileged root doesn't always have access to it. If you, for example, bind-mount a folder owned by UID 1000 from the host into the LXC without editing the user remapping, it will be shown as owned by nobody:nogroup and even your LXC's root won't be able to access it.
> Keep the user remapping of unprivileged LXCs in mind. UID/GID 0 to 65535 on the host are mapped to UID/GID 100000 to 165535 inside the LXC. So your LXC's root (shown as UID 0 inside the LXC) is in reality just an unprivileged user with UID 100000 on the host. If something is owned by nobody:nogroup, your unprivileged root doesn't always have access to it. If you, for example, bind-mount a folder owned by UID 1000 from the host into the LXC without editing the user remapping, it will be shown as owned by nobody:nogroup and even your LXC's root won't be able to access it.

Ah. That makes sense.
I am not sure what the right way to "fix" this would be.
Using ``chmod 444 /proc/kmsg``? And would this pose any security risks?

Edit:
``chmod 444 /proc/kmsg`` on the node did not help :(
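
The remapping discussed in this thread can be worked through with the kernel's ID-map format (`/proc/<pid>/uid_map`), which shows why a file owned by a host UID outside the mapped range appears as nobody inside the container. This is an added example, not part of the original posts; the sample map line is constructed for a default unprivileged container, and the function names are hypothetical.

```python
"""Translate UIDs through a user-namespace map (format of /proc/<pid>/uid_map)."""

OVERFLOW_ID = 65534  # kernel default overflow UID, displayed as "nobody"

# Constructed sample (assumption): map of a default unprivileged container,
# one line of "<first ID inside> <first ID on host> <count>".
SAMPLE_UID_MAP = "         0     100000      65536\n"


def parse_id_map(text):
    """Return a list of (inside_start, host_start, count) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def to_host(container_id, ranges):
    """Host ID behind an ID seen inside the container, or None if unmapped."""
    for inside, host, count in ranges:
        if inside <= container_id < inside + count:
            return host + (container_id - inside)
    return None


def to_container(host_id, ranges):
    """ID the container sees for a host ID; unmapped IDs show as the overflow ID."""
    for inside, host, count in ranges:
        if host <= host_id < host + count:
            return inside + (host_id - host)
    return OVERFLOW_ID


if __name__ == "__main__":
    ranges = parse_id_map(SAMPLE_UID_MAP)
    print("container root (UID 0) is host UID", to_host(0, ranges))
    # Host UIDs 0 and 1000 lie outside the mapped range; 100000 and 101000 lie inside.
    for owner in (0, 1000, 100000, 101000):
        seen = to_container(owner, ranges)
        label = "nobody" if seen == OVERFLOW_ID else str(seen)
        print(f"file owned by host UID {owner} appears inside as {label}")
```

Inside a container, the output of `cat /proc/self/uid_map` can be passed to `parse_id_map` in place of the constructed sample.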