ttyrpld

 
Name > rpld - tty logging daemon
 
Synopsis >

rpld [-D rpldev] [-I] [-O ofmt] [-Q] [-U user] [-c configfile] [-s] [-v]

 
Description >

rpld is the user-space daemon that reads /dev/rpl and demultiplexes the data into different files depending on which tty it was logged from. It also adds a timestamp to each packet so that replaying can be done in real time.

 
Options >
-D rpldev Path to the rpl device, e.g. /dev/rpl. You usually do not need this option, since rpld tries to find the RPL kernel module automatically.
-I Start the infod component if it was not already started automatically through the INFOD_START configuration variable.
-O string Overrides the hardcoded and configuration file values (processed so far) for the log file naming scheme. You can use the printf-like placeholders explained below. A subsequent -c may override this again if an OFMT variable is found in that configuration file.
-Q Debug option: do not create log files (opens /dev/null instead).
-U user Drop all privileges and change to user after initialization (memory lock, creating and opening the rpl device). This can be either a username or a numeric UID. Make sure that the user can create files according to -O/OFMT.
-c file Load configuration variables from file. The in-memory copies of the variables are not changed if no such variable name is found in the file. Unknown variable names in the configuration file are also ignored.
-s Print warnings and error messages to syslog rather than stderr.
-v Print statistics about recorded packets on stdout while rpld is running.
 
Privilege separation >

rpld can change to another user's identity after the initialization phase is complete, even though this is not strictly required: there is very little to exploit (if anything at all), and any exposure is local only. The default package (from Jan Engelhardt) uses the daemon user. You can change this in the configuration file.

 
Logging >

rpld does not detach itself, which helps debugging; if you need it in the background, the startproc or setsid starter tools or bash's disown builtin can do that for you. The only time the daemon will print anything is either during initialization or when there is real trouble, like a memory allocation failure. Either way, error messages are rare and you need not worry about redirecting stderr.

You can run rpld with the -v option to enable printing statistics on stdout. Even if you did not specify -v, you can send rpld a SIGALRM signal to make it print the current statistics. That of course only makes sense when stdout is connected to something other than /dev/null or /dev/zero. You can send it multiple SIGALRMs, but in that case you should consider using -v instead.

In verbose mode (-v) the statistics are printed with a carriage return (\r) to move to the beginning of the line, which is not well suited to logging.

Basically, every tty is monitored, but certain kinds are excluded, like the master side of BSD ptys (major number 2) and Unix98 ptys (major numbers 128 to 135), because they merely mirror their slave sides with the direction reversed and are rarely useful.

Each recorded packet also carries a timestamp, but ttyreplay is not yet advanced enough to display it. Hopefully the user has a clock set up in his shell prompt. ;-)

rpld will divert logging of a tty to a new file when the tty inode is opened the next time and the owner of it has changed. This makes logins on vc-* [/dev/ttyN] go to the right file. Note that `su` does not change the ownership, so both sessions (normal and su'ed) will go into the same file. (And that's good, because it then logs by "real person" rather than login name.) The byte count statistics are zeroed upon change detection.

 
Configuration file >

Configuration files have a simple KEY=VALUE syntax. Empty lines, lines beginning with a hash mark (#) and unrecognized keys are ignored. rpld will try to load rpld.conf from the current working directory on top of the hardcoded defaults. The possible configuration variables (keys) are:

OVDEVICE By default, rpld dynamically finds out the rpl device (i.e. major/minor) number. You can override this detection by specifying one or more devices, separated by a colon (:). If multiple devices are given, the first one which can be opened successfully is read from.
FBDEVICE If the RPL device could not be opened, rpld uses the fallback devices specified in FBDEVICE, again separated by a colon if multiple should be tried.
OFMT Combines the directory to write the tty recordings into (relative to the working directory of rpld) and the name of the log files. Note that the working directory of rpld depends on where it was started from, i.e. with startproc, the CWD is mostly the root path (/). It is wise to use absolute paths here. The following printf-style tags can be used in OFMT:

%d -- Time when the tty was opened (usually when someone logs in or an xterm is opened), in YYYYMMDD format.

%l -- Terminal (line) the user logged on to. The string is taken from a string database. Typical strings are vc-%d for virtual consoles, pts-%d for pseudo-terminals, ttyS%d for serial lines. If there is no matching string entry, the device number is used.

%u -- User who owned the tty when it was opened. If the device could not be stat()'ed, %u substitutes to "NONE". If the UID could not be translated into a name, the numeric UID is printed instead.

USER User to change to after all initialization. Make sure that the user can create files according to OFMT.
START_INFOD Starts the infod component.
INFOD_PORT Specify the path of the socket which infod provides for clients. The default value is /var/run/.rplinfod_socket.
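As an added illustration (not code from ttyrpld itself), the following Python mimics the configuration semantics described in this section: KEY=VALUE parsing that skips comments, blank lines and unknown keys while leaving untouched values alone, colon-separated device lists, the %l line names for the standard Linux tty major numbers, and OFMT expansion with the "NONE" and numeric-UID fallbacks of %u. The key list, the tty-number mapping, the device-number fallback format and the sample rpld.conf are assumptions made for this example.

```python
import pwd
import re
import time
# Keys rpld.conf recognises according to this man page; anything else is ignored.
KNOWN_KEYS = ("OVDEVICE", "FBDEVICE", "OFMT", "USER", "START_INFOD", "INFOD_PORT")
# Constructed sample rpld.conf: a comment, a blank line and one unknown key.
SAMPLE_CONF = "# constructed\n\nOFMT=/var/log/rpl/%d/%l-%u\nBOGUS=1\nFBDEVICE=/dev/shm/rpl:/tmp/rpl\n"

def load_conf(text, conf):
    """Apply KEY=VALUE lines on top of conf; keys absent from text keep their value."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # empty lines and comments are skipped
        key, value = (s.strip() for s in line.split("=", 1))
        if key in KNOWN_KEYS:  # unknown keys are ignored rather than stored
            conf[key] = value
    return conf

def device_candidates(value):
    """OVDEVICE/FBDEVICE are colon-separated; rpld reads the first one it can open."""
    return [p for p in value.split(":") if p]

def tty_line_name(major, minor):
    """Mimic the %l string database with the standard Linux tty major numbers (assumed)."""
    if major == 4:  # /dev/ttyN below minor 64, /dev/ttySN from 64 on
        return "vc-%d" % minor if minor < 64 else "ttyS%d" % (minor - 64)
    if 136 <= major <= 143:  # Unix98 pty slave side, /dev/pts/N
        return "pts-%d" % ((major - 136) * 256 + minor)
    return "%d:%d" % (major, minor)  # no entry: fall back to the device number

def user_name(uid):
    """%u: NONE if the tty could not be stat()'ed, the bare UID if it cannot be resolved."""
    if uid is None:
        return "NONE"
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def expand_ofmt(fmt, opened, line, uid):
    """Expand the %d/%l/%u placeholders of OFMT; everything else passes through."""
    subst = {"d": time.strftime("%Y%m%d", opened), "l": line, "u": user_name(uid)}
    return re.sub(r"%([dlu])", lambda m: subst[m.group(1)], fmt)

def demo():  # name the log for vc-3, opened 2024-01-15 by a tty that could not be stat()'ed
    conf = load_conf(SAMPLE_CONF, {"OFMT": "%l.log", "USER": "daemon"})
    opened = time.strptime("2024-01-15", "%Y-%m-%d")  # constructed open time
    return expand_ofmt(conf["OFMT"], opened, tty_line_name(4, 3), None)
```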
 
Technical Details >

rpld looks into /proc/misc to find the minor number of "rpl" (the name the module passes to the misc device layer). It then tries to create a device node in ., /dev/shm and /tmp, in that order, which it opens and then immediately unlinks.
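Added example, not taken from the ttyrpld sources: parsing /proc/misc for the minor number registered as "rpl" (misc devices share major number 10, and each /proc/misc line is "minor name"), followed by the create, open and unlink sequence over the candidate directories named above. The /proc/misc excerpt and the node name are constructed; the behaviour when mknod succeeds but open fails is an assumption of this example.

```python
import os
import stat

MISC_MAJOR = 10  # all misc devices share major 10; /proc/misc lists "minor name"

# Constructed /proc/misc excerpt; the rpl line is the one rpld looks for.
SAMPLE_PROC_MISC = " 60 rpl\n183 hw_random\n228 hpet\n"

def misc_minor(proc_misc_text, name="rpl"):
    """Return the minor number registered under name, or None if the module is absent."""
    for line in proc_misc_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1] == name:
            return int(fields[0])
    return None

def open_rpl_device(minor, dirs=(".", "/dev/shm", "/tmp")):
    """Create a transient char device node in the first directory that allows it,
    open it and unlink it again, so only the open descriptor survives.
    Needs root or CAP_MKNOD; the node name with the PID is this example's choice."""
    dev = os.makedev(MISC_MAJOR, minor)
    for d in dirs:
        path = os.path.join(d, "rpl.%d" % os.getpid())
        try:
            os.mknod(path, stat.S_IFCHR | 0o600, dev)
        except OSError:
            continue  # directory not writable or mknod not permitted: try the next one
        try:
            return os.open(path, os.O_RDONLY)
        finally:
            os.unlink(path)  # the node disappears whether or not open() succeeded
    raise OSError("could not create an rpl device node in any candidate directory")

def rpl_device_number(proc_misc_text):
    """Full device number rpld would create a node for, or None without the module."""
    minor = misc_minor(proc_misc_text)
    return None if minor is None else os.makedev(MISC_MAJOR, minor)
```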

 
See also > ttyreplay(1)