macOS LOGREADER should be unbuffered

Create issue
Issue #82 open created an issue

On macOS 10.12+, using the recommended LOGREADER example works, but since the output is sent into a pipe, the parser doesn't see the log lines until the pipe buffer has filled. That allows multiple attack attempts to occur before sshguard intercepts.

I was able to fix this by using the unbuffer command from the expect package and editing the sshguard script:

export HOME=/Users/Shared # needs to be set for tcl file expansion tailcmd="/usr/local/bin/unbuffer $LOGREADER"

But this is not a desirable solution because it requires the installation of the expect package.

This problem applies to any situation where LOGREADER is used and the originating process cannot be set to unbuffer stdout.

Comments (5)

  1. reporter

    Modifying LOGREADER to be "HOME=/Users/Shared /usr/local/bin/unbuffer /usr/bin/log stream..." also works.

  2. Daniel Aleksandersen

    I havne’t got the time to test right now, but does any of these solve your problem? I’ll get around to fixing it this weekend if you could test these, @jinschoi.

    # 1)
    $LOGREADER | grep --line-buffered '^'
    # 2)
    $LOGREADER | while read line ; do echo $line
  3. reporter

    No. I already tried the first. The issue is that on most Unix systems, stdout is buffered when it is going to a pipe. There is nothing that can be done on the right side of the pipe that will fix the problem. Unbuffer works by running the process in a pty, which makes the output be line buffered.

  4. Log in to comment