[syslog-ng] [PATCH] gprocess: Implement stricter CAP_SYSLOG checking.

Gergely Nagy algernon at balabit.hu
Sun Sep 25 13:43:33 CEST 2011


Some distributions ship libcap with headers generated from the kernel
sources, instead of the headers of libcap itself, resulting in the
headers and the library disagreeing about what capabilities are
supported.

For this reason, before deciding whether CAP_SYSLOG is supported,
verify that libcap can actually parse it, and fall back to
CAP_SYS_ADMIN if it can't.

The benefit of this is that even if run on such a system, syslog-ng
will still continue to work (albeit triggering a kernel warning)
instead of terminating.

Signed-off-by: Gergely Nagy <algernon at balabit.hu>
---
 lib/gprocess.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/lib/gprocess.c b/lib/gprocess.c
index e9315d9..b0925fb 100644
--- a/lib/gprocess.c
+++ b/lib/gprocess.c
@@ -328,6 +328,14 @@ g_process_check_cap_syslog(void)
   if (ret == -1)
     return FALSE;
 
+  ret = cap_from_name("cap_syslog", NULL);
+  if (ret == -1)
+    {
+      fprintf (stderr, "CAP_SYSLOG seems to be supported by the system, but "
+	       "libcap can't parse it. Falling back to CAP_SYS_ADMIN!\n");
+      return FALSE;
+    }
+
   have_capsyslog = TRUE;
   return TRUE;
 }
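
Review bot: The new cap_from_name("cap_syslog", NULL) call depends on libcap accepting a NULL output pointer; passing the address of a local cap_value_t would remove that dependency at the cost of one unused variable. The reason for the lookup (headers and library can disagree about supported capabilities) is only in the commit message, so a short comment above the call would help the next reader of g_process_check_cap_syslog(). The failure branch also returns FALSE without recording the result, while only the success path sets have_capsyslog, so if this function is called more than once the lookup is repeated and the warning is printed again each time. Because the fallback is to the much broader CAP_SYS_ADMIN, it is worth confirming that stderr is still visible to the operator at the point this runs, or routing the message through the normal logging path.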
-- 
1.7.6.3



