<div dir="ltr">Also, you can tell it not to manage capabilities with the --no-caps command line option.<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div>
<br><div class="gmail_quote">On Wed, Apr 18, 2018 at 3:18 PM, Gergely Nagy <span dir="ltr"><<a href="mailto:algernon@balabit.com" target="_blank">algernon@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
<br>
>>>>> "Russenberger" == Russenberger Dominik <<a href="mailto:dominik.russenberger@terreactive.ch">dominik.russenberger@<wbr>terreactive.ch</a>> writes:<br>
<br>
Russenberger> Hi List,<br>
Russenberger> I recently noticed something very strange: although I run syslog-ng as<br>
Russenberger> an unprivileged user (with -u log -g log), newly created logfiles were<br>
Russenberger> owned by root. syslog-ng shows up running as user log in ps, as expected.<br>
<br>
Russenberger> In my opinion, there are 2 bugs in syslog-ng:<br>
Russenberger> * if I tell a daemon to run as unprivileged user I do not expect it to<br>
Russenberger> write files as user root. What syslog-ng is doing basically is faking<br>
Russenberger> being an unprivileged user, while retaining capabilities which are<br>
Russenberger> equivalent to full root permissions.<br>
Russenberger> Syslog-ng should imho either run as root, with capabilities;<br>
Russenberger> OR as unprivileged user without capabilities (except those<br>
Russenberger> explicitly given in --caps)<br>
Russenberger> * syslog-ng drops to the capabilities it gets told in --caps,<br>
Russenberger> but later g_process_cap_modify() ignores what was specified.<br>
<br>
While I agree about your conclusion that syslog-ng should not use more<br>
capabilities than it is told - or what it needs to -, I'd like to shed<br>
some light on why it tries to raise its capabilities despite you telling<br>
it to run with less.<br>
<br>
The reason is actually pretty simple: syslog-ng supports the `owner()`<br>
and `group()` options for some destinations, so that it can create<br>
output files as a different user than syslog-ng is running under. For<br>
this reason, whenever creating such files, it first tries to raise its<br>
capabilities, just to make sure it can create them. We currently do not<br>
keep track of whether this is required or not, we try to raise anyway.<br>
<br>
We should probably change that, and only raise capabilities if we really<br>
need to. This should solve the issue you are seeing.<br>
<span class="HOEnZb"><font color="#888888"><br>
-- <br>
|8]<br>
</font></span><div class="HOEnZb"><div class="h5">______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br></div>