On Sun, 2011-05-08 at 12:26 +0200, Gergely Nagy wrote:
If cap_syslog exists, the kernel will complain (once) that we only have cap_sys_admin. Additionally, using cap_syslog instead of cap_sys_admin significantly lowers the unneeded privs we are using.
Upon startup, syslog-ng will detect whether CAP_SYSLOG is available, and use capabilities based on that finding. This detection will also have a side-effect, which will make it so that g_process_cap_modify(CAP_SYSLOG) will fall back to CAP_SYS_ADMIN, if CAP_SYSLOG support was not detected.
Thanks to Andrew Morgan for pointing out a nice way to detect whether the kernel has CAP_SYSLOG. Original code by Serge Hallyn, with minor changes based on Balazs Scheidler's review by Gergely Nagy.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Gergely Nagy <algernon@balabit.hu> ---
Applied with cosmetic changes (moved the function into the ENABLE_LINUX_CAPS block, the invocation of setup_caps() was changed a bit, so setup_caps() will call g_process_have_cap_syslog() on its own). Thanks -- Bazsi