On Wed, 2011-01-19 at 09:35 -0800, Matthew Hall wrote:
On Wed, Jan 19, 2011 at 06:17:40PM +0100, bugzilla@bugzilla.balabit.com wrote:
--- Comment #1 from Arkadiusz MiĆkiewicz <arekm@maven.pl> 2011-01-19 18:17:40 --- Solution used in PLD/Linux: http://cvs.pld-linux.org/cgi-bin/cvsweb/packages/syslog-ng/cap_syslog.patch
+ sscanf(uts.release, "%d.%d.%d", &x, &y, &z); + kernel_version = LINUX_VERSION(x, y, z);
That patch is not resilient in format changes in the string.
If I take stuff out or add weird stuff then *.scanf functions will corrupt the stack.
It would be better to use a regex with capture groups and check for the right count of them, then pass that to the version macro.
I'd suggest another approach (though, I've yet to figure out if it is possible): try to detect whether CAP_SYSLOG is supported, and use it over CAP_SYS_ADMIN if it is, then fall back to CAP_SYS_ADMIN. This would have the advantage of not requiring kernel version sniffing, which can be misleading. My guess would be that if cap_set_proc() fails with CAP_SYSLOG set, then we can fall back to CAP_SYS_ADMIN. But like I said, this is unverified, untested, and so on. I just don't trust version sniffing in any shape or form. -- |8]