Serge Hallyn <serge.hallyn@ubuntu.com> writes:
+void +g_process_setup_caps(void) +{ +#ifdef CAP_SYSLOG + gchar * capsstr = "cap_net_bind_service,cap_net_broadcast,cap_net_raw," + "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p " + "cap_syslog,cap_sys_admin=ep"; +#else + gchar * capsstr = "cap_net_bind_service,cap_net_broadcast,cap_net_raw," + "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p " + "cap_sys_admin=ep"; +#endif + + g_process_set_caps(capsstr); +}
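Review bot: the capability set is chosen at compile time by `#ifdef CAP_SYSLOG`, so a binary built against a libcap that defines CAP_SYSLOG always hands `"cap_syslog,cap_sys_admin=ep"` to `g_process_set_caps()`, even on a host whose runtime libcap does not know the `cap_syslog` name, and the string will then be rejected rather than silently narrowed (the very case the reply below raises). Consider deciding at runtime instead: try the `cap_syslog` variant first and fall back to the `#else` string (`"cap_sys_admin=ep"` without `cap_syslog`) if it is refused, or assemble the list one capability at a time so an unrecognised name is dropped instead of aborting startup. Minor style point: both `gchar * capsstr = "..."` declarations point at string literals that are never modified, so `const gchar *capsstr` is the correct type.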
I seem to remember having tried something similar in the past, and deciding against it... as far as I remember, the issue was that if compiled with a libcap that supports CAP_SYSLOG, the binary would still be runnable on a system with an old libcap, which then wouldn't recognise cap_syslog and syslog-ng would refuse to start. I'm not 100% certain, as it was a while ago that I was working on this case, so please correct me if I'm wrong. (Yes, I do understand that this is a non-issue for most people, and it certainly is no problem for distributions)

--
|8]