https://bugzilla.balabit.com/show_bug.cgi?id=108 --- Comment #24 from Gergely Nagy <algernon@balabit.hu> 2011-07-08 12:36:31 --- (In reply to comment #23)
(In reply to comment #22)
(In reply to comment #21)
Created an attachment (id=39) --> (https://bugzilla.balabit.com/attachment.cgi?id=39) [details] Fix backported to 3.2.
---[snip]---
I backported it to 3.2, the (untested) patch is attached. It is also available from the bz/108/cap_syslog branch of my syslog-ng 3.2 git repo: http://git.balabit.hu/?p=algernon/syslog-ng-3.2.git;a=shortlog;h=bz/108/cap_...
Gergely,
The above syslog-ng 3.2 patch still has problems. In Fedora 15 systems the daemon fails to restart (RPM upgrade) and manually starting it produces the following error:
--------
syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,\ cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep
--------
There's something broken on Fedora, I believe. Including <sys/capability.h> results in CAP_SYSLOG being defined, the kernel knows it too, so g_process_check_cap_syslog() will return TRUE, and we assume that libcap knows about the capability as well (since sys/capability.h belongs to libcap-devel). But it doesn't. Fedora seems to have libcap 2.17, while CAP_SYSLOG was introduced in 2.20. And there's a discrepancy between the headers (which suggest CAP_SYSLOG is supported) and libcap.

I can modify the patch to fall back to cap_sys_admin=ep in case libcap does not support cap_syslog, but then we'd get the kernel warning again. The proper course of action would be to fix Fedora: either by upgrading libcap, or fixing the headers to not define CAP_SYSLOG (but then we're back to kernel warnings...).

In any case, in an up-to-date environment, where both the kernel and libcap support cap_syslog, my backport works. But if libcap doesn't support it, there's nothing syslog-ng can do.

To reiterate: the patch can handle the case where syslog-ng is compiled against a libcap that has cap_syslog, and run on a kernel that doesn't; it can properly fall back to cap_sys_admin if libcap doesn't support it (and it doesn't lie), even if the kernel does. But it can't possibly handle the case where sys/capability.h tells us it's supported, the kernel knows about it, but the libcap library doesn't.
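To make the three-way mismatch concrete, here is an added example (not the backport patch from this bug, and not libcap's own code): it models libcap's compiled-in capability name table and the name resolution cap_from_text() performs, using a constructed, abbreviated table, and shows why the Fedora string above fails against a libcap that stops at cap_mac_admin (33) but parses against one that knows cap_syslog (34), plus the header/kernel/library decision that falls back to cap_sys_admin.

```c
/* Added example: a model of libcap's name lookup, not libcap itself.
 * cap_from_text() resolves names via a table compiled into the library, so a
 * library older than the headers (libcap 2.17 vs. headers defining CAP_SYSLOG)
 * rejects "cap_syslog" even though the macro exists and the kernel supports it. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Constructed, abbreviated name table indexed by capability number; gaps are NULL. */
static const char *cap_names[] = {
    [0] = "cap_chown", [1] = "cap_dac_override", [2] = "cap_dac_read_search",
    [3] = "cap_fowner", [10] = "cap_net_bind_service", [11] = "cap_net_broadcast",
    [13] = "cap_net_raw", [21] = "cap_sys_admin", [33] = "cap_mac_admin",
    [34] = "cap_syslog",
};

/* Model of the library's name lookup: lib_last_cap is the highest capability the
 * installed libcap was built with (33 for 2.17, 34 for 2.20). -1 = unknown name. */
static int lib_cap_from_name(const char *name, int lib_last_cap)
{
    int n = (int)(sizeof cap_names / sizeof *cap_names);
    if (lib_last_cap >= n) lib_last_cap = n - 1;
    for (int i = 0; i <= lib_last_cap; i++)
        if (cap_names[i] && strcmp(cap_names[i], name) == 0)
            return i;
    return -1;
}

/* Model of cap_from_text(): every name in "a,b=p c=ep" must resolve.
 * Returns 0 on success, -1 if any name is unknown to the library. */
static int lib_cap_from_text(const char *text, int lib_last_cap)
{
    char buf[256], *save, *clause;
    strncpy(buf, text, sizeof buf - 1); buf[sizeof buf - 1] = 0;
    for (clause = strtok_r(buf, " ", &save); clause; clause = strtok_r(NULL, " ", &save)) {
        char *eq = strchr(clause, '='), *s2, *name;
        if (eq) *eq = 0;                         /* drop the "=p" / "=ep" flags */
        for (name = strtok_r(clause, ",", &s2); name; name = strtok_r(NULL, ",", &s2))
            if (lib_cap_from_name(name, lib_last_cap) < 0) return -1;
    }
    return 0;
}

/* Decision described in the comment: use cap_syslog only when the headers, the
 * kernel AND the library all know it; otherwise fall back to cap_sys_admin
 * (which works, but triggers the kernel's deprecation warning). */
static const char *select_cap_clause(int header_has, int kernel_has, int lib_last_cap)
{
    if (header_has && kernel_has && lib_cap_from_name("cap_syslog", lib_last_cap) >= 0)
        return "cap_syslog=ep";
    return "cap_sys_admin=ep";
}
```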