Hi List,

I recently noticed something very strange: although I run syslog-ng as an unprivileged user (with -u log -g log), newly created logfiles were owned by root. syslog-ng shows up running as user log in ps, as expected.

The culprit turned out to be linux capabilities. No problem I thought, I just add a "--caps 'CAP_NET_BIND_SERVICE=epi'" command line parameter (binding ports <1024 is the only capability I need). But then I was getting flooded by messages like this:

    syslog-ng[25657]: Error managing capability set, cap_set_proc returned an error; caps='= cap_net_bind_service+eip cap_fowner+e', error='Operation not permitted (1)'

In my opinion, there are 2 bugs in syslog-ng:

* if I tell a daemon to run as unprivileged user I do not expect it to write files as user root. What syslog-ng is doing basically is faking being an unprivileged user, while retaining capabilities which are equivalent to full root permissions. Syslog-ng should imho either run as root, with capabilities; OR as unprivileged user without capabilities (except those explicitly given in --caps)
* syslog-ng drops to the capabilities it gets told in --caps, but later g_process_cap_modify() ignores what was specified.

Some notes about my environment:

- the OS is an Ubuntu remix. I'm recompiling syslog-ng 3.11.1 from Ubuntu Artful, with some changed configure flags (see below)
- there are multiple syslog-ng instances running. One for the system itself (as root), and multiple other syslogs receiving incoming logs over udp/tcp (running as user log)

My syslog-ng version:

    syslog-ng 3 (3.11.1)
    Installer-Version: 3.11.1
    Revision:
    Compile-Date: Apr 10 2017 14:06:00
    Module-Directory: /usr/lib/syslog-ng/3.11
    Module-Path: /usr/lib/syslog-ng/3.11
    Available-Modules: disk-buffer,afsocket,afprog,system-source,kvformat,cef,affile,date,cryptofuncs,basicfuncs,confgen,pseudofile,csvparser,afuser,syslogformat,dbparser,linux-kmsg-format
    Enable-Debug: off
    Enable-GProf: off
    Enable-Memtrace: off
    Enable-IPv6: on
    Enable-Spoof-Source: off
    Enable-TCP-Wrapper: off
    Enable-Linux-Caps: on
    Enable-Systemd: off

Thanks,
Dominik
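
Added example (not part of the original post and not syslog-ng code): a small audit that decodes the CapInh/CapPrm/CapEff masks from /proc/<pid>/status and reports every capability a process holds beyond an allowlist, which is how the situation described above shows up for a process whose uid is unprivileged. The sample status text, the uid 104 and the masks are constructed for illustration; the function names are hypothetical.

```python
"""Audit a process's capability sets against what its operator intended."""

# Capability names indexed by bit number (linux/capability.h).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# Constructed sample: unprivileged uid, only net_bind_service effective,
# but file-ownership and DAC-bypass capabilities still in the permitted set.
SAMPLE_STATUS = """\
Name:\tsyslog-ng
Uid:\t104\t104\t104\t104
CapInh:\t0000000000000000
CapPrm:\t000000000000040f
CapEff:\t0000000000000400
"""


def decode_mask(hex_mask):
    """Turn a hex capability mask into a set of cap_* names."""
    bits, bit, names = int(hex_mask, 16), 0, set()
    while bits:
        if bits & 1:
            known = bit < len(CAP_NAMES)
            names.add("cap_" + CAP_NAMES[bit] if known else f"cap_{bit}")
        bits >>= 1
        bit += 1
    return names


def audit_status(status_text, allowed):
    """Return (effective uid, {set name: capabilities not in `allowed`})."""
    fields = dict(
        line.split(":", 1) for line in status_text.splitlines() if ":" in line
    )
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    excess = {}
    for key in ("CapInh", "CapPrm", "CapEff"):
        extra = decode_mask(fields[key].strip()) - set(allowed)
        if extra:
            excess[key] = sorted(extra)
    return euid, excess


if __name__ == "__main__":
    print(audit_status(SAMPLE_STATUS, {"cap_net_bind_service"}))
```

Checking CapPrm as well as CapEff matters because a capability that is only permitted can be raised into the effective set later by the process itself.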