https://bugzilla.balabit.com/show_bug.cgi?id=42

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Balazs Scheidler <bazsi@balabit.hu> 2009-04-29 17:39:19 ---
(In reply to comment #0)
> Let's take a look at syslog-ng-3.0.1/src/affile.c lines 60-83
>
> 1. CAP_SYS_ADMIN is needed only for /proc/kmsg, it is added w/o check
> 2. CAP_DAC_READ_SEARCH should be added only if open fails with errno 13
> 2a. CAP_DAC_OVERRIDE should be added only if open fails with errno 13 and with CAP_DAC_READ_SEARCH set

well, I wouldn't want to complicate enabling those capabilities too much.
Currently those capabilities are only enabled for /proc/kmsg and nothing else.
(see the check for AFFILE_PRIVILEGED in affile_sd_new)

so the effects are already quite limited, I wouldn't want to complicate matters by adding errno 13 checks.

> 3. fchown needs CAP_CHOWN unconditionally
> 4. fchmod needs CAP_FOWNER if file owner != euid (root here)

I didn't know those. If these are needed for fchown/fchmod, do I need CAP_DAC_OVERRIDE at all? I was enabling DAC_OVERRIDE to be able to change owner/mode information, but as it seems that is not needed, right?

I've tested it and it does not seem to be needed, so I've removed DAC_OVERRIDE.

> 5. all caps should be restored

this was done:

  if (privileged)
    {
      g_process_cap_restore(saved_caps);
    }

however I've found one possible case when it wasn't disabled, thus I moved the 'save-caps' code a bit earlier.

> summary:
> - CAP_SYS_ADMIN and CAP_DAC_OVERRIDE are set always even if unnecessary, and permanently

no, this is not true.

> - owner, group and perm don't work
this should be fixed by this patch:

commit f96ae94df8abdc92402247682537404613db26b9
Author: Balazs Scheidler <bazsi@balabit.hu>
Date:   Wed Apr 29 17:38:49 2009 +0200

    [affile] fixed capability management around file opens (fixes: pub#42)

    caps are always saved not just in case of "privileged" operation.
    instead of using DAC_OVERRIDE use CAP_CHOWN and CAP_FOWNER for changing
    file ownership.

    Reported-By: Zbigniew Krzystolik
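
Added example, not part of the bug report or the syslog-ng source: a sketch of the pattern the commit message describes, saving the capability set unconditionally, raising only CAP_CHOWN and CAP_FOWNER around fchown/fchmod, and restoring the saved set on every path. The names caps_t, caps_get, caps_set and set_owner_mode are hypothetical, and the code uses the raw Linux capget/capset syscalls instead of syslog-ng's g_process_cap_* helpers.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Hypothetical wrapper around the two 32-bit words of a v3 capability set. */
typedef struct { struct __user_cap_data_struct d[2]; } caps_t;

int caps_get(caps_t *c) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    memset(c, 0, sizeof(*c));
    return (int) syscall(SYS_capget, &h, c->d);
}
int caps_set(const caps_t *c) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int) syscall(SYS_capset, &h, c->d);
}

/* Set owner and mode on fd with CAP_CHOWN and CAP_FOWNER effective only for
 * the two calls. The caps are saved before anything else and restored on
 * every path, so no early failure can leave them raised. */
int set_owner_mode(int fd, uid_t uid, gid_t gid, mode_t mode) {
    caps_t saved, raised;
    int rc = -1;
    if (caps_get(&saved) < 0)
        return -1;
    raised = saved;
    /* Both caps are < 32 (word 0); raise only what the process is permitted. */
    raised.d[0].effective |= saved.d[0].permitted &
                             ((1u << CAP_CHOWN) | (1u << CAP_FOWNER));
    if (caps_set(&raised) == 0 &&
        fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0)
        rc = 0;
    if (caps_set(&saved) < 0)   /* restore even when the operation failed */
        return -1;
    return rc;
}

int main(void) {
    char path[] = "/tmp/capdemoXXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    int rc = set_owner_mode(fd, (uid_t) -1, (gid_t) -1, 0640);
    printf("set_owner_mode: %s\n", rc == 0 ? "ok" : "failed");
    close(fd); unlink(path);
    return rc != 0;
}
```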