Hi! A short update on the progress of this report:
"Gabor" == Nagy, Gábor <gabor.nagy@balabit.com> writes:
In my opinion, there are 2 bugs in syslog-ng: >> * if I tell a daemon to run as unprivileged user I do not expect it to >> write files as user root. What syslog-ng is doing basically is faking >> being an unprivileged user, while retaining capabilities which are >> equivalent to full root permissions. >> Syslog-ng should imho either run as root, with capabilities; >> OR as unprivileged user without capabilities (except those >> explicitly given in --caps) >> * syslog-ng drops to the capabilities it gets told in --caps, >> but later g_process_cap_modify() ignores what was specified.
Gabor> 1. creating files as root: Gabor> I can confirm that files are created with root even if --user or Gabor> --group is used. Gabor> Although we call setuid() in gprocess at startup, during file opening Gabor> we use file permissions explicitly from the global config, which Gabor> defaults to root. Gabor> I think this is a bug too and we should solve it. I have opened issue #2002[1], lest we forget about it. [1]: https://github.com/balabit/syslog-ng/issues/2002 Gabor> 2. syslog-ng drops capabilities Gabor> Syslog-ng sets capabilities given with options --caps at startup. Gabor> I think the issue here is that some capabilities are hard-wired into Gabor> syslog-ng (as you have found calls of Gabor> g_process_cap_modify()). The capabilities set with `--caps` are the ones syslog-ng is allowed to obtain during its runtime. It will drop *all* capabilities first, and only take up selected ones when needed, to minimize the possible attack vectors. There may be cases where we try to pick up capabilities when we wouldn't need to (and that's a bug), or if we try to obtain too broad capabilities (also a bug), but dropping all capabilities and only picking up selected ones on demand is a consciously implemented feature. Unless we want to run with elevated capabilities all the time (which would be no different from running as root), we need to have a set of capabilites we can obtain and then drop, on demand. We may need to document the required capabilities and how the whole feature works, better. -- |8]