Hello,

During 2.6.38 development CAP_SYSLOG has been introduced to perform syslog operations, older CAP_SYS_ADMIN is not sufficient anymore.

commit 38ef4c2e437d11b5922723504b62824e96761459
commit ce6ada35bdf710d16582cc4869c26722547e6f11

do_syslog now is as follows:

int do_syslog(int type, char __user *buf, int len, bool from_file)
{
[..]
	if (type == SYSLOG_ACTION_OPEN || !from_file) {
		if (dmesg_restrict && !capable(CAP_SYSLOG))
			goto warn; /* switch to return -EPERM after 2.6.39 */
		if ((type != SYSLOG_ACTION_READ_ALL &&
		     type != SYSLOG_ACTION_SIZE_BUFFER) &&
		    !capable(CAP_SYSLOG))
			goto warn; /* switch to return -EPERM after 2.6.39 */
	}
[..]

CAP_SYSLOG introduced to libcap in version 2.20.

#define CAP_SYSLOG 34

	Sergey
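
The check quoted in the message above, modelled in userspace together with a CapEff test, as an added example that is not part of the original post and is not kernel, libcap or either poster's code. The helper names and the sample status text (process name `logd`) are constructed; the SYSLOG_ACTION_* values and CAP_SYS_ADMIN = 21 follow the kernel's numbering, and CAP_SYSLOG = 34 is the value given in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel numbering for the syslog actions; CAP_SYSLOG = 34 is from the post. */
enum { SYSLOG_ACTION_OPEN = 1, SYSLOG_ACTION_READ = 2,
       SYSLOG_ACTION_READ_ALL = 3, SYSLOG_ACTION_SIZE_BUFFER = 10 };
enum { CAP_SYS_ADMIN = 21, CAP_SYSLOG = 34 };

/* Hypothetical model of the quoted check: true if this call hits capable(CAP_SYSLOG). */
static bool syslog_call_needs_cap(int type, bool from_file, bool dmesg_restrict)
{
    if (type == SYSLOG_ACTION_OPEN || !from_file) {
        if (dmesg_restrict)
            return true;
        if (type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER)
            return true;
    }
    return false;
}

/* Test one capability bit in a 64-bit mask such as CapEff. */
static bool mask_has_cap(uint64_t mask, int cap)
{
    return ((mask >> cap) & 1) != 0;
}

/* Extract the CapEff mask from /proc/<pid>/status text; 0 on success, -1 if absent. */
static int parse_capeff(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "\nCapEff:");
    unsigned long long v;
    if (!p || sscanf(p + 8, "%llx", &v) != 1)
        return -1;
    *mask = v;
    return 0;
}

int main(void)
{
    uint64_t eff = 0; /* constructed sample: only CAP_SYS_ADMIN (bit 21) kept */
    if (parse_capeff("Name:\tlogd\nCapEff:\t0000000000200000\n", &eff) != 0)
        return 1;
    printf("kmsg open needs CAP_SYSLOG=%d, held=%d, CAP_SYS_ADMIN held=%d\n",
           syslog_call_needs_cap(SYSLOG_ACTION_OPEN, true, false),
           mask_has_cap(eff, CAP_SYSLOG), mask_has_cap(eff, CAP_SYS_ADMIN));
    return 0;
}
```

A log daemon that drops everything except CAP_SYS_ADMIN shows bit 21 set and bit 34 clear in CapEff, which is the case that reaches the `goto warn` path when it opens /proc/kmsg.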

On Tue, 2011-02-01 at 18:34 +0200, Sergey Senozhatsky wrote:
> Hello,
>
> During 2.6.38 development CAP_SYSLOG has been introduced to perform syslog operations, older CAP_SYS_ADMIN is not sufficient anymore.

It's a known issue, but no suitable solution (that doesn't break in interesting ways under pressure) has been found yet.

Since CAP_SYSLOG breaks userspace, I'm hoping that this will be reverted before the 2.6.38 release. Though, looking at recent lkml traffic, I'll have to Cc a few more people regarding the issue.

--
|8]

On (02/01/11 18:20), Gergely Nagy wrote:
> On Tue, 2011-02-01 at 18:34 +0200, Sergey Senozhatsky wrote:
> > Hello,
> >
> > During 2.6.38 development CAP_SYSLOG has been introduced to perform syslog operations, older CAP_SYS_ADMIN is not sufficient anymore.
>
> It's a known issue, but no suitable solution (that doesn't break in interesting ways under pressure) has been found yet.

Sorry, wasn't subscribed.

> Since CAP_SYSLOG breaks userspace, I'm hoping that this will be reverted before the 2.6.38 release. Though, looking at recent lkml traffic, I'll have to Cc a few more people regarding the issue.

I'm afraid we should not count on it (commit revert).

	Sergey

On Tue, 2011-02-01 at 19:27 +0200, Sergey Senozhatsky wrote:
> On (02/01/11 18:20), Gergely Nagy wrote:
> > On Tue, 2011-02-01 at 18:34 +0200, Sergey Senozhatsky wrote:
> > > Hello,
> > >
> > > During 2.6.38 development CAP_SYSLOG has been introduced to perform syslog operations, older CAP_SYS_ADMIN is not sufficient anymore.
> >
> > It's a known issue, but no suitable solution (that doesn't break in interesting ways under pressure) has been found yet.
>
> Sorry, wasn't subscribed.

No worries, just wanted to let you know we're actively working on resolving the problem :)

--
|8]