[Bug 95] New: Missing capabilities support for unix-stream() source
https://bugzilla.balabit.com/show_bug.cgi?id=95

Summary: Missing capabilities support for unix-stream() source
Product: syslog-ng
Version: 3.0.x
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: unspecified
Component: syslog-ng
AssignedTo: bazsi@balabit.hu
ReportedBy: zbyniu@pld-linux.org
Type of the Report: ---
Estimated Hours: 0.0

Operations on unix-stream() sources need capabilities:
- CAP_CHOWN - needed if owner() or group() are in use
- CAP_FOWNER - to force chmod() for sockets with owner != root
- CAP_DAC_OVERRIDE - force changes if some parent dir has 000 perm, ie vservers

Attached patch fixes all these problems.

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.balabit.com/show_bug.cgi?id=95

--- Comment #1 from Zbigniew Krzystolik <zbyniu@pld-linux.org> 2010-09-29 15:31:29 ---
Created an attachment (id=23)
--> (https://bugzilla.balabit.com/attachment.cgi?id=23)
fix capabilities on unix-stream() source

https://bugzilla.balabit.com/show_bug.cgi?id=95

--- Comment #2 from Balazs Scheidler <bazsi@balabit.hu> 2010-09-30 10:43:49 ---
thanks for the patch. there are some problems with capability support though,
and our installers thus run syslog-ng with the --no-caps command line option.

For example, the owner()/group() options do not work for the file destinations.

/proc/kmsg cannot be read (although there was a related kernel change recently IIRC)

Could you please look into those as well? These would all be needed to run
syslog-ng in caps mode.

Thanks in advance, it'd really be appreciated.

https://bugzilla.balabit.com/show_bug.cgi?id=95

Zbigniew Krzystolik <zbyniu@pld-linux.org> changed:

What |Removed |Added
-----|--------|---------------------
CC   |        |zbyniu@pld-linux.org

--- Comment #3 from Zbigniew Krzystolik <zbyniu@pld-linux.org> 2010-10-05 13:54:57 ---
(In reply to comment #2)
> For example, the owner()/group() options do not work for the file destinations.

Ok, I think I can fix it.

> /proc/kmsg cannot be read (although there was a related kernel change recently IIRC)

Can you give me some example, link? On kernels 2.6.35 works fine.

https://bugzilla.balabit.com/show_bug.cgi?id=95

--- Comment #4 from Balazs Scheidler <bazsi@balabit.hu> 2010-10-15 21:02:27 ---
here's the ubuntu patch that I was talking about. it may have been integrated
to the upstream kernel already:

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/515623

This seems to have been integrated into upstream kernel as well:

Author: Kees Cook <kees.cook@canonical.com> 2010-02-04 00:36:43
Committer: James Morris <jmorris@namei.org> 2010-02-04 04:20:12
Parent: 0719aaf5ead7555b7b7a4a080ebf2826a871384e (selinux: allow MLS->non-MLS and vice versa upon policy reload)
Child: d78ca3cd733d8a2c3dcd88471beb1a15d973eed8 (syslog: use defined constants instead of raw numbers)
Branch: remotes/linus/master
Follows: v2.6.33-rc4
Precedes: v2.6.34-rc1

    syslog: distinguish between /proc/kmsg and syscalls

    This allows the LSM to distinguish between syslog functions originating
    from /proc/kmsg access and direct syscalls. By default, the commoncaps
    will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg
    file descriptor. For example the kernel syslog reader can now drop
    privileges after opening /proc/kmsg, instead of staying privileged with
    CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged
    behavior.

    Signed-off-by: Kees Cook <kees.cook@canonical.com>
    Acked-by: Serge Hallyn <serue@us.ibm.com>
    Acked-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: James Morris <jmorris@namei.org>

it seems to have been integrated into 2.6.34, so 2.6.35 definitely has the fix.

https://bugzilla.balabit.com/show_bug.cgi?id=95

Balazs Scheidler <bazsi@balabit.hu> changed:

What       |Removed |Added
-----------|--------|---------
Resolution |        |FIXED
Status     |NEW     |RESOLVED

--- Comment #5 from Balazs Scheidler <bazsi@balabit.hu> 2010-10-18 15:53:24 ---
I have integrated the patch that you provided here. Setting this bug to
RESOLVED.

anyone care to test?

https://bugzilla.balabit.com/show_bug.cgi?id=95

--- Comment #6 from Balazs Scheidler <bazsi@balabit.hu> 2010-10-18 15:56:30 ---
forgot to add, that I've integrated it to the 3.2 branch:

commit abce2bfa9c59b4290609056da590277c1a8e50f9
Author: Zbigniew Krzystolik <zbyniu@pld-linux.org>
Date: Mon Oct 18 15:51:49 2010 +0200

    fix capability operations on unix-stream() source

    - CAP_CHOWN - needed if owner() or group() are in use
    - CAP_FOWNER - to force chmod() for sockets with owner != root
      (yes, that enough to switch succession of chown and chmod but who cares)
    - CAP_DAC_OVERRIDE - force changes if parent dir has 000 perm, ie vservers

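Added example, not part of the bug thread and not syslog-ng code: a check that maps the three conditions listed in the report to capability names and tests them against the `CapPrm` mask in a process's `/proc/<pid>/status`. The function and parameter names are hypothetical, the status excerpts are constructed, and checking the permitted set assumes a daemon that raises capabilities only around the chown()/chmod() calls.

```python
# Bit numbers as defined in <linux/capability.h>.
CAP_BITS = {"CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3}

# Constructed /proc/<pid>/status excerpts (not captured from a real syslog-ng).
# 0x200404 has bits 2, 10 and 21 set; 0x20040f additionally has bits 0, 1 and 3.
STATUS_WITHOUT = """Name:\tsyslog-ng
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000000000200404
CapEff:\t0000000000200404
"""
STATUS_WITH = STATUS_WITHOUT.replace("200404", "20040f")


def required_caps(owner_or_group_set, socket_owner_is_root, parent_dirs_searchable):
    """Capabilities the report lists for a unix-stream() source.

    Parameter names are hypothetical; they restate the report's three cases.
    """
    needed = set()
    if owner_or_group_set:            # owner() or group() in use -> chown()
        needed.add("CAP_CHOWN")
    if not socket_owner_is_root:      # chmod() on a socket owned by another uid
        needed.add("CAP_FOWNER")
    if not parent_dirs_searchable:    # a parent directory with mode 000
        needed.add("CAP_DAC_OVERRIDE")
    return needed


def parse_cap_sets(status_text):
    """Return the Cap* hex masks of a /proc/<pid>/status text as integers."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
            sets[key] = int(value.strip(), 16)
    return sets


def missing_caps(status_text, needed, which="CapPrm"):
    """Sorted names from `needed` whose bit is clear in the chosen set."""
    mask = parse_cap_sets(status_text)[which]
    return sorted(n for n in needed if not ((mask >> CAP_BITS[n]) & 1))


if __name__ == "__main__":
    need = required_caps(True, False, False)
    print("missing before:", missing_caps(STATUS_WITHOUT, need))
    print("missing after: ", missing_caps(STATUS_WITH, need))
```

On a live host, pass the contents of `/proc/<pid>/status` for the running daemon instead of the constructed excerpts.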