[Bug 31] New: sources are opened after dropping capabilities which prevents opening some
https://bugzilla.balabit.com/show_bug.cgi?id=31

           Summary: sources are opened after dropping capabilities which prevents opening some
           Product: syslog-ng
           Version: 3.0.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi@balabit.hu
        ReportedBy: arekm@maven.pl
Type of the Report: regression
   Estimated Hours: 0.0

mkdir /test/
mkfifo /test/fifo
chmod 0 /test

and use pipe('/test/fifo') as source. syslog-ng 3.0.1 will fail with permission denied because it can't access /test/fifo due to dropped capabilities.

This is a real example from a Linux Vserver based system where /vservers always has 0 permission.

The solution would probably be to not drop some caps until sources are opened.

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.balabit.com/show_bug.cgi?id=31

Balazs Scheidler <bazsi@balabit.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Balazs Scheidler <bazsi@balabit.hu> 2009-02-03 15:41:40 ---
(In reply to comment #0)
> mkdir /test/
> mkfifo /test/fifo
> chmod 0 /test
>
> and use pipe('/test/fifo') as source. syslog-ng 3.0.1 will fail with permission denied because it can't access /test/fifo due to dropped capabilities.
>
> This is a real example from a Linux Vserver based system where /vservers always has 0 permission.
>
> The solution would probably be to not drop some caps until sources are opened.

But then the same thing would happen once syslog-ng gets SIGHUP-ed. You can granularly control which capabilities are dropped, and you can also disable capability dropping altogether:

    syslog-ng --help-all
    ...
      -C, --caps=<capspec>       Set default capability set
      -N, --no-caps              Disable managing Linux capabilities
    ...

https://bugzilla.balabit.com/show_bug.cgi?id=31

--- Comment #2 from Arkadiusz Miśkiewicz <arekm@maven.pl> 2009-02-03 15:56:28 ---
I would like these caps to be dropped but after opening sources. No need for them to be active after opening sources, right? (well, for reopening maybe)

https://bugzilla.balabit.com/show_bug.cgi?id=31

--- Comment #3 from Balazs Scheidler <bazsi@balabit.hu> 2009-02-03 16:38:26 ---
(In reply to comment #2)
> I would like these caps to be dropped but after opening sources. No need for them to be active after opening sources, right? (well, for reopening maybe)

When syslog-ng receives a SIGHUP it reopens most of its input files. E.g. after /etc/init.d/syslog-ng reload the new configuration would not become effective.
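
A way to check the condition this thread turns on, as an added example that is not part of the bug report or of syslog-ng's code: decode the capability masks in /proc/<pid>/status of the running daemon and see whether it still holds a capability that bypasses directory permission checks. That CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are the relevant capabilities is an assumption taken from capabilities(7), not from the thread, and the sample status texts are constructed.

```python
import sys

# Bit numbers from <linux/capability.h>; only the ones used in this example.
CAP_BITS = {
    "CAP_DAC_OVERRIDE": 1,
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_SYS_ADMIN": 21,
}
# Assumption (capabilities(7), not the thread): either one bypasses the
# search-permission check on a directory such as the mode-0 /test.
DAC_BYPASS = {"CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"}

# Constructed samples in the format of /proc/<pid>/status.
SAMPLE_ROOT = "Name:\tdaemon\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
SAMPLE_RAISABLE = "Name:\tdaemon\nCapPrm:\t0000000000000406\nCapEff:\t0000000000000400\n"
SAMPLE_DROPPED = "Name:\tdaemon\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"


def parse_cap_sets(status_text):
    """Return the Cap* lines of a status file as {name: integer bitmask}."""
    sets = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            sets[key] = int(value.strip(), 16)
    return sets


def cap_names(mask):
    """Names from CAP_BITS whose bit is set in mask."""
    return {name for name, bit in CAP_BITS.items() if mask & (1 << bit)}


def dac_bypass_state(status_text):
    """'effective': paths under a mode-0 directory can be opened right now.
    'permitted': not right now, but the process may raise the capability again.
    'dropped': gone from the permitted set, so a reopen under such a directory is denied."""
    sets = parse_cap_sets(status_text)
    if cap_names(sets.get("CapEff", 0)) & DAC_BYPASS:
        return "effective"
    if cap_names(sets.get("CapPrm", 0)) & DAC_BYPASS:
        return "permitted"
    return "dropped"


if __name__ == "__main__":
    # Usage: python3 capcheck.py <pid>   (defaults to this process)
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as fh:
        print(pid, dac_bypass_state(fh.read()))
```

A daemon that reports "dropped" after startup can keep reading sources it already has open, but a reopen of a path under a 0-permission directory will fail, which is the SIGHUP case raised in comments #1 and #3.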