[Bug 210] New: syslog-ng drops its capabilities before reading the config files
https://bugzilla.balabit.com/show_bug.cgi?id=210

Summary: syslog-ng drops its capabilities before reading the config files
Product: syslog-ng
Version: 3.3.x
Platform: All
OS/Version: All
Status: ASSIGNED
Severity: normal
Priority: unspecified
Component: syslog-ng
AssignedTo: algernon@balabit.hu
ReportedBy: algernon@balabit.hu
Type of the Report: ---
Estimated Hours: 0.0

When reading config files, syslog-ng should be running with full capabilities (or at least enough to read root owned 0600 files), whether that happens during initial startup or on reload.

(Via Yorick Peterse)

--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.balabit.com/show_bug.cgi?id=210

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed   |Added
----------------------------------------------------------------------------
Target Milestone |---       |3.3.7

https://bugzilla.balabit.com/show_bug.cgi?id=210

Gergely Nagy <algernon@balabit.hu> changed:

What             |Removed   |Added
----------------------------------------------------------------------------
Resolution       |          |INVALID
Status           |ASSIGNED  |RESOLVED

--- Comment #1 from Gergely Nagy <algernon@balabit.hu> 2012-10-27 15:27:42 ---

Right. I have a fix for this, but I'm not sure that we want it.

What happens now, is that syslog-ng drops a lot of capabilities as soon as it starts, and that is good - the less privileges, the better. However, this means that root no longer bypasses the file/directory owner checks: if something is not readable by either root's uid/gid, or by other, syslog-ng won't be able to read it.

While this behaviour is kind of surprising, it does prevent ordinary users being able to mess with the syslog-ng configuration, and that is a good thing.

We can easily make syslog-ng grab CAP_DAC_READ_SEARCH when reading its config file, but that kills this safety belt, and that's not something I'm comfortable with.

However, there's a workaround that allows us to work around the limitation: run syslog-ng either with capabilities disabled, or with

    --caps="cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override,cap_chown,cap_fowner=p cap_dac_read_search,cap_syslog=ep"

(For some older kernels, you'll want cap_sys_admin=ep instead of cap_syslog=ep)

Therefore, I'm marking this as resolved, because the current way - now that #209 is fixed, and the problem can be debugged - is the desired default operation, but there are possibilities to change the behaviour.
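
An added example, not part of the bug mail or of syslog-ng's code: a small audit helper that parses a --caps value such as the one in comment #1 and predicts whether a process with that effective set can read a given config file. It assumes plain mode bits without POSIX ACLs; the function names, the NO_DAC_CAPS string and the sample owner/mode values are constructed for illustration.

```python
import stat

# The --caps value quoted in comment #1 of this bug.
CAPS_FROM_BUG = ("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
                 "cap_dac_override,cap_chown,cap_fowner=p "
                 "cap_dac_read_search,cap_syslog=ep")
# Constructed comparison value: no DAC-bypassing capability is effective.
NO_DAC_CAPS = "cap_net_bind_service=p cap_syslog=ep"

DAC_READ_BYPASS = {"cap_dac_override", "cap_dac_read_search"}


def effective_caps(text):
    """Effective set of a cap_from_text(3) style string.

    Handles only the "name,name=flags" clauses that appear on this page."""
    effective = set()
    for clause in text.split():
        names, _, flags = clause.partition("=")
        for name in names.split(","):
            # "=" resets the named capability, then raises the listed flags.
            effective.discard(name)
            if "e" in flags:
                effective.add(name)
    return effective


def can_read(mode, owner, group, uid, gids, caps):
    """Read-permission decision for a regular file (mode bits only, no ACLs)."""
    # Exactly one permission class applies: owner, else group, else other.
    if uid == owner:
        allowed = mode & stat.S_IRUSR
    elif group in gids:
        allowed = mode & stat.S_IRGRP
    else:
        allowed = mode & stat.S_IROTH
    # A capability bypasses the mode bits only if it is in the effective set;
    # cap_dac_override above is permitted-only (=p), so it does not count.
    return bool(allowed) or bool(caps & DAC_READ_BYPASS)


if __name__ == "__main__":
    # Constructed case: config file owned by uid/gid 1000, mode 0600, read as root.
    for label, caps in (("no DAC caps", NO_DAC_CAPS), ("--caps from bug", CAPS_FROM_BUG)):
        ok = can_read(0o600, 1000, 1000, 0, {0}, effective_caps(caps))
        print(f"{label}: uid 0 reading 1000:1000 0600 -> {'ok' if ok else 'EACCES'}")
```
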