[syslog-ng]Syslog-NG security user permissions.

Russo, Ben Ben.Russo@tnsi.com
Thu, 27 Jun 2002 09:00:14 -0400

With the recent brewhaha about SSH I can't help but wonder about other
daemons running on my boxes that don't have privelage separation.

Is it possible to give Syslog-ng a command line option (like named or ntpd)?
So that after Syslog-ng binds to the network socket (with root privs) then
it sets it's UID to something other than root?

I realize that many of the options in syslog-ng might be more complex if
this were done.  I can think of many permissions and output file name and
directory macros whose code would have to be modified if syslog-ng were to
properly run as a regular user instead of ROOT and be able to properly
handle error messages and such for permissions and directories and

However, it is inevitable with the facts that Syslog-NG is a network Daemon,
that receives input and has macros based on that input to write to files,
that a remote vulnerability in Syslog-NG will become known....  If Syslog-NG
is running as a non-root UID then this is not a problem, (other than a big