[syslog-ng] user-bound UDP socket
Bryan Henderson
bryanh at giraffe-data.com
Sun Feb 11 23:07:28 CET 2007
>I am somewhat reluctant to include such a patch, so you need external
>tools to actually set the fd up,
For me, the ability to use an external tool to create the socket is a
benefit, not a burden. I do it even where there is no privilege
separation issue, because I don't think individual servers should all
duplicate the same common functions; I want to rely on syslog-ng to
handle syslog and socketexec to handle setting up sockets.
>and it does not handle reloads.
Yes, it's broken that way. And thanks for pointing it out, because it
would have caused me grief. The fix looks simple enough, though: use
dup() to provide syslog-ng something to close while the user's socket
remains unmolested.
>I would rather use some kind of dynamic capability management. (e.g. a
>minimal set of syslog-ng would run as root, while the actual message
>processing would happen in a restricted part.
That would close the window of vulnerability substantially, but is
still in a different league from a program that you don't give
privileges to at all. And it adds to syslog-ng the complexity of
understanding the privilege system on whatever system it's running on.
Not all of them do the classic uid zero/nonzero thing. (I have some
that use Linux capabilities, and the program that execs syslog-ng
knows what to do with them).
--
Bryan Henderson San Jose, California
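The socket hand-off and the dup() reload fix discussed in this message, as an added example that is not code from the original post, from syslog-ng or from socketexec. A launcher binds the UDP socket while it still has the privilege to do so, then execs a less-privileged program with the fd inherited, announcing the fd number in a LISTEN_FD environment variable (an assumed convention, not a documented one). The receiving side works on a dup() of the inherited fd, so that when a reload closes its sources only the duplicate goes away and the original can be adopted again. The broken variant that closes the inherited fd directly is included for contrast. The LISTEN_FD name and the /bin/sh child used for the demonstration are assumptions of this example.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Launcher side (a stand-in for the socketexec role described in the post,
 * not that tool): bind the UDP socket before any exec or privilege drop.
 * Returns the bound fd, or -1 on error. */
int bind_udp_socket(const char *addr, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hand the bound fd to another program by exec. The child inherits the fd
 * (FD_CLOEXEC is cleared on it) and learns its number from LISTEN_FD, an
 * assumed convention; the environment is otherwise minimal on purpose.
 * Returns the child's exit status, or -1 on failure. */
int run_with_inherited_socket(int fd, const char *path, char *const argv[])
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || fcntl(fd, F_SETFD, flags & ~FD_CLOEXEC) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char fdvar[32];
        snprintf(fdvar, sizeof fdvar, "LISTEN_FD=%d", fd);
        char *const envp[] = { fdvar, "PATH=/usr/bin:/bin", NULL };
        execve(path, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Server side, the reload fix from the post: work on a dup() of the
 * inherited fd so that closing the source on reload releases only the
 * duplicate and the user's original socket stays open. */
int adopt_inherited_fd(int inherited_fd)
{
    return dup(inherited_fd);
}

/* One simulated reload cycle: adopt, close the source as a reload would,
 * adopt again. Returns 1 if the inherited fd survived, 0 otherwise. */
int reload_keeps_original(int inherited_fd)
{
    int working = adopt_inherited_fd(inherited_fd);
    if (working < 0)
        return 0;
    close(working);                      /* what a reload does to its sources */
    int again = adopt_inherited_fd(inherited_fd);
    if (again < 0)
        return 0;                        /* original gone: reload is broken */
    close(again);
    return fcntl(inherited_fd, F_GETFD) >= 0;
}

/* The behaviour the post calls broken: the server uses the inherited fd
 * itself, so the reload's close() destroys the only copy. Returns 1 if the
 * fd can still be reopened afterwards, which it cannot. */
int broken_reload_loses_original(int inherited_fd)
{
    close(inherited_fd);                 /* reload closes the source directly */
    int again = dup(inherited_fd);       /* EBADF: nothing left to adopt */
    if (again >= 0) {
        close(again);
        return 1;
    }
    return 0;
}

int main(void)
{
    int fd = bind_udp_socket("127.0.0.1", 0);   /* port 0: any free port */
    if (fd < 0) {
        perror("bind_udp_socket");
        return 1;
    }
    printf("reload keeps original fd: %s\n",
           reload_keeps_original(fd) ? "yes" : "no");
    char *const child[] = { "sh", "-c", "echo child inherited fd $LISTEN_FD", NULL };
    int rc = run_with_inherited_socket(fd, "/bin/sh", child);
    printf("child exit status: %d\n", rc);
    close(fd);
    return rc == 0 ? 0 : 1;
}
```

The execve with an explicit, minimal envp is deliberate: a launcher that passes privileged resources into an unprivileged program should not also pass along whatever environment it happened to inherit.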