[syslog-ng] [Bug 42] capabilities, chown, chmod

bugzilla at bugzilla.balabit.com
Tue May 5 15:14:55 CEST 2009


https://bugzilla.balabit.com/show_bug.cgi?id=42


Zbigniew Krzystolik <zbyniu at pld-linux.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |




--- Comment #4 from Zbigniew Krzystolik <zbyniu at pld-linux.org>  2009-05-05 15:14:55 ---
(In reply to comment #2)
> (In reply to comment #0)
> > Let's take a look at syslog-ng-3.0.1/src/affile.c lines 60-83
> >
> > 1. CAP_SYS_ADMIN is needed only for /proc/kmsg, it is added w/o check
> > 2. CAP_DAC_READ_SEARCH should be added only if open fails with errno 13
> > 2a. CAP_DAC_OVERRIDE should be added only if open fails with errno 13 and with CAP_DAC_READ_SEARCH set
>
> well, I wouldn't want to complicate enabling those capabilities too much.
> Currently those capabilities are only enabled for /proc/kmsg and nothing else.
> (see the check for AFFILE_PRIVILEGED in affile_sd_new)

Ok, agreed, maybe it's better to keep it simple. But CAP_SYS_ADMIN is enabled always (in src/main.c).

> > 3. fchown needs CAP_CHOWN unconditionally
> > 4. fchmod needs CAP_FOWNER if file owner != euid (root here)
> 
> I didn't know those. If these are needed for fchown/fchmod, do I need 
> CAP_DAC_OVERRIDE at all? I was enabling DAC_OVERRIDE to be able to 
> change owner/mode information, but as it seems that is not needed, right?

Yes, it is needed to write to a log file without permissions, i.e. owner(bla) group(ble) perm(0660). And to create dirs if the
parent has no perm, too.

> > 5. all caps should be restored
> 
> this was done:
> 
>   if (privileged)
>     {
>       g_process_cap_restore(saved_caps);
>     }

Ah, it should simply be restored without this condition.

> > summary:
> > - CAP_SYS_ADMIN and CAP_DAC_OVERRIDE are set always even if unnecessary, and permanently
>
> no, this is not true.

It is. Run getpcaps `pidof syslog-ng`

> this should be fixed by this patch:
[...]

Yes, but now it has CAP_CHOWN and CAP_FOWNER permanently (run getpcaps).


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
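
The `getpcaps` check suggested in the comment above, as an added example (not syslog-ng code and not part of the original message): it decodes `CapEff` from the text of `/proc/<pid>/status` and lists which of the capabilities named in the thread are currently effective. `SAMPLE_STATUS` is constructed input, and the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bit numbers from <linux/capability.h> for the capabilities named in the thread. */
static const struct { int bit; const char *name; } WATCHED[] = {
    { 0, "CAP_CHOWN" }, { 1, "CAP_DAC_OVERRIDE" }, { 2, "CAP_DAC_READ_SEARCH" },
    { 3, "CAP_FOWNER" }, { 21, "CAP_SYS_ADMIN" } };
/* Constructed sample, not real output: CapEff 0x20000b has bits 0, 1, 3 and 21 set. */
const char SAMPLE_STATUS[] = "Name:\tsyslog-ng\nCapPrm:\t000000000020000f\n"
                             "CapEff:\t000000000020000b\n";

/* Find "<field>:\t<hex>" in /proc/<pid>/status text; 0 on success, -1 if absent. */
int parse_cap_field(const char *status, const char *field, unsigned long long *mask)
{
    char key[32], *end;
    int klen = snprintf(key, sizeof key, "\n%s:", field);
    const char *p = strstr(status, key);           /* field starts a later line */
    if (p) p += klen;
    else if (!strncmp(status, key + 1, klen - 1)) p = status + klen - 1; /* first line */
    else return -1;
    *mask = strtoull(p, &end, 16);
    return end == p ? -1 : 0;
}

/* List watched capabilities in the effective set; returns the count, -1 on error. */
int effective_watched(const char *status, char *out, size_t outlen)
{
    unsigned long long eff;
    int n = 0;
    if (!outlen || parse_cap_field(status, "CapEff", &eff) != 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof WATCHED / sizeof WATCHED[0]; i++) {
        if (!(eff & (1ULL << WATCHED[i].bit))) continue;
        if (n++) strncat(out, ",", outlen - strlen(out) - 1);
        strncat(out, WATCHED[i].name, outlen - strlen(out) - 1);
    }
    return n;
}

int main(int argc, char **argv)
{
    char path[64], buf[8192], names[128] = "";
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    int n = effective_watched(buf, names, sizeof names);
    printf("%s: %d watched capabilities effective [%s]\n", path, n, names);
    return n != 0;
}
```

Run it with the daemon's PID as the argument. A process that raises these capabilities only around the privileged call and restores them afterwards reports none while idle.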

