[syslog-ng] [Bug 42] capabilities, chown, chmod
bugzilla at bugzilla.balabit.com
bugzilla at bugzilla.balabit.com
Tue May 5 15:14:55 CEST 2009
https://bugzilla.balabit.com/show_bug.cgi?id=42
Zbigniew Krzystolik <zbyniu at pld-linux.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|FIXED |
--- Comment #4 from Zbigniew Krzystolik <zbyniu at pld-linux.org> 2009-05-05 15:14:55 ---
(In reply to comment #2)
> (In reply to comment #0)
> > Let's take a look at syslog-ng-3.0.1/src/affile.c lines 60-83
> >
> > 1. CAP_SYS_ADMIN is needed only for /proc/kmsg, it is added w/o check
> > 2. CAP_DAC_READ_SEARCH should be added only if open fail with errno 13
> > 2a. CAP_DAC_OVERRIDE should be added only if open fail with errno 13 and with CAP_DAC_READ_SEARCH set
>
> well, I wouldn't want to complicate enabling those capabilities too much.
> Currently those capabilities are only enabled for /proc/kmsg and nothing else.
> (see the check for AFFILE_PRIVILEGED in affile_sd_new)
Ok, agreed, maybe it's better to keep it simple. But CAP_SYS_ADMIN is enabled always (in src/main.c).
> > 3. fchown needs CAP_CHOWN unconditionaly
> > 4. fchmod needs CAP_FOWNER if file owner != euid (root here)
>
> I didn't know those. If these are needed for fchown/fchmod, do I need
> CAP_DAC_OVERRIDE at all? I was enabling DAC_OVERRIDE to be able to
> change owner/mode information, but as it seems that is not needed, right?
Yes, it is needed to write in log file w/o permissions ie owner(bla) group(ble) perm(0660). And for create dirs if
parent has no perm too.
> > 5. all caps should be restored
>
> this was done:
>
> if (privileged)
> {
> g_process_cap_restore(saved_caps);
> }
Ah, it simply sholud be restored without this condition.
> > summary:
> > - CAP_SYS_ADMIN and CAP_DAC_OVERRIDE are set always even if unnecessary, and permanently
>
> no, this is not true.
It is. Run getpcaps `pidof syslog-ng`
> this should be fixed by this patch:
[...]
Yes, but now have CAP_CHOWN and CAP_FOWNER permanently (run getpcaps).
--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
More information about the syslog-ng
mailing list