[syslog-ng] [PATCH RFC] Use cap_syslog when it is available
Gergely Nagy
algernon at balabit.hu
Mon Apr 18 16:28:19 CEST 2011
Serge Hallyn <serge.hallyn at ubuntu.com> writes:
> +void
> +g_process_setup_caps(void)
> +{
> +#ifdef CAP_SYSLOG
> + gchar * capsstr = "cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
> + "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
> + "cap_syslog,cap_sys_admin=ep";
> +#else
> + gchar * capsstr = "cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
> + "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
> + "cap_sys_admin=ep";
> +#endif
> +
> + g_process_set_caps(capsstr);
> +}
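Review bot: the `#ifdef CAP_SYSLOG` at the top of the hunk decides at compile time, from the build host's headers, whether "cap_syslog" is put into the string, but that string is only parsed when the binary runs, by whatever libcap and kernel are installed there; a build done where CAP_SYSLOG is defined therefore hands an unrecognised capability name to an older runtime and the daemon cannot set up its capability set at all. Prefer choosing the string at run time: try the `"cap_syslog,cap_sys_admin=ep"` variant first and, if applying it fails, fall back to the `"cap_sys_admin=ep"`-only string, which keeps exactly the rights the pre-patch code requested. Two smaller points: `gchar * capsstr` points at a string literal, so declare it `const gchar *capsstr`; and both literals repeat the whole permitted set, so factoring the shared `"cap_net_bind_service,...,cap_fowner=p "` prefix out would leave only the effective part differing between the two branches.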
I seem to remember having tried something similar in the past, and
deciding against it... as far as I remember, the issue was that if
compiled with a libcap that supports CAP_SYSLOG, the binary would still
be runnable on a system with an old libcap, which then wouldn't
recognise cap_syslog and syslog-ng would refuse to start.
I'm not 100% certain, as it was a while ago that I was working on this
case, so please correct me if I'm wrong.
(Yes, I do understand that this is a non-issue for most people, and it
certainly is no problem for distributions)
--
|8]