[syslog-ng] [Bug 108] 2.6.38+ will require CAP_SYSLOG (CAP_SYS_ADMIN not enough)

Gergely Nagy algernon at balabit.hu
Wed Jan 19 18:57:15 CET 2011


On Wed, 2011-01-19 at 09:35 -0800, Matthew Hall wrote:
> On Wed, Jan 19, 2011 at 06:17:40PM +0100, bugzilla at bugzilla.balabit.com wrote:
> > --- Comment #1 from Arkadiusz Miśkiewicz <arekm at maven.pl>  2011-01-19 18:17:40 ---
> > Solution used in PLD/Linux:
> > http://cvs.pld-linux.org/cgi-bin/cvsweb/packages/syslog-ng/cap_syslog.patch
> 
> +	sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
> +	kernel_version = LINUX_VERSION(x, y, z);
> 
> That patch is not resilient in format changes in the string.
> 
> If I take stuff out or add weird stuff then *.scanf functions will corrupt the stack.
> 
> It would be better to use a regex with capture groups and check for the right count of them, then pass that to the version macro.

I'd suggest another approach (though, I've yet to figure out if it is
possible): try to detect whether CAP_SYSLOG is supported, and use it
over CAP_SYS_ADMIN if it is, then fall back to CAP_SYS_ADMIN.

This would have the advantage of not requiring kernel version sniffing,
which can be misleading.

My guess would be that if cap_set_proc() fails with CAP_SYSLOG set, then
we can fall back to CAP_SYS_ADMIN. But like I said, this is unverified,
untested, and so on.

I just don't trust version sniffing in any shape or form.

-- 
|8]




More information about the syslog-ng mailing list