[syslog-ng] [Bug 108] 2.6.38+ will require CAP_SYSLOG (CAP_SYS_ADMIN not enough)

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Fri Jul 8 12:36:31 CEST 2011


https://bugzilla.balabit.com/show_bug.cgi?id=108

--- Comment #24 from Gergely Nagy <algernon at balabit.hu>  2011-07-08 12:36:31 ---
(In reply to comment #23)
> (In reply to comment #22)
> > (In reply to comment #21)
> > > Created an attachment (id=39)
> > >  --> (https://bugzilla.balabit.com/attachment.cgi?id=39)
> > > Fix backported to 3.2.
> > 
> > ---[snip]---
> > 
> > > I backported it to 3.2, the (untested) patch is attached. It is also available from the bz/108/cap_syslog branch of my syslog-ng 3.2 git repo:
> > > http://git.balabit.hu/?p=algernon/syslog-ng-3.2.git;a=shortlog;h=bz/108/cap_syslog
> > > 
> > 
> > Gergely,
> > 
> > The above syslog-ng 3.2 patch still has problems.  In Fedora 15 systems the daemon fails to restart
> > (RPM upgrade) and manually starting it produces the following error:
> > --------
> > syslog-ng: Error parsing capabilities: cap_net_bind_service,cap_net_broadcast,cap_net_raw,\
> > cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p cap_syslog=ep
> > --------
> >

There's something broken on Fedora, I believe. Including <sys/capability.h> results in CAP_SYSLOG being defined, the kernel knows it too, so
g_process_check_cap_syslog() will return TRUE, and we assume that libcap knows about the capability as well (since sys/capability.h belongs to libcap-devel).

But it doesn't. Fedora seems to have libcap 2.17, while CAP_SYSLOG was introduced in 2.20. And there's a discrepancy between the headers (which suggest
CAP_SYSLOG is supported) and libcap. I can modify the patch to fall back to cap_sys_admin=ep in case libcap does not support cap_syslog, but then we'd get the
kernel warning again.

The proper course of action would be to fix Fedora: either by upgrading libcap, or fixing the headers to not define CAP_SYSLOG (but then we're back to kernel
warnings...).

In any case, in an up-to-date environment, where both the kernel and libcap support cap_syslog, my backport works. But if libcap doesn't support it, there's
nothing syslog-ng can do.

To reiterate: the patch can handle the case where syslog-ng is compiled against a libcap that has cap_syslog, and run on a kernel that doesn't, it can properly
fall back to cap_sys_admin if libcap doesn't support it (and it doesn't lie), even if the kernel does. But it can't possibly handle the case where
sys/capability.h tells us it's supported, the kernel knows about it, but the libcap library doesn't.


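A diagnostic for the three-way mismatch described in the comment above, added here as an example and not code from syslog-ng: it checks the kernel through /proc/sys/kernel/cap_last_cap, asks the installed libcap through cap_from_name() whether it can parse a name, and applies the cap_sys_admin fallback when libcap is the odd one out. The spec string is the one from the Fedora 15 error message; the CAP_SYSLOG value stands in for the header check, and the function names are this example's own.

```python
import ctypes
import ctypes.util
import re

# CAP_SYSLOG's number in linux/capability.h (kernel 2.6.38+)
CAP_SYSLOG = 34

# The capability spec from the Fedora 15 error message above
FEDORA_SPEC = ("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
               "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
               "cap_syslog=ep")

def kernel_knows_cap_syslog(path="/proc/sys/kernel/cap_last_cap"):
    """True if the running kernel's highest capability number covers CAP_SYSLOG."""
    try:
        with open(path) as f:
            return int(f.read().strip()) >= CAP_SYSLOG
    except (OSError, ValueError):
        return False  # no cap_last_cap: older kernel, assume unsupported

def libcap_knows(name):
    """Ask the installed libcap (cap_from_name) whether it can parse a capability name."""
    path = ctypes.util.find_library("cap")
    if path is None:
        return False
    try:
        libcap = ctypes.CDLL(path)
    except OSError:
        return False
    value = ctypes.c_int()
    return libcap.cap_from_name(name.encode(), ctypes.byref(value)) == 0

def spec_names(spec):
    """Capability names in a libcap text spec such as 'cap_a,cap_b=p cap_c=ep'."""
    return [n for clause in spec.split() for n in clause.split("=", 1)[0].split(",")]

def unknown_names(spec, name_known):
    """Names libcap would reject, i.e. what produces 'Error parsing capabilities'."""
    return [n for n in spec_names(spec) if not name_known(n)]

def choose_spec(spec, name_known, kernel_has_syslog):
    """Return (spec to request, kernel_warning_expected).

    When libcap does not know cap_syslog, substitute cap_sys_admin so the spec
    parses; on a 2.6.38+ kernel that fallback still draws the kernel warning
    the bug is about, which the second return value flags."""
    if "cap_syslog" in unknown_names(spec, name_known):
        return re.sub(r"\bcap_syslog\b", "cap_sys_admin", spec), kernel_has_syslog
    return spec, False
```

Calling `choose_spec(FEDORA_SPEC, libcap_knows, kernel_knows_cap_syslog())` on a live system reports which of the three parties disagrees.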