[syslog-ng] [PATCH] Use CAP_SYSLOG instead of CAP_SYS_ADMIN, if available.
Balazs Scheidler
bazsi at balabit.hu
Thu May 12 13:14:40 CEST 2011
On Sun, 2011-05-08 at 12:26 +0200, Gergely Nagy wrote:
> If cap_syslog exists, the kernel will complain (once) that we only
> have cap_sys_admin. Additionally, using cap_syslog instead of
> cap_sys_admin significantly lowers the unneeded privs we are
> using.
>
> Upon startup, syslog-ng will detect whether CAP_SYSLOG is available,
> and use capabilities based on that finding. This detection will also
> have a side-effect, which will make it so that
> g_process_cap_modify(CAP_SYSLOG) will fall back to CAP_SYS_ADMIN, if
> CAP_SYSLOG support was not detected.
>
> Thanks to Andrew Morgan for pointing out a nice way to detect whether
> the kernel has CAP_SYSLOG. Original code by Serge Hallyn, with minor
> changes based on Balazs Scheidler's review by Gergely Nagy.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> Signed-off-by: Gergely Nagy <algernon at balabit.hu>
> ---
Applied with cosmetic changes (moved the function into the
ENABLE_LINUX_CAPS block, the invocation of setup_caps() was changed a
bit, so setup_caps() will call g_process_have_cap_syslog() on its own).
Thanks
--
Bazsi
More information about the syslog-ng
mailing list