[syslog-ng] [Bug 108] 2.6.38+ will require CAP_SYSLOG (CAP_SYS_ADMIN not enough)

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Sat Sep 10 20:13:44 CEST 2011


https://bugzilla.balabit.com/show_bug.cgi?id=108





--- Comment #32 from Gergely Nagy <algernon at balabit.hu>  2011-09-10 20:13:44 ---
> We finally managed to get libcap updated to version 2.22 in Fedora 15 (actually for every Fedora version >= 14)
> but I'm still seeing the same problem that I reported in comment #22.
> 
> Could you give it another look?

Sorry for the long response time, I only just managed to get back to this issue. I'm now running a 3.0.0 kernel, with CAP_SYSLOG and all that, and I can't reproduce the problem. If I downgrade my kernel, that's still detected correctly, and syslog-ng falls back to CAP_SYS_ADMIN.

I'll see if I can try again on a Fedora system sometime soon, but can't promise anything, I'm afraid.

(In reply to comment #31)
> One small note.
> 
> ret = prctl(PR_CAPBSET_READ, CAP_SYSLOG);
> 
> approach for detection will fail on a vserver-patched kernel. The vserver patch (for 2.6.35, as an example) used
> the same capability number as CAP_SYSLOG uses now, thus the test above will think
> CAP_SYSLOG is available while in reality some vserver CAP was tested.
> 
> PLD uses this additional patch as workaround:
> http://cvs.pld-linux.org/cgi-bin/cvsweb/packages/syslog-ng/cap_syslog-vserver-workaround.patch?rev=1.1

Version sniffing is something I hate, with a passion. I'd rather teach the init script (if possible) to detect vserver, and either disable capabilities, or override the caps on the command line. I'm not quite sure if that'd work, but I'd rather make capability overrides from the command line work properly than use version sniffing.

One issue with version sniffing is that if the kernel begins to use a two-part version (which, as far as I understand, is still something they want to do), the parsing will fail, and syslog-ng will end up trying to use CAP_SYS_ADMIN and trigger the kernel warning.


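The two failure modes discussed in this comment, as an added example that is not part of the original message and is not syslog-ng or PLD code: the prctl(PR_CAPBSET_READ, CAP_SYSLOG) probe cross-checked against a release parser that accepts two-part versions. The function names are hypothetical, and the 2.6.38 threshold is taken from the bug title.

```c
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/utsname.h>
#include <linux/capability.h>

#ifndef CAP_SYSLOG
#define CAP_SYSLOG 34   /* number assigned in linux/capability.h; absent from older headers */
#endif

/* Parse "2.6.35-vs2.3", "3.0.0" or a two-part "3.0"; missing parts count as 0.
 * Returns 0 on success, -1 when not even a major number can be read. */
static int parse_release(const char *rel, int v[3])
{
    v[0] = v[1] = v[2] = 0;
    return sscanf(rel, "%d.%d.%d", &v[0], &v[1], &v[2]) >= 1 ? 0 : -1;
}

/* 1 if the release is 2.6.38 or later (threshold assumed from the bug title),
 * 0 if older, -1 if the string cannot be parsed. */
static int release_has_cap_syslog(const char *rel)
{
    int v[3];
    if (parse_release(rel, v) < 0) return -1;
    if (v[0] != 2) return v[0] > 2;
    if (v[1] != 6) return v[1] > 6;
    return v[2] >= 38;
}

/* probe is the return value of prctl(PR_CAPBSET_READ, CAP_SYSLOG):
 * -1 means the kernel rejected capability number 34 as unknown. */
static int choose_syslog_cap(int probe, const char *release)
{
    int by_version = release_has_cap_syslog(release);
    if (probe == -1) return CAP_SYS_ADMIN;     /* number unknown to the kernel */
    if (by_version == -1) return CAP_SYSLOG;   /* unparseable release: trust the probe */
    /* Probe succeeded on an old release: the number belongs to something
     * else (the vserver case from comment #31), so fall back. */
    return by_version ? CAP_SYSLOG : CAP_SYS_ADMIN;
}

int main(void)
{
    struct utsname u;
    int probe = prctl(PR_CAPBSET_READ, CAP_SYSLOG, 0, 0, 0);
    if (uname(&u) != 0) return 1;
    printf("%s -> capability %d\n", u.release, choose_syslog_cap(probe, u.release));
    return 0;
}
```

An unparseable release string defers to the probe instead of silently selecting CAP_SYS_ADMIN, which is the outcome the comment warns would trigger the kernel warning.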