[syslog-ng] [Bug 210] syslog-ng drops its capabilities before reading the config files

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Sat Oct 27 15:27:41 CEST 2012


Gergely Nagy <algernon at balabit.hu> changed:

           What    |Removed                     |Added
         Resolution|                            |INVALID
             Status|ASSIGNED                    |RESOLVED

--- Comment #1 from Gergely Nagy <algernon at balabit.hu>  2012-10-27 15:27:42 ---
Right. I have a fix for this, but I'm not sure that we want it.

What happens now is that syslog-ng drops a lot of capabilities as soon as it starts, and that is good - the less privileges, the better. However, this means
that root no longer bypasses the file/directory owner checks: if something is not readable by either root's uid/gid, or by other, syslog-ng won't be able to
read it. While this behaviour is kind of surprising, it does prevent ordinary users from being able to mess with the syslog-ng configuration, and that is a good

We can easily make syslog-ng grab CAP_DAC_READ_SEARCH when reading its config file, but that kills this safety belt, and that's not something I'm comfortable

However, there's a workaround that allows us to work around the limitation: run syslog-ng either with capabilities disabled, or with
--caps="cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override,cap_chown,cap_fowner=p cap_dac_read_search,cap_syslog=ep"

(For some older kernels, you'll want cap_sys_admin=ep instead of cap_syslog=ep)

Therefore, I'm marking this as resolved, because the current way - now that #209 is fixed, and the problem can be debugged - is the desired default operation,
but there are possibilities to change the behaviour.
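The following is an added example, not code from the bug report, from syslog-ng or from libcap. It interprets the textual capability format that libcap's cap_from_text(3) accepts (the format syslog-ng's --caps option takes, as in the workaround string above) and then simulates the Linux DAC read check the comment describes, so you can see why a uid-0 syslog-ng whose effective set lacks cap_dac_override and cap_dac_read_search cannot open a config file that is mode 0600 and owned by another user, while the workaround set can. The parser follows the rules of cap_from_text(3) as I know them (whitespace-separated clauses, comma-separated capability names, one operator '=', '+' or '-', then the flag letters e/p/i); the empty-list and "all" shorthands and multi-operator clauses are deliberately rejected. The string NO_DAC_BYPASS is a constructed illustration of a set with no DAC-bypass capability effective, not syslog-ng's actual default, and the read check is a simplification of the kernel's generic_permission() for MAY_READ on regular files.

```python
"""Added example (not syslog-ng's or libcap's code): interpret a libcap-style
capability string and simulate the Linux DAC read check for a regular file.
"""
from dataclasses import dataclass

FLAG_LETTERS = frozenset("epi")   # e = effective, p = permitted, i = inheritable

# The workaround string from the bug comment.
WORKAROUND_CAPS = ("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
                   "cap_dac_override,cap_chown,cap_fowner=p "
                   "cap_dac_read_search,cap_syslog=ep")
# Constructed illustration (NOT syslog-ng's real default): nothing effective
# that would let the process bypass file mode bits.
NO_DAC_BYPASS = "cap_syslog=ep"


def parse_caps(text):
    """Map each named capability to the set of flag letters it ends up with.

    Clauses are applied left to right, as cap_from_text(3) does:
      '=' sets the named caps to exactly the listed flags,
      '+' raises the listed flags, '-' lowers them.
    """
    caps = {}
    for clause in text.split():
        pos = next((i for i, ch in enumerate(clause) if ch in "=+-"), None)
        if pos is None:
            raise ValueError(f"clause has no operator: {clause!r}")
        names, op, flags = clause[:pos], clause[pos], clause[pos + 1:]
        # Empty name list ('=ep' meaning all caps) and multi-operator clauses
        # such as 'cap_x=p+e' are not supported by this small interpreter.
        if not names or not set(flags) <= FLAG_LETTERS:
            raise ValueError(f"unsupported clause: {clause!r}")
        for name in names.lower().split(","):
            if not name:
                raise ValueError(f"empty capability name in {clause!r}")
            current = caps.setdefault(name, set())
            if op == "=":
                caps[name] = set(flags)
            elif op == "+":
                current |= set(flags)
            else:
                current -= set(flags)
    return caps


def effective_caps(text):
    """Names of the capabilities that are effective under the given string."""
    return frozenset(n for n, f in parse_caps(text).items() if "e" in f)


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset          # all group ids of the process
    effective: frozenset     # effective capability names, lower case


def dac_read_allowed(proc, file_uid, file_gid, mode):
    """Simplified generic_permission() for MAY_READ on a regular file.

    uid 0 by itself grants nothing here: root only bypasses the mode bits
    through CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, which is exactly what
    a capability-dropped syslog-ng lacks.
    """
    if proc.uid == file_uid:
        bits = (mode >> 6) & 0o7       # owner class
    elif file_gid in proc.gids:
        bits = (mode >> 3) & 0o7       # group class
    else:
        bits = mode & 0o7              # other
    if bits & 0o4:
        return True
    return bool(proc.effective & {"cap_dac_override", "cap_dac_read_search"})


def can_read_config(caps_text, file_uid, file_gid, mode, uid=0, gids=(0,)):
    """Would a process (root by default) running with caps_text open the file?"""
    proc = Process(uid, frozenset(gids), effective_caps(caps_text))
    return dac_read_allowed(proc, file_uid, file_gid, mode)


if __name__ == "__main__":
    # Constructed scenario: the config file is owned by uid/gid 1000, mode 0600.
    for label, caps in (("no DAC bypass", NO_DAC_BYPASS),
                        ("workaround", WORKAROUND_CAPS)):
        print(f"{label:14s}: readable = {can_read_config(caps, 1000, 1000, 0o600)}")
```

Note that in the workaround string cap_dac_override is only permitted ("=p"), not effective, so it contributes nothing to the read check; it is cap_dac_read_search=ep that restores the bypass, which is the "safety belt" trade-off the comment describes.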
