[syslog-ng] [Bug 210] syslog-ng drops its capabilities before reading the config files
bugzilla at bugzilla.balabit.com
Sat Oct 27 15:27:41 CEST 2012
https://bugzilla.balabit.com/show_bug.cgi?id=210
Gergely Nagy <algernon at balabit.hu> changed:
      What  |Removed   |Added
----------------------------------------------------------------------------
  Resolution|          |INVALID
      Status|ASSIGNED  |RESOLVED
--- Comment #1 from Gergely Nagy <algernon at balabit.hu> 2012-10-27 15:27:42 ---
Right. I have a fix for this, but I'm not sure that we want it.
What happens now is that syslog-ng drops a lot of capabilities as soon as it starts, and that is good - the fewer privileges, the better. However, this means that root no longer bypasses the file/directory owner checks: if something is not readable by either root's uid/gid, or by other, syslog-ng won't be able to read it. While this behaviour is kind of surprising, it does prevent ordinary users being able to mess with the syslog-ng configuration, and that is a good thing.
We can easily make syslog-ng grab CAP_DAC_READ_SEARCH when reading its config file, but that kills this safety belt, and that's not something I'm comfortable with.
However, there's a workaround that allows us to work around the limitation: run syslog-ng either with capabilities disabled, or with
--caps="cap_net_bind_service,cap_net_broadcast,cap_net_raw,cap_dac_override,cap_chown,cap_fowner=p cap_dac_read_search,cap_syslog=ep"
(For some older kernels, you'll want cap_sys_admin=ep instead of cap_syslog=ep)
Therefore, I'm marking this as resolved, because the current way - now that #209 is fixed, and the problem can be debugged - is the desired default operation, but there are possibilities to change the behaviour.
--
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
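
Added example, not part of the original message or of syslog-ng: a pre-start check that walks a config path and reports every component that uid 0 / gid 0 could not search or read under plain owner/group/other rules, which is what applies once CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are no longer effective. The function names and the default config path are assumptions made for illustration; POSIX ACLs and LSM policy are not modelled.

```python
import os

def class_allows(mode, owner, group, uid, gids, want):
    """Plain Unix DAC check with no capability override.
    want: 4 = read, 1 = search (directories). Exactly one class applies."""
    if owner == uid:
        bits = (mode >> 6) & 7   # owner class, even if group/other are wider
    elif group in gids:
        bits = (mode >> 3) & 7   # group class
    else:
        bits = mode & 7          # other class
    return (bits & want) == want

def blocked_components(path, uid=0, gids=(0,)):
    """Return (component, needed_access) pairs that would stop uid/gids from
    reading path when neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH is
    effective. Run it with enough privilege to stat every component."""
    target = os.path.realpath(path)
    chain, cur = [target], target
    while os.path.dirname(cur) != cur:      # collect every parent up to /
        cur = os.path.dirname(cur)
        chain.append(cur)
    blocked = []
    for comp in reversed(chain):            # check from / down to the file
        st = os.stat(comp)
        want, label = (4, "read") if comp == target else (1, "search")
        if not class_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want):
            blocked.append((comp, label))
    return blocked

if __name__ == "__main__":
    import sys
    # Assumed default path; pass the real config file as the first argument.
    cfg = sys.argv[1] if len(sys.argv) > 1 else "/etc/syslog-ng/syslog-ng.conf"
    for comp, label in blocked_components(cfg):
        print(f"root without DAC capabilities lacks {label} access: {comp}")
```

An empty result means the default capability set should be able to read the file; any reported component has to be fixed with chown/chmod, or the --caps workaround from the comment applies.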