[syslog-ng] Bug report: syslog-ng requests too many capabilities
balazs.scheidler at balabit.com
Wed Apr 18 13:49:16 UTC 2018
Also, you can tell it not to manage capabilities with the --no-caps command
On Wed, Apr 18, 2018 at 3:18 PM, Gergely Nagy <algernon at balabit.com> wrote:
> >>>>> "Russenberger" == Russenberger Dominik <dominik.russenberger@
> terreactive.ch> writes:
> Russenberger> Hi List,
> Russenberger> I recently noticed something very strange: although I
> run syslog-ng as
> Russenberger> an unprivileged user (with -u log -g log), newly created
> logfiles were
> Russenberger> owned by root. syslog-ng shows up running as user log in
> ps, as expected.
> Russenberger> In my opinion, there are 2 bugs in syslog-ng:
> Russenberger> * if I tell a daemon to run as unprivileged user I do
> not expect it to
> Russenberger> write files as user root. What syslog-ng is doing
> basically is faking
> Russenberger> being an unprivileged user, while retaining capabilities
> which are
> Russenberger> equivalent to full root permissions.
> Russenberger> Syslog-ng should imho either run as root, with
> Russenberger> OR as unprivileged user without capabilities (except
> Russenberger> explicitly given in --caps)
> Russenberger> * syslog-ng drops to the capabilities it gets told in
> Russenberger> but later g_process_cap_modify() ignores what was
> While I agree about your conclusion that syslog-ng should not use more
> capabilities than it is told - or what it needs to -, I'd like to shed
> some light on why it tries to raise its capabilities despite you telling
> it to run with less.
> The reason is actually pretty simple: syslog-ng supports the `owner()`
> and `group()` options for some destinations, so that it can create
> output files as a different user than syslog-ng is running under. For
> this reason, whenever creating such files, it first tries to raise its
> capabilities, just to make sure it can create them. We currently do not
> keep track of whether this is required or not, we try to raise anyway.
> We should probably change that, and only raise capabilities if we really
> need to. This should solve the issue you are seeing.
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the syslog-ng