[syslog-ng] Bug report: syslog-ng requests too many capabilities

Tue Apr 24 14:14:04 UTC 2018

Hi!

A short update on the progress of this report:

>>>>> "Gabor" == Nagy, Gábor <gabor.nagy at balabit.com> writes:

   >> In my opinion, there are 2 bugs in syslog-ng:
    >> * if I tell a daemon to run as unprivileged user I do not expect it to
    >> write files as user root. What syslog-ng is doing basically is faking
    >> being an unprivileged user, while retaining capabilities which are
    >> equivalent to full root permissions.
    >> Syslog-ng should imho either run as root, with capabilities;
    >> OR as unprivileged user without capabilities (except those
    >> explicitly given in --caps)
    >> * syslog-ng drops to the capabilities it gets told in --caps,
    >> but later g_process_cap_modify() ignores what was specified.

    Gabor> 1. creating files as root:
    Gabor> I can confirm that files are created with root even if --user or
    Gabor> --group is used.
    Gabor> Although we call setuid() in gprocess at startup, during file opening
    Gabor> we use file permissions explicitly from the global config, which
    Gabor> defaults to root.
    Gabor> I think this is a bug too and we should solve it.

I have opened issue #2002[1], lest we forget about it.

 [1]: https://github.com/balabit/syslog-ng/issues/2002

    Gabor> 2. syslog-ng drops capabilities
    Gabor> Syslog-ng sets capabilities given with options --caps at startup.
    Gabor> I think the issue here is that some capabilities are hard-wired into
    Gabor> syslog-ng (as you have found calls of
    Gabor> g_process_cap_modify()).

The capabilities set with `--caps` are the ones syslog-ng is allowed to
obtain during its runtime. It will drop *all* capabilities first, and
only take up selected ones when needed, to minimize the possible attack
vectors. There may be cases where we try to pick up capabilities when we
wouldn't need to (and that's a bug), or if we try to obtain too broad
capabilities (also a bug), but dropping all capabilities and only
picking up selected ones on demand is a consciously implemented feature.

Unless we want to run with elevated capabilities all the time (which
would be no different from running as root), we need to have a set of
capabilites we can obtain and then drop, on demand. We may need to
document the required capabilities and how the whole feature works,
better.

-- 
|8]