Tuesday, February 1, 2011

syslog-ng CAP_SYSLOG support

I've contacted syslog-ng developers about the CAP_SYSLOG capability in 2.6.38.

> During 2.6.38 development CAP_SYSLOG has been introduced to perform syslog
> operations, older CAP_SYS_ADMIN is not sufficient anymore.
> [..]

Gergely Nagy wrote:
It's a known issue, but no suitable solution (that doesn't break in
interesting ways under pressure) has been found yet.

Since CAP_SYSLOG breaks userspace, I'm hoping that this will be reverted
before the 2.6.38 release. Though, looking at recent lkml traffic, I'll
have to Cc a few more people regarding the issue.

Hope they'll come up with the fix.

The following one worked for me. No-brainer, just to make it work.
This is obviously wrong, since it breaks portability.


diff --git a/modules/affile/affile.c b/modules/affile/affile.c
index e145324..3269c1c 100644
--- a/modules/affile/affile.c
+++ b/modules/affile/affile.c
@@ -60,6 +60,7 @@ affile_open_file(gchar *name, gint flags,
       g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
       g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
+      g_process_cap_modify(CAP_SYSLOG, TRUE);
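Review bot: the added g_process_cap_modify(CAP_SYSLOG, TRUE) call in affile_open_file() uses CAP_SYSLOG unconditionally, so the file no longer builds against capability headers that predate the constant. Wrap the call in #ifdef CAP_SYSLOG so older build environments keep the existing behaviour. CAP_SYS_ADMIN is still raised on the line above; once CAP_SYSLOG is confirmed to be available at runtime, raising the much broader CAP_SYS_ADMIN on this path should no longer be needed, and dropping it there would keep the privilege set minimal.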
diff --git a/syslog-ng/main.c b/syslog-ng/main.c
index 9880c1f..6904e6b 100644
--- a/syslog-ng/main.c
+++ b/syslog-ng/main.c
@@ -378,9 +378,11 @@ main(int argc, char *argv[])
   /* NOTE: polling /proc/kmsg requires cap_sys_admin, otherwise it'll always
    * indicate readability. Enabling/disabling cap_sys_admin on every poll
    * invocation seems to be too expensive. So I enable it for now. */

+  /* NOTE: Since commit 38ef4c2e437d11b5922723504b62824e96761459 syslog
+   * operations require new CAP_SYSLOG capability, not CAP_SYS_ADMIN. */
-                     "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
+                     "cap_dac_read_search,cap_dac_override,cap_chown,cap_syslog,cap_fowner=p "
   ctx = g_option_context_new("syslog-ng");
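Review bot: the capability string on the changed line now names cap_syslog unconditionally, so startup depends on the installed libcap and running kernel recognising that name; where they do not, the whole string may be rejected and the other capabilities listed with it would not be applied. Build the string conditionally (compile-time #ifdef CAP_SYSLOG, or a runtime probe with a fallback to the old string) rather than hard-coding it. The new NOTE also contradicts the comment directly above it, which still says polling /proc/kmsg requires cap_sys_admin; merge the two comments so it is clear which capability is needed on which kernel versions.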
