> During 2.6.38 development CAP_SYSLOG has been introduced to perform syslog
> operations, older CAP_SYS_ADMIN is not sufficient anymore.
> [..]
Gergely Nagy wrote:
It's a known issue, but no suitable solution (that doesn't break in
interesting ways under pressure) has been found yet.
Since CAP_SYSLOG breaks userspace, I'm hoping that this will be reverted
before the 2.6.38 release. Though, looking at recent lkml traffic, I'll
have to Cc a few more people regarding the issue.
Hope they'll come up with the fix.
The following one worked for me. No-brainer, just to make it work.
This is obviously wrong, since it breaks portability.
---
diff --git a/modules/affile/affile.c b/modules/affile/affile.c
index e145324..3269c1c 100644
--- a/modules/affile/affile.c
+++ b/modules/affile/affile.c
@@ -60,6 +60,7 @@ affile_open_file(gchar *name, gint flags,
{
g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
+ g_process_cap_modify(CAP_SYSLOG, TRUE);
}
else
{
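Review bot: the added `g_process_cap_modify(CAP_SYSLOG, TRUE);` uses a macro that only exists in kernel headers from 2.6.38 onward, so this hunk fails to compile against older headers, which is the portability break the cover text admits to. Wrap it in `#ifdef CAP_SYSLOG` so the build still succeeds on older systems, and keep it next to the existing `CAP_SYS_ADMIN` raise so both are dropped again on the same path; raising an extra effective capability in this branch should stay limited to the kmsg-style opens the surrounding code already privileges, not become a default for every file open.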
diff --git a/syslog-ng/main.c b/syslog-ng/main.c
index 9880c1f..6904e6b 100644
--- a/syslog-ng/main.c
+++ b/syslog-ng/main.c
@@ -378,9 +378,11 @@ main(int argc, char *argv[])
/* NOTE: polling /proc/kmsg requires cap_sys_admin, otherwise it'll always
* indicate readability. Enabling/disabling cap_sys_admin on every poll
* invocation seems to be too expensive. So I enable it for now. */
-
+
+ /* NOTE: Since commit 38ef4c2e437d11b5922723504b62824e96761459 syslog
+ * operations require new CAP_SYSLOG capability, not CAP_SYS_ADMIN. */
g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
- "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
+ "cap_dac_read_search,cap_dac_override,cap_chown,cap_syslog,cap_fowner=p "
"cap_sys_admin=ep");
ctx = g_option_context_new("syslog-ng");
g_process_add_option_group(ctx);
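Review bot: adding `cap_syslog` to the compile-time capability string is a runtime portability problem rather than just a build one: on a system whose libcap does not know the name, text-to-capability parsing of the whole string fails and `g_process_set_caps` will reject it, so syslog-ng will not start at all instead of merely lacking kernel-log access. Build the string conditionally (`#ifdef CAP_SYSLOG`) or try the string without `cap_syslog` when the first parse fails. Two smaller points: the `-`/`+` pair on the blank line is a whitespace-only change that should be dropped from the patch, and the new comment belongs merged into the existing NOTE above it, which still claims polling `/proc/kmsg` needs `cap_sys_admin`, since the two statements now contradict each other for a reader on a 2.6.38 kernel.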