From a82911e862423c161e717aaccb6419f3e0b638a6 Mon Sep 17 00:00:00 2001 From: Gergely Nagy Date: Wed, 19 Jan 2011 21:58:22 +0100 Subject: [PATCH] affile: Try CAP_SYSLOG before CAP_SYS_ADMIN. In the 2.6.38 kernel - and later - one needs CAP_SYSLOG to read /proc/kmsg, CAP_SYS_ADMIN does not grant enough permissions anymore. To remedy that, try CAP_SYSLOG first, and if that fails, fall back to CAP_SYS_ADMIN. This does not seem to have any ill effects on 2.6.32, however it hasn't been tested on 2.6.38. Signed-off-by: Gergely Nagy
---
 lib/gprocess.h | 4 ++++ modules/affile/affile.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/lib/gprocess.h b/lib/gprocess.h
index cda35b0..6f080f2 100644
--- a/lib/gprocess.h
+++ b/lib/gprocess.h
@@ -31,6 +31,10 @@
 #if ENABLE_LINUX_CAPS
 # include
+#
+# ifndef CAP_SYSLOG
+# define CAP_SYSLOG 34
+# endif
 #endif
 typedef enum
diff --git a/modules/affile/affile.c b/modules/affile/affile.c
index 6eb6b59..a567385 100644
--- a/modules/affile/affile.c
+++ b/modules/affile/affile.c
@@ -59,7 +59,8 @@ affile_open_file(gchar *name, gint flags,
 if (privileged)
 {
 g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
- g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
+ if (!g_process_cap_modify(CAP_SYSLOG, TRUE)) g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
 }
 else
 {
--- a/syslog-ng/main.c
+++ b/syslog-ng/main.c
@@ -381,7 +381,7 @@
 g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
 "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
- "cap_sys_admin=ep");
+ "cap_syslog=p");
 ctx = g_option_context_new("syslog-ng");
 g_process_add_option_group(ctx);
 msg_add_option_group(ctx);
--
1.7.2.3
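Review bot: The fallback `# define CAP_SYSLOG 34` in the lib/gprocess.h hunk carries no comment saying where the number comes from or why it is needed, and a wrong value here would silently raise a different capability bit. I would put `/* CAP_SYSLOG (34) was introduced in Linux 2.6.38; older <sys/capability.h> does not define it */` above the `#ifndef`. This only makes the symbol compile against old headers: whether the libcap on such a system accepts capability value 34, and whether its text parser knows the `cap_syslog` name used in the syslog-ng/main.c hunk, is not settled by this hunk and should be checked on the 2.6.32 build the commit message mentions.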
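Review bot: The new fallback `if (!g_process_cap_modify(CAP_SYSLOG, TRUE)) g_process_cap_modify(CAP_SYS_ADMIN, TRUE);` in the modules/affile/affile.c hunk escalates to CAP_SYS_ADMIN whenever raising CAP_SYSLOG fails for any reason, not only on a kernel that predates CAP_SYSLOG, and the result of the second call is still ignored as before. Since the syslog-ng/main.c hunk of this same patch drops cap_sys_admin from the permitted set, the fallback presumably cannot succeed there at all (assuming g_process_cap_modify raises a permitted capability into the effective set; its definition is not in the hunk), so either the fallback is dead or main.c must keep cap_sys_admin permitted — the two hunks should agree. The intent deserves a comment such as `/* 2.6.38+ needs CAP_SYSLOG to read /proc/kmsg; older kernels only know CAP_SYS_ADMIN */`, and the surrounding code braces its if bodies on separate lines, which the new two-line if should follow. affile_open_file continues outside the hunk.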
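Review bot: Replacing `"cap_sys_admin=ep"` with `"cap_syslog=p"` in the syslog-ng/main.c hunk removes CAP_SYS_ADMIN from the permitted set altogether, yet the affile.c hunk of this patch still falls back to raising CAP_SYS_ADMIN when CAP_SYSLOG cannot be raised, so on a pre-2.6.38 kernel that fallback has nothing permitted to raise unless the string is interpreted differently than its `=p` syntax suggests. Dropping the `e` flag itself is a sound least-privilege change, since affile.c raises the capability only around the privileged open. If the old-kernel path is meant to keep working, the line should read `"cap_sys_admin,cap_syslog=p"`, and a build against a libcap whose text parser does not know `cap_syslog` should be tried, since an unparseable string may fail the whole capability setup rather than just this one name. This hunk also has no `diff --git`/`index` header and is absent from the diffstat (`2 files changed`), so it appears to have been appended by hand; confirm the patch applies cleanly as a whole.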