> I ran syslog-ng as a non-root user once before, but now I run it as
> root. From what I can remember, syslog-ng opened /proc/kmsg before
> dropping privileges, however when you sent the HUP signal (i.e. after
> running logrotate) it closed all the files and reopened them again.
> Because it no longer had root permissions, it couldn't
> reopen /proc/kmsg.
This looks like a design problem.
> If /proc/kmsg was group readable and the group was set to a special
> logger group, then I don't see why syslog-ng couldn't be run as a
> non-root user.
Yes.
Searching for more info I saw that syslog-ng is able to chroot it self.
But the problem is the same when you want him to re-read its configuration file by sending the SIGHUP signal...
Les informations contenues dans ce message électronique peuvent être de nature confidentielle et soumises à une obligation de secret. Elles sont destinées à l'usage exclusif du réel destinataire. Si vous n'êtes pas le réel destinataire ou si vous recevez ce message par erreur, merci de nous le notifier immédiatement en le retournant à l'adresse de son émetteur.
The information contained in this e-mail may be privileged and confidential. It is intended for the exclusive use of the designated recipients named above. If you are not the intended recipient or if you receive this e-mail in error, please notify us immediatly and return the original message at the address of the sender.
--
gentoo-security@gentoo.org mailing list
> root. From what I can remember, syslog-ng opened /proc/kmsg before
> dropping privileges, however when you sent the HUP signal (i.e. after
> running logrotate) it closed all the files and reopened them again.
> Because it no longer had root permissions, it couldn't
> reopen /proc/kmsg.
This looks like a design problem.
> If /proc/kmsg was group readable and the group was set to a special
> logger group, then I don't see why syslog-ng couldn't be run as a
> non-root user.
Yes.
Searching for more info I saw that syslog-ng is able to chroot it self.
But the problem is the same when you want him to re-read its configuration file by sending the SIGHUP signal...
Les informations contenues dans ce message électronique peuvent être de nature confidentielle et soumises à une obligation de secret. Elles sont destinées à l'usage exclusif du réel destinataire. Si vous n'êtes pas le réel destinataire ou si vous recevez ce message par erreur, merci de nous le notifier immédiatement en le retournant à l'adresse de son émetteur.
The information contained in this e-mail may be privileged and confidential. It is intended for the exclusive use of the designated recipients named above. If you are not the intended recipient or if you receive this e-mail in error, please notify us immediatly and return the original message at the address of the sender.
--
gentoo-security@gentoo.org mailing list