Bug 73751 - Request for non-root user for syslogging
Summary: Request for non-root user for syslogging
Status: RESOLVED LATER
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High minor
Assignee: Mr. Bones. (RETIRED)
Reported: 2004-12-07 21:35 UTC by Adam Theo
Modified: 2011-01-28 23:21 UTC (History)
Attachments
Patch to ebuild to allow dropping of root privileges (syslog-no-root.patch,12.19 KB, patch)
2008-12-28 15:36 UTC, Daniel Keyhani

Description Adam Theo 2004-12-07 21:35:04 UTC
Currently syslog-ng runs as root. IMO, this is bad since as few programs as possible should run as root.

I recently tried creating a non-root user and group ('syslog:syslog') and running syslog-ng as that user by the syslog-ng command line arguments of '-u' and '-g'. I also changed permissions of relevant directories and folders in /var/log and I can report that after a day everything is still running fine. There do not seem to be any performance hits or instabilities. The one thing I have not tested is how it performs under heavy load, since my server gets very light usage.

I'll be willing to make the few needed modifications to the ebuild script, init script, and syslog-ng.conf file if there is support for this.

Reproducible: Always
Comment 1 Mr. Bones. (RETIRED) gentoo-dev 2004-12-07 22:01:29 UTC
needs to be root to read /proc/kmsg
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2004-12-08 14:46:53 UTC
I'd be willing to see your proposed mods to the init scripts, etc.

The goal should be to make it possible to do, but not as the default. I.e., support for /etc/config.d/syslog-ng so the -u and -g options could be passed to syslog-ng without modifying the init script directly.

The current behavior will remain the default though since it's most useful for the majority of users unless you can convince me otherwise.
Comment 3 Adam Theo 2004-12-14 12:18:44 UTC
OK, sounds good. Having this feature as a USE flag option makes sense. I'll work on it, and post something here in a couple of weeks. Thanks.
Comment 4 Mr. Bones. (RETIRED) gentoo-dev 2004-12-27 23:57:00 UTC
I'm going to mark this LATER so it doesn't appear on my bug list for now.  Go ahead and reopen when you have something for me to look at.  Thanks.
Comment 5 Daniel Keyhani 2008-12-28 15:36:30 UTC
Created attachment 176618
Patch to ebuild to allow dropping of root privileges

Since I wanted something of the sort anyway, I went and made the necessary changes to the ebuild to be able to install syslog-ng so that it may run without root privileges by using the USE flag "droproot".

1. adds syslog user and group
2. starts syslog-ng with "-u syslog -g syslog", using a modified config file to write logs to /var/log/syslog/ (o:syslog/g:syslog) and not read /proc/kmsg
3. starts a second syslog-ng process (syslog-ng-kmsg rc file) which has root privileges, but simply reads /proc/kmsg and writes to /dev/log
4. installs a udev rules file which enables syslog-ng in unprivileged mode to write to tty12 and console

While there is still a syslog-ng process running as root, it does not process user input or files; this makes using network logging reasonably safe as well; it just requires use of an unprivileged port.

If the USE flag is not specified, the install is mostly unchanged, except for an express PID file specification in the syslog-ng rc file (to differentiate the main and kmsg processes).
Comment 6 Daniel Keyhani 2008-12-28 15:43:58 UTC
Just to add me to CC...
Comment 7 Seidl Alexander 2009-10-23 11:52:50 UTC
I would suggest creating a named pipe and using dd to copy /proc/kmsg to this pipe, where syslog can read it without the need to run as root...

So syslog runs as user syslog, group syslog.
The pipe (e.g. /var/run/kmsg) is owned by root.syslog.
"dd bs=1 if=/proc/kmsg of=/var/run/kmsg" could be started from inside the init.d script.
Configfile of syslog has to be changed from
"file(/proc/kmsg);" to "pipe(/var/run/kmsg);"

Hope you consider this.
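
The named-pipe hand-off suggested in the comment above, sketched as an added example that is not part of the original thread or of any Gentoo init script. The function names, the temporary paths a caller would pass in, and the sample kernel lines are assumptions; on a real host the writer would be the root-owned forwarder and the reader the unprivileged log daemon.

```shell
#!/bin/sh
# Added example. FIFO path, group and sample lines are assumed/constructed.

# Create the hand-off FIFO: owner (the root forwarder) read/write,
# group (the unprivileged log daemon) read-only, nothing for others.
make_kmsg_fifo() {
    fifo=$1 group=$2
    [ -p "$fifo" ] || mkfifo "$fifo" || return 1
    chgrp "$group" "$fifo" && chmod 0640 "$fifo"
}

# Pre-start check: the path must be a real FIFO (not a symlink or a
# regular file) and must grant no permissions to "other", since kernel
# messages should only reach the log daemon's group.
fifo_is_safe() {
    perms=$(ls -ld -- "$1" 2>/dev/null) || return 1
    case $perms in
        p??????---*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Relay constructed kernel-style lines through the FIFO and print how
# many lines the reader side received. Refuses to run on an unsafe FIFO.
relay_demo() {
    fifo=$1 out=$2
    fifo_is_safe "$fifo" || { echo "unsafe fifo: $fifo" >&2; return 1; }
    cat "$fifo" > "$out" &      # stands in for the daemon's pipe() source
    reader=$!
    printf '%s\n' \
        '<6>[    0.000000] constructed: kernel boot line' \
        '<4>[   12.345678] constructed: warning line' > "$fifo"
    wait "$reader"
    wc -l < "$out" | tr -d ' '
}
```

Running `fifo_is_safe` in the init script before starting either side catches a FIFO that was replaced by a symlink or recreated with a loose umask.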
Comment 8 Pavel 2010-10-24 04:33:05 UTC
I'm also very supportive of this idea; log daemons aren't supposed to be attack-proofed pieces of software, and on some installations you have them exposed to the internet for network logging. Nowadays, the problem of running syslog without root has gotten a bit more complicated because syslog-ng now wants the /var/run/syslog-ng.ctl socket for writing. I propose moving this socket, along with the PID file, into a subdirectory with syslog user write permission.

Comment 9 Pavel 2010-10-24 04:46:41 UTC
Also, I think this bug is worth reopening, as the Gentoo handbook specifically mentions syslog-ng as a log server that is capable of working in non-root mode.