Gentoo's Bugzilla – Attachment 399956 Details for
Bug 544766
app-admin/syslog-ng: add USE filecaps and run with minimal privileges by default
[patch]
patch
syslog-ng.filecaps.patch (text/plain), 5.88 KB, created by
Nikoli
on 2015-03-28 16:01:46 UTC
Description:
patch
Filename:
MIME Type:
Creator:
Nikoli
Created:
2015-03-28 16:01:46 UTC
Size:
5.88 KB
patch
obsolete
>diff --git a/app-admin/syslog-ng/files/3.6/syslog-ng.rc6 b/app-admin/syslog-ng/files/3.6/syslog-ng.rc6
>old mode 100644
>new mode 100755
>index 8242c2b..deb551f
>--- a/app-admin/syslog-ng/files/3.6/syslog-ng.rc6
>+++ b/app-admin/syslog-ng/files/3.6/syslog-ng.rc6
>@@ -1,19 +1,20 @@
> #!/sbin/runscript
>-# Copyright 1999-2014 Gentoo Foundation
>+# Copyright 1999-2015 Gentoo Foundation
> # Distributed under the terms of the GNU General Public License v2
> # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/3.6/syslog-ng.rc6,v 1.2 2014/12/18 19:51:36 mr_bones_ Exp $
>
> SYSLOG_NG_CONFIGFILE=${SYSLOG_NG_CONFIGFILE:-/etc/syslog-ng/${RC_SVCNAME}.conf}
>-SYSLOG_NG_STATEFILE_DIR=${SYSLOG_NG_STATEFILE_DIR:-/var/lib/syslog-ng}
>-SYSLOG_NG_STATEFILE=${SYSLOG_NG_STATEFILE:-${SYSLOG_NG_STATEFILE_DIR}/syslog-ng.persist}
>-SYSLOG_NG_PIDFILE_DIR=${SYSLOG_NG_PIDFILE_DIR:-/run}
>+SYSLOG_NG_STATEFILE_DIR=${SYSLOG_NG_STATEFILE_DIR:-/var/lib/${RC_SVCNAME}}
>+SYSLOG_NG_STATEFILE=${SYSLOG_NG_STATEFILE:-${SYSLOG_NG_STATEFILE_DIR}/${RC_SVCNAME}.persist}
>+SYSLOG_NG_PIDFILE_DIR=${SYSLOG_NG_PIDFILE_DIR:-/var/run/${RC_SVCNAME}}
> SYSLOG_NG_PIDFILE=${SYSLOG_NG_PIDFILE:-${SYSLOG_NG_PIDFILE_DIR}/${RC_SVCNAME}.pid}
>+SYSLOG_NG_CONTROLFILE=${SYSLOG_NG_CONTROLFILE:-${SYSLOG_NG_PIDFILE_DIR}/${RC_SVCNAME}.ctl}
>
>-SYSLOG_NG_GROUP=${SYSLOG_NG_GROUP:-root}
>-SYSLOG_NG_USER=${SYSLOG_NG_USER:-root}
>+SYSLOG_NG_GROUP=${SYSLOG_NG_GROUP:-${RC_SVCNAME}}
>+SYSLOG_NG_USER=${SYSLOG_NG_USER:-${RC_SVCNAME}}
>
> command="/usr/sbin/syslog-ng"
>-command_args="--persist-file \"${SYSLOG_NG_STATEFILE}\" --cfgfile \"${SYSLOG_NG_CONFIGFILE}\" --pidfile \"${SYSLOG_NG_PIDFILE}\" ${SYSLOG_NG_OPTS}"
>+command_args="--persist-file \"${SYSLOG_NG_STATEFILE}\" --cfgfile \"${SYSLOG_NG_CONFIGFILE}\" --control \"${SYSLOG_NG_CONTROLFILE}\" --pidfile \"${SYSLOG_NG_PIDFILE}\" ${SYSLOG_NG_OPTS}"
> extra_commands="checkconfig"
> extra_started_commands="reload"
> pidfile="${SYSLOG_NG_PIDFILE}"
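Review bot: The new defaults `SYSLOG_NG_USER=${SYSLOG_NG_USER:-${RC_SVCNAME}}` and `SYSLOG_NG_GROUP=${SYSLOG_NG_GROUP:-${RC_SVCNAME}}` tie the account name to the service name, while the ebuild in this patch only creates an account called `syslog-ng`. The script already keys the config file on `${RC_SVCNAME}`, so a renamed or symlinked instance would default to a user and group that presumably do not exist, and the `checkpath --owner` call in start_pre would then be given that owner. I would default both to the fixed account, `SYSLOG_NG_USER=${SYSLOG_NG_USER:-syslog-ng}` and `SYSLOG_NG_GROUP=${SYSLOG_NG_GROUP:-syslog-ng}`, and keep `${RC_SVCNAME}` only in the paths. Nothing in this hunk hands the user to the daemon either, so confirm that the part of the script outside the hunk really starts it unprivileged.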
>@@ -22,7 +23,6 @@ description="Syslog-ng is a syslog replacement with advanced filtering features.
> description_checkconfig="Check the configuration file that will be used by \"start\""
> description_reload="Reload the configuration without exiting"
> required_files="${SYSLOG_NG_CONFIGFILE}"
>-required_dirs="${SYSLOG_NG_PIDFILE_DIR}"
>
> depend() {
> use clock
>@@ -42,8 +42,9 @@ start_pre() {
> checkpath \
> -d \
> --mode 0700 \
>- --owner "${SYSLOG_NG_OWNER}:${SYSLOG_NG_GROUP}" \
>- "${SYSLOG_NG_STATEFILE_DIR}"
>+ --owner "${SYSLOG_NG_USER}:${SYSLOG_NG_GROUP}" \
>+ "${SYSLOG_NG_STATEFILE_DIR}" \
>+ "${SYSLOG_NG_PIDFILE_DIR}"
> }
>
> stop_pre() {
>diff --git a/app-admin/syslog-ng/metadata.xml b/app-admin/syslog-ng/metadata.xml
>index db015d1..f37ae13 100644
>--- a/app-admin/syslog-ng/metadata.xml
>+++ b/app-admin/syslog-ng/metadata.xml
>@@ -8,6 +8,7 @@
> <use>
> <flag name='amqp'>Enable support for AMQP destinations</flag>
> <flag name='smtp'>Enable support for SMTP destinations</flag>
>+ <flag name='extra-caps'>Permit more Linux capabilities</flag>
> <flag name='spoof-source'>Enable support for spoofed source addresses</flag>
> <flag name='json'>Enable support for JSON template formatting via <pkg>dev-libs/json-c</pkg></flag>
> <flag name='mongodb'>Enable support for mongodb destinations</flag>
>diff --git a/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild b/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild
>index aea6cb4..2ed0ad1 100644
>--- a/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild
>+++ b/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild
>@@ -3,7 +3,7 @@
> # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild,v 1.7 2015/03/25 14:01:18 ago Exp $
>
> EAPI=5
>-inherit eutils multilib systemd versionator
>+inherit eutils fcaps user multilib systemd versionator
>
> MY_PV=${PV/_/}
> MY_PV_MM=$(get_version_component_range 1-2)
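Review bot: Adding `"${SYSLOG_NG_PIDFILE_DIR}"` to the `checkpath -d --mode 0700 --owner` call in start_pre will re-own and restrict whatever directory an existing configuration points at, not only the new default `/var/run/${RC_SVCNAME}`. A system whose conf.d still sets the previous default `/run` would, on the next start, have that shared directory set to mode 0700 and handed to the service user. I would refuse a pid directory that is not private to the service before calling checkpath, for example `case "${SYSLOG_NG_PIDFILE_DIR}" in /run|/var/run) eerror "SYSLOG_NG_PIDFILE_DIR must be a dedicated directory"; return 1;; esac`. start_pre begins outside the hunk, so this assumes nothing earlier in it already validates the path.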
>@@ -14,7 +14,8 @@ SRC_URI="http://www.balabit.com/downloads/files/syslog-ng/sources/${MY_PV}/sourc
> LICENSE="GPL-2+ LGPL-2.1+"
> SLOT="0"
> KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~x86-fbsd"
>-IUSE="amqp caps dbi geoip ipv6 json mongodb pacct redis smtp spoof-source ssl systemd tcpd"
>+IUSE="amqp caps dbi extra-caps geoip ipv6 json mongodb pacct redis smtp spoof-source ssl systemd tcpd"
>+REQUIRED_USE="extra-caps? ( filecaps )"
> RESTRICT="test"
>
> RDEPEND="
>@@ -37,6 +38,13 @@ DEPEND="${RDEPEND}
>
> S=${WORKDIR}/${PN}-${MY_PV}
>
>+pkg_setup() {
>+ if use caps; then
>+ ewarn "\"caps\" USE flag is only useful for limiting privileges when running syslog-ng as root."
>+ ewarn "It is suggested to use \"filecaps\" instead and run as syslog-ng user."
>+ fi
>+}
>+
> src_prepare() {
> epatch "${FILESDIR}"/${MY_PV_MM}/${P}-redis.patch
> cp "${FILESDIR}"/*logrotate*.in "${TMPDIR}" || die
>@@ -110,6 +118,28 @@ src_install() {
> }
>
> pkg_postinst() {
>+ enewuser syslog-ng
>+
>+ # Capabilities, see 'man capabilities 7' for more info:
>+ #
>+ # 'cap_syslog' is required to read /proc/kmsg, if disabled syslog-ng fails with these errors:
>+ # Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)'
>+ # Error initializing message pipeline;
>+ #
>+ # 'cap_dac_override' is required to read /dev/log, if disabled syslog-ng fails with these errors:
>+ # Error binding socket; addr='AF_UNIX(/dev/log)', error='Address already in use (98)'
>+ # Error initializing message pipeline;
>+ #
>+ # 'cap_chown' is required to change owners of logs
>+
>+ # enable minimal required for standalone logger capabilities
>+ logger_caps='cap_chown,cap_dac_override,cap_syslog'
>+ # enable all capabilities from syslog-ng/main.c BASE_CAPS
>+ use extra-caps && logger_caps+=',cap_chown,cap_dac_read_search,cap_net_bind_service,cap_net_broadcast,cap_net_raw'
>+
>+ chown root:syslog-ng "${EROOT}"/usr/sbin/syslog-ng || die
>+ fcaps -o root -g syslog-ng -m 4710 -M 0710 "${logger_caps}+ep" /usr/sbin/syslog-ng
>+
> elog "For detailed documentation please see the upstream website:"
> elog "http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.6-guides/en/syslog-ng-ose-v3.6-guide-admin/html/index.html"
>
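Review bot: Setting `cap_chown,cap_dac_override,cap_syslog` with `+ep` on `/usr/sbin/syslog-ng` grants those capabilities to every process allowed to execute the binary, whatever `--cfgfile` it is given, so membership of group `syslog-ng` becomes close to root-equivalent; that belongs in a comment beside the `fcaps` line and in the `elog` output, stating that the group must not contain ordinary users. As I read fcaps.eclass, `-m 4710` is the mode applied when capabilities cannot be set, which leaves a setuid-root binary in that case, and the comment should say so as well. The `extra-caps` append repeats `cap_chown`, which the base list already has: `use extra-caps && logger_caps+=',cap_dac_read_search,cap_net_bind_service,cap_net_broadcast,cap_net_raw'`. The `chown root:syslog-ng` also depends on a `syslog-ng` group existing and no `enewgroup` is visible in the patch; pkg_postinst continues outside the hunk.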
Attachments on
bug 544766
: 399956 |
399958
|
399960
|
524078
|
524080