
Bug 544766

Summary: app-admin/syslog-ng: add USE filecaps and run with minimal privileges by default
Product: Gentoo Linux
Reporter: Nikoli <nikoli>
Component: Current packages
Assignee: Tomáš Mózes <hydrapolic>
Status: RESOLVED WONTFIX
Severity: enhancement
CC: hydrapolic, kfm, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/balabit/syslog-ng/issues/437
See Also: https://github.com/gentoo/gentoo/pull/7323
https://github.com/gentoo/gentoo/pull/7436
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: patch
ebuild
init.d
syslog-ng-3.14.1-r1.ebuild with USE="filecaps" support
syslog-ng-3.14.1-r1.ebuild with USE="filecaps" support

Description Nikoli 2015-03-28 16:01:46 UTC
Created attachment 399956 [details, diff]
patch

I tried running syslog-ng as a non-root user, using a minimal set of Linux file capabilities: it works fine for me on several systems. Please change the defaults to be more secure.

To test the attached patch, run:
USE='filecaps -caps' emerge app-admin/syslog-ng
Comment 1 Nikoli 2015-03-28 16:02:23 UTC
Created attachment 399958 [details]
ebuild
Comment 2 Nikoli 2015-03-28 16:03:17 UTC
Created attachment 399960 [details]
init.d

Also attached the ebuild and init.d scripts in case the patch does not work for you.
Comment 3 Nils Freydank 2018-03-01 14:36:58 UTC
I opened a bump request via github, including a fix of the openrc daemon file.

USE="caps" works now as intended, and I think caps is superior to filecaps,
and the main intent of this bug was to run syslog-ng as a user instead of root.

@Nikoli, could you please give short feedback if the *fixed* USE="caps" ebuild solves this bug sufficiently?
Comment 4 Tomáš Mózes 2018-03-07 11:33:56 UTC
What is the difference between running syslog-ng as regular user with fcaps/caps vs running as root with caps? Are there any gains in terms of security?
Comment 5 Nils Freydank 2018-03-12 17:01:53 UTC
(In reply to Tomáš Mózes from comment #4)
> What is the difference between running syslog-ng as regular user with
> fcaps/caps vs running as root with caps? Are there any gains in terms of
> security?

Actually, a pretty clear maybe: You can run syslog entirely as a user with filecaps, but with the needed filecaps and appropriate rights for the binary of course (see the linked PR on github.com).
Comment 6 Nils Freydank 2018-03-15 20:19:57 UTC
(In reply to Nils Freydank from comment #5)
> (In reply to Tomáš Mózes from comment #4)
> > What is the difference between running syslog-ng as regular user with
> > fcaps/caps vs running as root with caps? Are there any gains in terms of
> > security?
> 
> Actually, a pretty clear maybe: You can run syslog entirely as a user with
> filecaps, but with the needed filecaps and appropriate rights for the binary
> of course (see the linked PR on github.com).

I was wrong here: root with USE="caps" should be preferred. This way syslog-ng will be started as root, but privileges can and will be dropped. The correct behaviour can be monitored with pscap from sys-libs/libcap-ng.

USE="filecaps" might suggest syslog-ng would run as an unprivileged user while it actually could gain root-like privileges, so in the end "caps" should be preferred over "filecaps".

We actually wanted to still support filecaps, but as the fcaps eclass enforces the active USE flag it’s better to drop the idea, paste the working ebuild only here and close this bug as WONTFIX.
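
Added example, not part of the original thread or of the Gentoo/syslog-ng code: a Python sketch of the check comment 6 describes, decoding the capability masks in /proc/<pid>/status so a root process that dropped privileges can be told apart from one that did not, and so a non-root process with file capabilities is not mistaken for unprivileged. The masks, the uid 1000 and the helper names are constructed for illustration; the reduced mask is not syslog-ng's actual capability set.

```python
import re

# Capability bit numbers as defined in linux/capability.h (bit 0 .. bit 40).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

def decode(mask_hex):
    """Turn a hex mask such as CapEff from /proc/<pid>/status into names."""
    mask = int(mask_hex, 16)
    names = [n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]
    # Bits beyond the table (newer kernels) are reported by number.
    names += [f"cap_{b}" for b in range(len(CAP_NAMES), 64) if mask >> b & 1]
    return names

def summarize(status_text):
    """Extract the effective UID and capability sets from status file text."""
    fields = dict(re.findall(r"^(\w+):\s*(.+)$", status_text, re.M))
    uids = fields["Uid"].split()  # real, effective, saved, filesystem
    eff, bnd = decode(fields["CapEff"]), decode(fields["CapBnd"])
    return {
        "euid": int(uids[1]),
        "effective": eff,
        "permitted": decode(fields["CapPrm"]),
        # Effective set equal to the bounding set: nothing was dropped.
        "full_set": bool(eff) and set(eff) == set(bnd),
    }

# Constructed masks: every capability, and a hypothetical reduced set.
FULL = "000001ffffffffff"
REDUCED = "000000040000040f"

def sample(uid, cap):
    """Build constructed status text (not captured from a real host)."""
    return (f"Name:\tsyslog-ng\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n"
            f"CapInh:\t0000000000000000\nCapPrm:\t{cap}\nCapEff:\t{cap}\n"
            f"CapBnd:\t{FULL}\n")

if __name__ == "__main__":
    for uid, cap in ((0, FULL), (0, REDUCED), (1000, REDUCED)):
        s = summarize(sample(uid, cap))
        print(s["euid"], "full" if s["full_set"] else s["effective"])
```

On a live system the same function can be fed the contents of /proc/<pid>/status for the running daemon.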
Comment 7 Nils Freydank 2018-03-15 20:21:20 UTC
Created attachment 524078 [details]
syslog-ng-3.14.1-r1.ebuild with USE="filecaps" support
Comment 8 Nils Freydank 2018-03-15 20:22:39 UTC
Created attachment 524080 [details]
syslog-ng-3.14.1-r1.ebuild with USE="filecaps" support

Sorry, wrong file.
Comment 9 Tomáš Mózes 2018-03-30 05:09:41 UTC
According to the comments by the security folks it seems like this is not improving security, so we'll close this for now.