Your message dated Wed, 11 Mar 2026 17:12:38 +0100
with message-id <[email protected]>
and subject line Re: Bug#1128924: rsyslog: Capabilities need CAP_SETGID/_UID to
allow $PrivDropToGroup/User
has caused the Debian Bug report #1128924,
regarding rsyslog: Capabilities need CAP_SETGID/_UID to allow
$PrivDropToGroup/User
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128924: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128924
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rsyslog
Version: 8.2504.0-1
Severity: normal
Dear Maintainer,
Coming from Debian 12 we used an old configuration with the following
lines:
$PrivDropToUser syslog
$PrivDropToGroup syslog
These are a simple security enhancement that removes any special
privileges from the daemon after startup.
When upgrading to Debian 13, rsyslog would no longer start. It was
unclear from the systemctl status or journalctl what happened.
After some testing and commenting out the above lines it was determined
that these lines are related to the problem.
Running the rsyslog daemon in the foreground with debug mode on ran normally,
which led to suspicions regarding the systemd unit file.
The unit file for Debian 13 introduced some security enhancement including
CapabilityBoundingSet and a list of capabilities. But missing from this list
are the CAP_SETUID and CAP_SETGID which would be required for the dropping
of privileges.
As a final test, a systemd override was placed in
/etc/systemd/system/rsyslog.service.d/allow-priv-drop.conf
with the following contents:
[Service]
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_DAC_OVERRIDE CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG CAP_SETGID CAP_SETUID
(same list as the normal unit file plus CAP_SETGID and CAP_SETUID added).
After
systemctl daemon-reload
the service would run as expected.
The question is if there is more of a security benefit by reducing the
capabilities or by dropping all root privileges via the rsyslog
configuration. I think the latter, but obviously for users who do not use
this directive, there is a benefit to reduce the overall list of
capabilities.
The override is a manageable workaround, but the behaviour (a crash with no
context) should probably be addressed as it would confuse users.
-- System Information:
Debian Release: 13.3
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.63+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages rsyslog depends on:
ii libc6 2.41-12+deb13u1
ii libestr0 0.1.11-2
ii libfastjson4 1.2304.0-2
ii liblognorm5 2.0.6-5
ii libsystemd0 257.9-1~deb13u1
ii libuuid1 2.41-5
ii libzstd1 1.5.7+dfsg-1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages rsyslog recommends:
ii logrotate 3.22.0-1
Versions of packages rsyslog suggests:
pn rsyslog-clickhouse <none>
pn rsyslog-doc <none>
pn rsyslog-docker <none>
pn rsyslog-elasticsearch <none>
pn rsyslog-gssapi <none>
pn rsyslog-hiredis <none>
pn rsyslog-kafka <none>
pn rsyslog-kubernetes <none>
pn rsyslog-mongodb <none>
pn rsyslog-mysql | rsyslog-pgsql <none>
pn rsyslog-openssl | rsyslog-gnutls <none>
pn rsyslog-relp <none>
pn rsyslog-snmp <none>
-- Configuration Files:
/etc/rsyslog.conf changed [not included]
-- no debconf information
--- End Message ---
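The mismatch described in the report (an rsyslog config that asks the daemon to setuid/setgid, under a unit whose CapabilityBoundingSet= no longer contains CAP_SETUID and CAP_SETGID) can be checked before a restart rather than discovered from a silent crash. The script below is an added example, not code from the bug report, the Debian package or rsyslog: it reads the privilege-drop directives from a config file and the bounding set from a unit file plus any drop-ins, and reports which required capabilities are missing. The file paths are whatever the caller passes in; the built-in demo uses constructed inputs that mirror the report. Only the plain additive form of CapabilityBoundingSet= is modelled (multiple lines merge, an empty assignment resets the set); the inverted `~` form is not handled.

```shell
#!/bin/sh
# Added example (not from the bug report or the rsyslog package): check
# whether a systemd unit's CapabilityBoundingSet= still permits the
# privilege drop that rsyslog's $PrivDropToUser/$PrivDropToGroup perform.
# Paths are supplied by the caller; the demo inputs at the bottom are
# constructed to mirror the report.

# Print the capabilities the rsyslog config needs for its privilege drop,
# one per line. Changing uid needs CAP_SETUID, changing gid needs CAP_SETGID.
# Legacy directives are case-insensitive; the *ID variants take numeric ids.
privdrop_caps_needed() {
    conf="$1"
    grep -Eiq '^[[:space:]]*\$PrivDropToUser(ID)?[[:space:]]' "$conf" && echo CAP_SETUID
    grep -Eiq '^[[:space:]]*\$PrivDropToGroup(ID)?[[:space:]]' "$conf" && echo CAP_SETGID
    return 0
}

# Compute the effective bounding set from the unit file and its drop-ins,
# given in the order systemd reads them (unit first, then drop-ins).
# Lines merge; an empty assignment resets the set. If no line is present
# at all, systemd filters nothing, which is reported as the single token ALL.
effective_bounding_set() {
    cat "$@" | awk '
        /^[[:space:]]*CapabilityBoundingSet[[:space:]]*=/ {
            seen = 1
            sub(/^[[:space:]]*CapabilityBoundingSet[[:space:]]*=[[:space:]]*/, "")
            if ($0 == "") { for (k in caps) delete caps[k]; next }
            for (i = 1; i <= NF; i++) caps[$i] = 1
        }
        END {
            if (!seen) { print "ALL"; exit }
            for (k in caps) print k
        }
    ' | sort
}

# Usage: check_privdrop_caps RSYSLOG_CONF UNIT_FILE [DROPIN...]
# Exit 0 when the bounding set covers the privilege drop, 1 otherwise.
check_privdrop_caps() {
    conf="$1"; shift
    have=$(effective_bounding_set "$@")
    if [ "$have" = "ALL" ]; then
        echo "ok: no CapabilityBoundingSet= set, nothing is filtered"
        return 0
    fi
    missing=""
    for cap in $(privdrop_caps_needed "$conf"); do
        echo "$have" | grep -qx "$cap" || missing="$missing $cap"
    done
    if [ -n "$missing" ]; then
        echo "missing from CapabilityBoundingSet:$missing"
        return 1
    fi
    echo "ok: bounding set covers the privilege drop"
    return 0
}

# Demo on constructed inputs: the two directives from the old config, a unit
# whose bounding set lacks CAP_SETUID/CAP_SETGID, and a drop-in adding them.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '$PrivDropToUser syslog' '$PrivDropToGroup syslog' > "$d/rsyslog.conf"
    printf '%s\n' '[Service]' \
        'CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SYSLOG' \
        > "$d/rsyslog.service"
    printf '%s\n' '[Service]' 'CapabilityBoundingSet=CAP_SETGID CAP_SETUID' \
        > "$d/allow-priv-drop.conf"
    check_privdrop_caps "$d/rsyslog.conf" "$d/rsyslog.service" || true
    check_privdrop_caps "$d/rsyslog.conf" "$d/rsyslog.service" "$d/allow-priv-drop.conf"
    rm -rf "$d"
}

if [ $# -ge 2 ]; then
    check_privdrop_caps "$@"
else
    demo
fi
```

On a real host the call would be along the lines of `sh check.sh /etc/rsyslog.conf /usr/lib/systemd/system/rsyslog.service /etc/systemd/system/rsyslog.service.d/*.conf`, passing the drop-ins after the unit so that the merge order matches systemd's; a non-zero exit means the daemon will fail its setuid/setgid under that unit.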
--- Begin Message ---
On 10.03.26 at 21:57, Dennis van Dok wrote:
On 10-03-2026 at 14:07, Michael Biebl wrote:
I'm open to adding a new section to README.Debian. Would you mind
providing some text I could add there or even better, submitting a PR
via [1]?
Done. I think it is ok to close the bug now.
Thanks,
Dennis
https://salsa.debian.org/debian/rsyslog/-/merge_requests/12
I've applied this MR, so closing the bug report. Thanks for your
contribution.
Michael
--- End Message ---