Package: rsyslog Version: 8.2504.0-1 Severity: normal
Dear Maintainer,

Coming from Debian 12 we used an old configuration with the following lines:

    $PrivDropToUser syslog
    $PrivDropToGroup syslog

These are a simple security enhancement that removes any special privileges from the daemon after startup.

When upgrading to Debian 13, rsyslog would no longer start. It was unclear from the systemctl status or journalctl what happened. After some testing and commenting out the above lines it was determined that these lines are related to the problem. Running the rsyslog daemon in the foreground with debug mode on ran normally, which led to suspicions regarding the systemd unit file.

The unit file for Debian 13 introduced some security enhancements including CapabilityBoundingSet and a list of capabilities. But missing from this list are CAP_SETUID and CAP_SETGID, which would be required for the dropping of privileges.

As a final test, a systemd override was placed in /etc/systemd/system/rsyslog.service.d/allow-priv-drop.conf with the following contents:

    [Service]
    CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_DAC_OVERRIDE CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG CAP_SETGID CAP_SETUID

(same list as the normal unit file plus CAP_SETGID and CAP_SETUID added). After systemctl daemon-reload the service would run as expected.

The question is whether there is more of a security benefit from reducing the capabilities or from dropping all root privileges via the rsyslog configuration. I think the latter, but obviously for users who do not use this directive there is a benefit to reducing the overall list of capabilities.

The override is a manageable workaround, but the behaviour (a crash with no context) should probably be addressed as it would confuse users.
-- System Information:
Debian Release: 13.3
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.63+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages rsyslog depends on:
ii  libc6         2.41-12+deb13u1
ii  libestr0      0.1.11-2
ii  libfastjson4  1.2304.0-2
ii  liblognorm5   2.0.6-5
ii  libsystemd0   257.9-1~deb13u1
ii  libuuid1      2.41-5
ii  libzstd1      1.5.7+dfsg-1
ii  zlib1g        1:1.3.dfsg+really1.3.1-1+b1

Versions of packages rsyslog recommends:
ii  logrotate  3.22.0-1

Versions of packages rsyslog suggests:
pn  rsyslog-clickhouse              <none>
pn  rsyslog-doc                     <none>
pn  rsyslog-docker                  <none>
pn  rsyslog-elasticsearch           <none>
pn  rsyslog-gssapi                  <none>
pn  rsyslog-hiredis                 <none>
pn  rsyslog-kafka                   <none>
pn  rsyslog-kubernetes              <none>
pn  rsyslog-mongodb                 <none>
pn  rsyslog-mysql | rsyslog-pgsql   <none>
pn  rsyslog-openssl | rsyslog-gnutls  <none>
pn  rsyslog-relp                    <none>
pn  rsyslog-snmp                    <none>

-- Configuration Files:
/etc/rsyslog.conf changed [not included]

-- no debconf information
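An added check, not part of this bug report or of the rsyslog package, for spotting the mismatch described above before it bites: it compares a unit's resolved CapabilityBoundingSet (as printed by `systemctl show -p CapabilityBoundingSet --value UNIT`) against the capabilities that $PrivDropToUser/$PrivDropToGroup need, and reports the ones that are missing. The two sample lists at the bottom are constructed from the capability lists quoted in the report.

```shell
#!/bin/sh
# Added example: detect a CapabilityBoundingSet that cannot satisfy rsyslog's
# $PrivDropToUser/$PrivDropToGroup directives. Dropping to another uid/gid
# needs setuid()/setgid(), which require CAP_SETUID and CAP_SETGID.

REQUIRED_CAPS="cap_setuid cap_setgid"

# missing_privdrop_caps CAPLIST
#   CAPLIST is a whitespace-separated capability list in either case
#   (systemctl show prints lowercase; unit files usually use uppercase).
#   Prints the required capabilities that are absent, space separated;
#   prints nothing when the bounding set is sufficient.
missing_privdrop_caps() {
    caps=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ' \t' '\n\n')
    missing=""
    for need in $REQUIRED_CAPS; do
        if ! printf '%s\n' "$caps" | grep -qx "$need"; then
            missing="$missing $need"
        fi
    done
    printf '%s' "${missing# }"
}

# check_unit UNIT
#   Queries the running systemd for the unit's effective bounding set.
#   Returns 0 if privilege dropping can work, 1 otherwise (not called here,
#   so the script also runs on hosts without systemd).
check_unit() {
    bset=$(systemctl show -p CapabilityBoundingSet --value "$1") || return 2
    m=$(missing_privdrop_caps "$bset")
    if [ -n "$m" ]; then
        echo "$1: bounding set lacks $m; \$PrivDropToUser/Group will fail" >&2
        return 1
    fi
    echo "$1: bounding set allows privilege dropping"
}

# Constructed samples based on the lists quoted in the report.
DEBIAN13_UNIT="CAP_BLOCK_SUSPEND CAP_CHOWN CAP_DAC_OVERRIDE CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG"
WITH_OVERRIDE="$DEBIAN13_UNIT CAP_SETGID CAP_SETUID"

echo "stock unit, missing: '$(missing_privdrop_caps "$DEBIAN13_UNIT")'"
echo "with override, missing: '$(missing_privdrop_caps "$WITH_OVERRIDE")'"
```

Run `check_unit rsyslog.service` on the affected host to test the live unit; a non-empty result is the condition that produced the context-free crash in the report.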

