I've been using a simple workaround for some time now. In addition to the normal rsyslog instance I run a second one. The "main" rsyslog doesn't fetch kernel messages anymore and therefore can drop its root privileges. But it's now listening on localhost for them.

    $ModLoad imudp
    $UDPServerAddress 127.0.0.1
    $UDPServerRun 514
    $AllowedSender UDP, 127.0.0.1

The second instance runs as root and has only a minimum configuration to forward kernel messages to the "main" instance. So it is not reachable from the local network and opens no unix socket(?).

    $ModLoad imklog
    *.* @127.0.0.1:514

    /usr/sbin/rsyslogd -c5 -f /etc/rsyslog.conf.root \
        -i /var/run/klogd-emu.pid

It's started after the "main" instance by adding it to /etc/init.d/rsyslogd and stopped by init on shutdown/reboot with SIGTERM. I expect this to be safer on a (exposed) server. Although this requires some additional resources (CPU power and main memory), I guess it should be negligible today :)
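
Added example, not part of the original message: a small Python check that the two legacy-format configurations keep the split described above (no imklog in the unprivileged instance, its UDP listener bound to loopback before `$UDPServerRun`, and a root instance that only loads imklog and forwards to loopback). The function names, the finding texts and the rule that the root config contains nothing else are assumptions of this example; the sample configs are constructed from the post.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed inputs: the two configurations from the post, one directive per line.
MAIN_CONF = "$ModLoad imudp\n$UDPServerAddress 127.0.0.1\n$UDPServerRun 514\n$AllowedSender UDP, 127.0.0.1\n"
ROOT_CONF = "$ModLoad imklog\n*.* @127.0.0.1:514\n"

def statements(conf):
    """Yield (line number, tokens) for every non-blank, non-comment line."""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line.split()

def lint_main(conf):
    """Unprivileged instance: no kernel log input, UDP listener on loopback only."""
    findings, bind = [], None  # bind stays None until $UDPServerAddress is seen
    for n, tok in statements(conf):
        key = tok[0].lower()
        if key == "$modload" and "imklog" in tok[1:]:
            findings.append(f"{n}: imklog belongs in the root instance")
        elif key == "$udpserveraddress":
            bind = tok[1] if len(tok) > 1 else None
        elif key == "$udpserverrun" and bind not in LOOPBACK:
            # The address directive only applies to listeners started after it.
            findings.append(f"{n}: UDP listener bound to {bind or 'all addresses'}")
    return findings

def lint_root(conf):
    """Root instance: only imklog loaded, every action forwards to loopback."""
    findings = []
    for n, tok in statements(conf):
        if tok[0].lower() == "$modload":
            if tok[1:] != ["imklog"]:
                findings.append(f"{n}: unexpected module {' '.join(tok[1:])}")
        elif tok[0].startswith("$"):
            findings.append(f"{n}: unexpected directive {tok[0]}")
        elif len(tok) < 2 or not tok[1].startswith("@"):
            findings.append(f"{n}: action is not a network forward")
        else:
            # "@host:port" is UDP, "@@host:port" is TCP; brackets wrap IPv6 literals.
            host = tok[1].lstrip("@").rsplit(":", 1)[0].strip("[]")
            if host not in LOOPBACK:
                findings.append(f"{n}: forwards to non-loopback host {host}")
    return findings
```

Both functions return an empty list for the configurations as posted; swapping `$UDPServerRun` ahead of `$UDPServerAddress` in the main config produces a finding, because the listener would then start on all addresses.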

