Is there a way to run it as an ordinary user with added CAP_NET_BIND_SERVICE capability on Linux? I tried to play with sucap and execcap, but couldn't figure out the right incantation.
I tried something like:

  sucap bulb bulb execcap cap_net_bind_service=eip rsyslogd

but I was getting:

  Caps: =ep cap_setpcap-ep
  sucaps: capsetp: Operation not permitted
  sucap: child did not exit cleanly.
  Caps: =

Strace just showed that the capset syscall was failing with EPERM. I can't find any decent documentation for those commands.

Rainer Gerhards wrote:
> Known issue, the full story is here:
>
> http://wiki.rsyslog.com/index.php/Security
>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Dražen Kacar
> > Sent: Thursday, December 02, 2010 1:48 PM
> > To: [email protected]
> > Subject: [rsyslog] Can't use PrivDrop with TCP listener
> >
> > With rsyslog 5.6.2 I tried to use UDP and TCP listeners on port 514 in
> > combination with privilege drop. Config file contains:
> >
> > $PrivDropToUser bulb
> > $PrivDropToGroup bulb
> >
> > $Ruleset indata
> > $RulesetCreateMainQueue on
> >
> > $InputTCPServerBindRuleset indata
> > $InputTCPServerRun 514
> > $InputUDPServerBindRuleset indata
> > $UDPServerRun 514
> >
> > I get this error:
> >
> > rsyslogd: Could not create tcp listener, ignoring port 514. [try
> > http://www.rsyslog.com/e/2077 ]
> >
> > strace shows:
> >
> > 28240 socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP) = 4
> > 28240 setsockopt(4, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
> > 28240 setsockopt(4, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> > 28240 uname({sys="Linux", node="ssm2.nat.myrio.net", ...}) = 0
> > 28240 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR)
> > 28240 fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> > 28240 bind(4, {sa_family=AF_INET6, sin6_port=htons(514),
> > inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0,
> > sin6_scope_id=0}, 28) = 0
> >
> > That was IPv6 UDP socket.
> >
> > 28240 socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 5
> > 28240 setsockopt(5, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> > 28240 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR)
> > 28240 fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> > 28240 bind(5, {sa_family=AF_INET, sin_port=htons(514),
> > sin_addr=inet_addr("0.0.0.0")}, 16) = 0
> >
> > That was IPv4 UDP socket.
> >
> > 28241 setuid(1004) = 0
> > 28241 futex(0x40bded1c, FUTEX_WAKE_PRIVATE, 1) = 0
> > 28241 futex(0x7fffc9f38600, FUTEX_WAKE_PRIVATE, 1 <unfinished ...>
> > 28240 <... futex resumed> ) = 0
> > 28240 setuid(1004) = 0
> >
> > That was privilege drop.
> >
> > 28243 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9
> > 28243 setsockopt(9, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
> > 28243 setsockopt(9, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> > 28243 fcntl(9, F_GETFL) = 0x2 (flags O_RDWR)
> > 28243 fcntl(9, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> > 28243 bind(9, {sa_family=AF_INET6, sin6_port=htons(514),
> > inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0,
> > sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
> > 28243 close(9) = 0
> > 28243 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 9
> > 28243 setsockopt(9, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
> > 28243 fcntl(9, F_GETFL) = 0x2 (flags O_RDWR)
> > 28243 fcntl(9, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> > 28243 bind(9, {sa_family=AF_INET, sin_port=htons(514),
> > sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
> >
> > Those were TCP sockets. Bind() fails because it happens after privilege
> > drop.
> >
> > --
> >  .-.   .-.    Yes, I am an agent of Satan, but my duties are largely
> > (_  \ /  _)   ceremonial.
> >      |
> >      |        [email protected]
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
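The ordering problem shown in the quoted strace, as an added example written for this page (not rsyslog's code and not from the thread): the kernel checks CAP_NET_BIND_SERVICE inside bind(), so a listener bound while still root stays usable after setuid(), whereas the same bind() issued after the drop fails with EACCES. The uid/gid 65534 and the second port 515 are assumptions chosen for the demonstration; the program must be started as root to reach the second bind.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening IPv4 TCP socket on `port`; returns the fd or -errno. bind() is
 * where the kernel checks CAP_NET_BIND_SERVICE for ports below 1024, so it
 * must run before the privilege drop. */
int open_tcp_listener(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP), one = 1;
    if (fd < 0) return -errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Irrevocable drop: supplementary groups, then gid, then uid (uid last, or
 * setgid() would already fail). Returns 0 or -errno. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0 && errno != EPERM) return -errno; /* EPERM: not root anyway */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -errno;
    if (uid != 0 && setuid(0) == 0) return -EPERM; /* must not be able to regain root */
    return 0;
}

int main(void)
{
    int fd = open_tcp_listener(514); /* right order: bind first, while root */
    if (fd < 0 || drop_privileges(65534, 65534) < 0) /* 65534: nobody (assumed) */
        return 1;
    int late = open_tcp_listener(515); /* wrong order: fails with EACCES */
    printf("after drop: bind(515) -> %s\n", late < 0 ? strerror(-late) : "ok");
    close(fd); /* the early listener stays usable after the drop */
    return 0;
}
```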

