On Wed, 27 Jan 2016, Thomas D. wrote:

> Hi,
>
> David Lang wrote:
>>> does HUP'ing work with dropped privileges (when doing logrotate)?
>>> Is rsyslog still able to recreate files using different users?
>>
>> Creating files as a different user is questionable. Is this something that
>> can be allowed via a capability? Normal users are not allowed to chown files to
>> other users.
>>
>> But the default config should not need to write log files as different users.
>
> Maybe I am missing something at the moment but "/var/log/messages" has
> chmod 0644 and is owned by root/adm on most systems, isn't it?
>
> Well, "/var/log/messages" is not the best example because the file will
> be re-created by logrotate in most setups but even then, how should
> rsyslog write into that file when running as non-root?

I've also seen a lot of systems as syslog/adm

> But setups where rsyslog creates log files based on dates with custom
> permissions are also not that unusual.
>
> Do we want something like CAP_DAC_OVERRIDE?

We want it documented in the configs, I don't know if we want it as default.

There's a balancing act between the most secure default config and a less secure
default that supports more of the common variations.

David Lang
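
The ownership questions raised in this thread, as an added example that is not part of the original posts: a Python sketch of the classic Unix permission check, showing why a privilege-dropped rsyslog cannot append to a root/adm 0644 file, or chown a file to another user, without the matching capability. The uid/gid numbers and helper names are constructed for illustration; ACLs and LSM policy are ignored.

```python
import stat
from collections import namedtuple

# Constructed stand-in for os.stat_result so the example runs offline.
FileMeta = namedtuple("FileMeta", "mode uid gid")

# Constructed ids (assumptions, not taken from any real system).
ROOT, SYSLOG_UID, SYSLOG_GID, ADM_GID = 0, 104, 110, 4


def dac_allows_write(meta, uid, gids, cap_dac_override=False):
    """Classic Unix write check: exactly one class (owner, group, other) applies."""
    if uid == ROOT or cap_dac_override:
        return True  # simplification: root is assumed to hold its default capabilities
    if uid == meta.uid:
        return bool(meta.mode & stat.S_IWUSR)  # owner bits win even if group is wider
    if meta.gid in gids:
        return bool(meta.mode & stat.S_IWGRP)
    return bool(meta.mode & stat.S_IWOTH)


def dac_allows_chown(meta, uid, gids, new_uid, new_gid, cap_chown=False):
    """Linux rule: changing the owner needs CAP_CHOWN; the owner may only
    change the group to one it is itself a member of."""
    if uid == ROOT or cap_chown:
        return True
    if uid != meta.uid or new_uid != meta.uid:
        return False
    return new_gid == meta.gid or new_gid in gids


def audit(meta, uid, gids):
    """Summarise what a privilege-dropped daemon can do with one log file."""
    return {
        "append": dac_allows_write(meta, uid, gids),
        "append_with_CAP_DAC_OVERRIDE": dac_allows_write(meta, uid, gids, True),
        "chown_to_root": dac_allows_chown(meta, uid, gids, ROOT, meta.gid),
        "chown_to_root_with_CAP_CHOWN": dac_allows_chown(meta, uid, gids, ROOT, meta.gid, True),
    }


if __name__ == "__main__":
    syslog_groups = {SYSLOG_GID, ADM_GID}
    cases = {
        "root/adm 0644": FileMeta(0o100644, ROOT, ADM_GID),
        "syslog/adm 0640": FileMeta(0o100640, SYSLOG_UID, ADM_GID),
    }
    for label, meta in cases.items():
        print(label, audit(meta, SYSLOG_UID, syslog_groups))
```
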