[arch-dev-public] [arch-general] [signoff] syslog-ng-3.0.1-1

Allan McRae allan at archlinux.org
Wed Mar 11 04:00:33 EDT 2009


Gerardo Exequiel Pozzi wrote:
> Tobias Powalowski wrote:
>   
>> On Wednesday 11 March 2009, Allan McRae wrote:
>>   
>>     
>>> Gerardo Exequiel Pozzi wrote:
>>>     
>>>       
>>>> Pierre Schmitz wrote:
>>>>       
>>>>         
>>>>> Does anybody know what this message in dmesg is about? Was syslog-ng
>>>>> compiled for i686?
>>>>>
>>>>> warning: `syslog-ng' uses 32-bit capabilities (legacy support in use)
>>>>>         
>>>>>           
>>>> Very out-of-date libcap, not only syslog-ng, also proftpd, vsftpd,
>>>> pulseaudio, ntpd, virtualbox, etc, etc...
>>>>
>>>> http://www.archlinux.org/packages/extra/i686/libcap/ (for linux 2.4)
>>>>
>>>> Need to have libcap2 package for kernel 2.6 in Arch Linux
>>>> http://www.kernel.org/pub/linux/libs/security/linux-privs/
>>>>       
>>>>         
>>> I was confused about this as libcap is in [extra] so how can it make
>>> problems with a package in [core]?
>>>
>>> So going from this comment in the bug report about libcap
>>> (http://bugs.archlinux.org/task/11917#comment41046) I get...
>>>
>>>     
>>>       
>>>> readelf -s /usr/sbin/syslog-ng | grep cap
>>>>       
>>>>         
>>>     33: 00000000     0 FUNC    GLOBAL DEFAULT  UND capset@GLIBC_2.1 (4)
>>>    177: 00000000     0 FUNC    GLOBAL DEFAULT  UND capget@GLIBC_2.1 (4)
>>>    473: 08228bd8     4 OBJECT  GLOBAL DEFAULT   26 OPENSSL_ia32cap_P
>>>
>>> Looks like libcap is a soft dep there.  How?
>>>
>>> Then rebuild in clean chroot:
>>>     
>>>       
>>>> readelf -s syslog-ng | grep cap
>>>>       
>>>>         
>>>    467: 08221b18     4 OBJECT  GLOBAL DEFAULT   26 OPENSSL_ia32cap_P
>>>
>>> And then the dmesg warning goes away...  So, the lesson to learn is to
>>> _always build in a clean chroot_!
>>>
>>> Allan
>>>     
>>>       
>> Hrm, I normally build in chroots; seems somehow this one slipped into it.
>> Shall I add it as makedepend?
>>
>>   
>>     
> Yes, it is a makedepends; capget and capset are glibc symbols.
>
> But these symbols are defined in sys/capability.h (that is part of
> libcap); don't confuse it with linux/capability.h
>
> So you can make syslog-ng with capabilities, and not have libcap
> installed. ;)
>
> See libc.so ;)
> # readelf -s /lib/libc.so.6 | grep cap
>   1745: 000d10e0    67 FUNC    GLOBAL DEFAULT   11 capset@@GLIBC_2.1
>   1923: 000d1090    67 FUNC    GLOBAL DEFAULT   11 capget@@GLIBC_2.1
>   3801: 000d1090    67 FUNC    LOCAL  DEFAULT   11 __GI_capget
>   4043: 000d10e0    67 FUNC    LOCAL  DEFAULT   11 __GI_capset
>   5388: 000d10e0    67 FUNC    GLOBAL DEFAULT   11 capset
>   6337: 000d1090    67 FUNC    GLOBAL DEFAULT   11 capget
>
>
> Allan: I hope you have cleared up the confusion.
>   

Not really.....  so I did some research.  Here we go:

From the release announcement for syslog-ng OSE 3.0:

 * support for capabilities under Linux, this running syslog-ng as
   non-root is possible, also with reload support, see the documentation
   of Linux capabilities in capabilities(7), for the syntax of the --caps
   option, see cap_from_text(3)

And from capabilities(7):

For the purpose of performing permission checks, traditional Unix 
implementations distinguish two categories of processes: /privileged/ 
processes (whose effective user ID is 0, referred to as superuser or 
root), and /unprivileged/ processes (whose effective UID is non-zero). 
Privileged processes bypass all kernel permission checks, while 
unprivileged processes are subject to full permission checking based on 
the process's credentials (usually: effective UID, effective GID, and 
supplementary group list).

So my conclusion is that it would probably be a good idea to add the 
makedepends on libcap.

Allan
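
The comparison made in this thread (readelf symbols of the host build against the clean-chroot build), as an added example that is not part of the original message or of any Arch tooling. The function names, variable names and the `open` sample line are hypothetical; the other sample lines are constructed from the readelf output quoted above.

```sh
#!/bin/sh
# Added example; function and variable names are hypothetical.

# Undefined (Ndx == UND) function symbols from `readelf -s` text on stdin:
# bare names, version suffix such as @GLIBC_2.1 stripped, sorted.
und_funcs() {
    awk '$4 == "FUNC" && $7 == "UND" { sub(/@.*/, "", $8); print $8 }' | sort -u
}

# Capability-related imports only: the capget/capset wrappers and any cap_*
# call. Unlike `grep cap`, this ignores OPENSSL_ia32cap_P, a defined OBJECT.
cap_imports() {
    und_funcs | grep -E '^(capget|capset|cap_[a-z_]+)$' || true
}

# Symbols imported by the build in file $1 but not by the build in file $2.
build_drift() {
    a=$(mktemp); b=$(mktemp)
    und_funcs < "$1" > "$a"
    und_funcs < "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample input, shaped like the two readelf outputs quoted above;
# the `open` line is invented to stand for imports both builds share.
HOST_BUILD='    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.0 (2)
    33: 00000000     0 FUNC    GLOBAL DEFAULT  UND capset@GLIBC_2.1 (4)
   177: 00000000     0 FUNC    GLOBAL DEFAULT  UND capget@GLIBC_2.1 (4)
   473: 08228bd8     4 OBJECT  GLOBAL DEFAULT   26 OPENSSL_ia32cap_P'
CHROOT_BUILD='    12: 00000000     0 FUNC    GLOBAL DEFAULT  UND open@GLIBC_2.0 (2)
   467: 08221b18     4 OBJECT  GLOBAL DEFAULT   26 OPENSSL_ia32cap_P'

tmp=$(mktemp -d)
printf '%s\n' "$HOST_BUILD"   > "$tmp/host.txt"
printf '%s\n' "$CHROOT_BUILD" > "$tmp/chroot.txt"

echo "capability imports, host build:";   cap_imports < "$tmp/host.txt"
echo "capability imports, chroot build:"; cap_imports < "$tmp/chroot.txt"
echo "imported only by the host build:";  build_drift "$tmp/host.txt" "$tmp/chroot.txt"
```

On real binaries, save `readelf -s <binary>` from each build to a file and pass the two files to build_drift.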





