[arch-general] [arch-dev-public] [signoff] syslog-ng-3.0.1-1

Gerardo Exequiel Pozzi vmlinuz386 at yahoo.com.ar
Wed Mar 11 03:19:25 EDT 2009


Allan McRae wrote:
> Gerardo Exequiel Pozzi wrote:
>> Pierre Schmitz wrote:
>>  
>>> Does anybody know what this message in dmesg is about? Was syslog-ng
>>> compiled for i686?
>>>
>>> warning: `syslog-ng' uses 32-bit capabilities (legacy support in use)
>>>
>>>       
>> Very out-of-date libcap, not only syslog-ng, also proftpd, vsftpd,
>> pulseaudio, ntpd, virtualbox, etc, etc...
>>
>> http://www.archlinux.org/packages/extra/i686/libcap/ (for linux 2.4)
>>
>> Need to have libcap2 package for kernel 2.6 in Arch Linux
>> http://www.kernel.org/pub/linux/libs/security/linux-privs/
>>   
>
> I was confused about this as libcap is in [extra] so how can it make
> problems with a package in [core]?
>
> So going from this comment in the bug report about libcap
> (http://bugs.archlinux.org/task/11917#comment41046) I get...
>
>> readelf -s /usr/sbin/syslog-ng | grep cap
>    33: 00000000     0 FUNC    GLOBAL DEFAULT  UND capset@GLIBC_2.1 (4)
>   177: 00000000     0 FUNC    GLOBAL DEFAULT  UND capget@GLIBC_2.1 (4)
>   473: 08228bd8     4 OBJECT  GLOBAL DEFAULT   26 OPENSSL_ia32cap_P
>
> Looks like libcap is a soft dep there.  How?
>
> Then rebuild in clean chroot:
>> readelf -s syslog-ng | grep cap
>   467: 08221b18     4 OBJECT  GLOBAL DEFAULT   26 OPENSSL_ia32cap_P
>
> And then the dmesg warning goes away...  So, the lesson to learn is to
> _always build in a clean chroot_!
>
> Allan
>
Agree about clean chroot.

But maybe this is a useful and more secure syslog-ng setup, because it
drops some capabilities that it doesn't use ;)

You can see the syslog-ng process running without capabilities enabled
(from /proc/PID/status):
CapPrm: fffffffffffffeff
CapEff: fffffffffffffeff

Capabilities for `27939': =ep cap_setpcap-ep ## getpcaps program from
latest libcap

This shows that it has all capabilities; of course, I can't drop it.

But running syslog-ng with capabilities enabled (accidentally
enabled now), you can see that many capabilities are dropped :)
CapPrm: 0000000000202c06
CapEff: 0000000000200002

Capabilities for `23652': = cap_dac_override,cap_sys_admin+ep
cap_dac_read_search,cap_net_bind_service,cap_net_broadcast,cap_net_raw+p
More secure syslog-ng ;)


OK, this isn't default behavior in Arch Linux, but...

-- 
Gerardo Exequiel Pozzi ( djgera )
http://www.djgera.com.ar
KeyID: 0x1B8C330D
Key fingerprint = 0CAA D5D4 CD85 4434 A219  76ED 39AB 221B 1B8C 330D
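
Added example, not part of the original message: a small Python decoder for the CapPrm/CapEff masks quoted above, showing how the hex values map to the names that getpcaps prints. The name table follows the bit numbering in linux/capability.h and runs through bit 40, which is newer than the 2009 kernel in the thread; the function names and the FULL/DROPPED constants are made up for this example.

```python
# Added example (not from the original post): decode capability masks
# as printed in /proc/PID/status. Bit numbers follow linux/capability.h.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
    "perfmon bpf checkpoint_restore"
).split()

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode(hex_mask):
    """Names of the known capabilities set in a hex mask, in bit order."""
    mask = int(hex_mask, 16)
    return ["cap_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]


def missing(hex_mask):
    """Known capabilities that are NOT set; useful for near-full masks."""
    held = set(decode(hex_mask))
    return ["cap_" + n for n in CAP_NAMES if "cap_" + n not in held]


def parse_status(text):
    """Map each Cap* field found in /proc/PID/status text to its names."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in CAP_FIELDS:
            fields[key.strip()] = decode(value.strip())
    return fields


def permitted_only(fields):
    """Capabilities held in CapPrm but not currently raised in CapEff."""
    return [c for c in fields["CapPrm"] if c not in fields["CapEff"]]


# The two mask pairs quoted in the message above.
FULL = "CapPrm:\tfffffffffffffeff\nCapEff:\tfffffffffffffeff\n"
DROPPED = "CapPrm:\t0000000000202c06\nCapEff:\t0000000000200002\n"

if __name__ == "__main__":
    print("full mask lacks:", missing("fffffffffffffeff"))
    dropped = parse_status(DROPPED)
    print("effective:", dropped["CapEff"])
    print("permitted only:", permitted_only(dropped))
```

The permitted-only set corresponds to the `+p` group in the getpcaps output: capabilities the process may raise again but is not currently using.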


