
From: Klavs Klavsen (klavs_at_EnableIT.dk)
Date: Mon 04 Nov 2002 - 14:02:34 GMT


I found out by trial and error that CAP_SYS_ADMIN is needed for access
to /proc/kmsg.

I also found http://www.lids.org/lids-howto/node34.html which explains
what the different capabilities enable, even though /proc/kmsg isn't
mentioned under the cap_sys_admin capability. Perhaps a link to this
information in the vserver.conf file - so people know where to find
info on the different capabilities? Or I could add it to the reducecap
manpage, but then people have to find it first :-)

It seems enabling CAP_SYS_ADMIN is not exactly good, although it doesn't
seem apparent to me that it gives any security issues (except for
enabling the removal of swap and so on - which I of course do not like).

Any ideas why syslog_ng needs this, when normal syslog doesn't?

-----Forwarded Message-----

> From: Klavs Klavsen <klavs_at_EnableIT.dk>
> To: VServer Mailinglist <vserver_at_solucorp.qc.ca>
> Subject: capabilities required for access to /proc/kmsg?
> Date: 04 Nov 2002 14:25:16 +0100
>
> Hi guys,
>
> I'm trying to run a bynari insightserver (which runs in a chrooted
> gentoo installation) - and it runs its own syslog-ng which requires
> access to /proc/kmsg.
>
> I'm trying to figure out which capabilities are required for this to be
> allowed, and also what security implications granting this capability
> produces?
>
> Reason is I want to run insightserver under the vserver - with as few
> changes as possible. I already removed the mounting of /proc under the
> insightserver's chroot - so it is handled at vserver boottime.
>
>
> --
> Regards,
> Klavs Klavsen
>
> --------------| This mail has been sent to you by: |------------
> Klavs Klavsen - Open Source Consultant
> klavs_at_EnableIT.dk - http://www.EnableIT.dk
>
> Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA
> Fingerprint = 2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62
> ----------------------------------------------------------------
> Open Source Software - Sometimes you get more than you paid for.
> -- unknown

-- 
Regards,
Klavs Klavsen

--------------| This mail has been sent to you by: |------------
Klavs Klavsen - Open Source Consultant
klavs_at_EnableIT.dk - http://www.EnableIT.dk

Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA
Fingerprint = 2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62
----------------------------------------------------------------
Open Source Software - Sometimes you get more than you paid for.
-- unknown
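
An added example, not part of the original message: rather than finding out by trial and error, the capability masks in /proc/<pid>/status can be decoded to see whether a process inside the vserver holds CAP_SYS_ADMIN. The two status excerpts are constructed sample data and the function names are hypothetical; the bit numbers are those of linux/capability.h.

```python
# Capability bit numbers from linux/capability.h (2.4-era set, bits 0-28).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE",
]

# Constructed excerpts of /proc/<pid>/status for a syslog daemon in a guest,
# before and after CAP_SYS_ADMIN (bit 21, 0x200000) is granted.
RESTRICTED = "Name:\tsyslog-ng\nCapInh:\t00000000\nCapPrm:\t000404eb\nCapEff:\t000404eb\n"
GRANTED = "Name:\tsyslog-ng\nCapInh:\t00000000\nCapPrm:\t002404eb\nCapEff:\t002404eb\n"

def parse_caps(status_text):
    """Return the Cap* lines of a status dump as {field: integer mask}."""
    caps = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = int(value.strip(), 16)
    return caps

def decode(mask):
    """Translate a capability mask into names; unnamed high bits are reported too."""
    names = [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]
    unknown = mask >> len(CAP_NAMES)
    if unknown:
        names.append("UNKNOWN_BITS_0x%x" % (unknown << len(CAP_NAMES)))
    return names

def has_cap(status_text, name, field="CapEff"):
    """True if the named capability is set in the chosen mask (effective by default)."""
    return name in decode(parse_caps(status_text).get(field, 0))

if __name__ == "__main__":
    for label, text in (("restricted", RESTRICTED), ("granted", GRANTED)):
        eff = parse_caps(text)["CapEff"]
        print(label, hex(eff), "SYS_ADMIN:", has_cap(text, "CAP_SYS_ADMIN"))
        print("  ", " ".join(decode(eff)))
```

On a live system, pass the contents of /proc/<pid>/status for the daemon in place of the constructed strings.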

