sysklogd

Robert Connolly robert at linuxfromscratch.org
Tue May 22 20:23:10 PDT 2007


Okay. /proc/kmsg, somewhere in linux-2.6, was changed so CAP_SYS_ADMIN is 
checked for every read, not just when it's opened. Giving klogd CAP_SYS_ADMIN 
capabilities is like giving 90% of root's capabilities... klogd would have 
privileges on all memory and discs, but wouldn't be able to renice processes. 
So dropping klogd from root to CAP_SYS_ADMIN is a joke.

There are two choices, as I see it. Run klogd as root and use grsecurity 
access control to disallow it to do anything it shouldn't, even though it is 
still root. Or modify the kernel to allow a specific uid, or 
non-posix-capability, to open /proc/kmsg specifically for klogd's needs... or 
revert the change to linux-2.6 to use linux-2.4's behavior to only check 
capabilities for the initial open. klogd can also use syslog(2), but the 
situation is the same. syslog(2) might be more multithreaded... the proc 
manual page says no two processes should be reading /proc/kmsg at the same 
time.

I haven't checked how this would affect dmesg(8).

Making some grsecurity ACLs is perhaps the most reasonable, but the least 
hard-coded.

robert
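The per-read check Robert describes is easy to confirm on a given kernel. The probe below is an added example written for this page, not code from sysklogd, klogd or grsecurity: it opens /proc/kmsg while still root, gives up root (either everything, or keeping exactly CAP_SYS_ADMIN via PR_SET_KEEPCAPS and a raw capset(2), so no libcap is needed), and then tries both the already-open fd and the syslog(2) path through klogctl(). It assumes Linux and that uid/gid 65534 is an unprivileged account. On a 2.6 kernel of the kind discussed in the post it should report "checked on every read" after a full drop; on kernels that later moved the /proc/kmsg check back to open time it reports "checked only at open", while the syslog(2) action is still refused.

```c
/* Added example (not from sysklogd, klogd or grsecurity): probe whether the
 * running kernel checks CAP_SYS_ADMIN on every read() of /proc/kmsg, or only
 * when the file is opened, and whether syslog(2) behaves the same way.
 * Linux only. Assumption: uid/gid 65534 is an unprivileged account.
 * Run as root:  ./kmsg_probe                    (drop everything)
 *               ./kmsg_probe --keep-sys-admin   (keep exactly CAP_SYS_ADMIN) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/klog.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define UNPRIV_ID 65534          /* assumed "nobody" uid/gid */
#define SYSLOG_SIZE_UNREAD 9     /* syslog(2) action: bytes not yet read; never blocks */

enum policy {
    POLICY_PER_READ,    /* both denied: an fd opened as root is useless after the drop */
    POLICY_OPEN_ONLY,   /* only syslog(2) denied: the fd opened as root keeps working */
    POLICY_NONE,        /* nothing denied: privilege was retained */
    POLICY_UNEXPECTED   /* fd denied but syslog(2) allowed: something went wrong */
};

struct probe {
    int open_err;   /* errno from open("/proc/kmsg"), 0 on success */
    int drop_err;   /* errno from the privilege drop, 0 on success */
    int kmsg_err;   /* errno from read() on the fd opened before the drop */
    int klog_err;   /* errno from klogctl(SYSLOG_SIZE_UNREAD) after the drop */
};

static int denied(int err) { return err == EPERM || err == EACCES; }

/* Pure interpretation of the two post-drop results. EAGAIN on the fd means
 * the permission check passed and only the ring buffer was empty. */
enum policy interpret(int kmsg_err, int klog_err)
{
    if (denied(kmsg_err) && denied(klog_err)) return POLICY_PER_READ;
    if (!denied(kmsg_err) && denied(klog_err)) return POLICY_OPEN_ONLY;
    if (!denied(kmsg_err) && !denied(klog_err)) return POLICY_NONE;
    return POLICY_UNEXPECTED;
}

/* Leave root. keep_sys_admin != 0 keeps CAP_SYS_ADMIN and nothing else, using
 * PR_SET_KEEPCAPS plus a raw capset(2); 0 keeps nothing, because setuid()
 * away from 0 clears every capability set. Returns 0 or an errno value. */
static int drop_root(int keep_sys_admin)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0, 0, 0 }, { 0, 0, 0 } };

    if (keep_sys_admin && prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return errno;
    if (setgid(UNPRIV_ID) != 0) return errno;
    if (setuid(UNPRIV_ID) != 0) return errno;
    if (keep_sys_admin)                      /* CAP_SYS_ADMIN is bit 21, in word 0 */
        data[0].permitted = data[0].effective = 1u << CAP_SYS_ADMIN;
    if (syscall(SYS_capset, &hdr, data) != 0) return errno;
    return 0;
}

/* Open /proc/kmsg while still root, drop privilege, then try both read paths. */
struct probe probe_kmsg(int keep_sys_admin)
{
    struct probe p = { 0, 0, 0, 0 };
    char buf[256];
    /* O_NONBLOCK: an empty buffer yields EAGAIN instead of a hang */
    int fd = open("/proc/kmsg", O_RDONLY | O_NONBLOCK);

    if (fd < 0) { p.open_err = errno; return p; }
    p.drop_err = drop_root(keep_sys_admin);
    if (p.drop_err == 0) {
        if (read(fd, buf, sizeof buf) < 0) p.kmsg_err = errno;
        if (klogctl(SYSLOG_SIZE_UNREAD, NULL, 0) < 0) p.klog_err = errno;
    }
    close(fd);
    return p;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "checked on every read", "checked only at open",
                                   "not denied at all", "unexpected combination" };
    int keep = argc > 1 && strcmp(argv[1], "--keep-sys-admin") == 0;
    struct probe p = probe_kmsg(keep);

    if (p.open_err) { printf("open /proc/kmsg: %s (run as root)\n", strerror(p.open_err)); return 1; }
    if (p.drop_err) { printf("privilege drop: %s\n", strerror(p.drop_err)); return 1; }
    printf("after drop (keep CAP_SYS_ADMIN=%d): read(fd): %s; klogctl(9): %s\n",
           keep, p.kmsg_err ? strerror(p.kmsg_err) : "ok",
           p.klog_err ? strerror(p.klog_err) : "ok");
    printf("policy: %s\n", names[interpret(p.kmsg_err, p.klog_err)]);
    return 0;
}
```

The "--keep-sys-admin" run shows the other half of the post's complaint: with that single capability retained both paths succeed, which is exactly why keeping it is not much of a privilege reduction. The probe is irreversible within the process, so run it in a throwaway shell rather than from a long-lived daemon.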