robert at linuxfromscratch.org
Tue May 22 20:23:10 PDT 2007
Okay. /proc/kmsg, somewhere in linux-2.6, was changed so CAP_SYS_ADMIN is
checked for every read, not just when it's opened. Giving klogd CAP_SYS_ADMIN
capabilities is like giving 90% of root's capabilities... klogd would have
privileges on all memory and discs, but wouldn't be able to renice processes.
So dropping klogd from root to CAP_SYS_ADMIN is a joke.
There are two choices, as I see it. Run klogd as root and use grsecurity
access control to disallow it to do anything it shouldn't, even though it is
still root. Or modify the kernel to allow a specific uid, or
non-posix-capability, to open /proc/kmsg specifically for klogd's needs... or
revert the change to linux-2.6 to use linux-2.4's behavior to only check
capabilities for the initial open. klogd can also use syslog(2), but the
situation is the same. syslog(2) might be more multithreaded... the proc
manual page says no two processes should be reading /proc/kmsg at the same
I haven't checked how this would affect dmesg(8).
Making some grsecurity acl's is perhaps the most reasonable, but the least
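The post's point is that CAP_SYS_ADMIN alone is most of root, while a single missing bit (CAP_SYS_NICE, 23) is what stops klogd from renicing. An administrator checking what a "reduced" daemon actually retains can read its CapEff mask from /proc/<pid>/status and name the bits. The program below is an added example, not code from the hlfs-dev thread or from klogd; the capability numbers come from <linux/capability.h>, and the embedded status text is constructed for the self-check. (As a later caveat: kernels from 2.6.38 on have CAP_SYSLOG, bit 34, so the kernel log no longer requires CAP_SYS_ADMIN on modern systems.)

```c
/* Decode the CapEff line of /proc/<pid>/status and name the capabilities
 * it contains. Added example for the klogd/CAP_SYS_ADMIN discussion; not
 * part of the original post. Run as-is to inspect the current process. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers from <linux/capability.h>; array index == bit. */
static const char *const cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
};
#define CAP_COUNT (sizeof cap_names / sizeof cap_names[0])
#define CAP_SYS_ADMIN_BIT 21
#define CAP_SYS_NICE_BIT  23

/* Constructed sample: a process holding exactly CAP_SYS_ADMIN (bit 21). */
const char SAMPLE_STATUS[] =
    "Name:\tklogd\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200000\n"
    "CapEff:\t0000000000200000\n";

/* Is capability number `cap` set in `mask`? */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap >= 64) return 0;
    return (int)((mask >> cap) & 1u);
}

/* Locate "CapEff:<ws><hex>" in status text; returns 1 on success. */
int parse_capeff(const char *status_text, uint64_t *mask_out)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return 0;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return 0;
    *mask_out = (uint64_t)v;
    return 1;
}

/* Write comma-separated names of all set bits into buf; returns the count. */
int decode_mask(uint64_t mask, char *buf, size_t buflen)
{
    int n = 0;
    size_t used = 0;
    buf[0] = '\0';
    for (int bit = 0; bit < 64; bit++) {
        if (!cap_in_mask(mask, bit)) continue;
        const char *name = (bit < (int)CAP_COUNT) ? cap_names[bit] : "CAP_?";
        int w = snprintf(buf + used, buflen - used, "%s%s", n ? "," : "", name);
        if (w < 0 || (size_t)w >= buflen - used) break;
        used += (size_t)w;
        n++;
    }
    return n;
}

int main(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("fopen"); return 1; }
    char text[8192];
    size_t len = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[len] = '\0';

    uint64_t eff;
    if (!parse_capeff(text, &eff)) { fputs("no CapEff line\n", stderr); return 1; }
    char names[2048];
    int n = decode_mask(eff, names, sizeof names);
    printf("CapEff=%016llx (%d caps): %s\n", (unsigned long long)eff, n, names);
    printf("holds CAP_SYS_ADMIN: %s, CAP_SYS_NICE: %s\n",
           cap_in_mask(eff, CAP_SYS_ADMIN_BIT) ? "yes" : "no",
           cap_in_mask(eff, CAP_SYS_NICE_BIT) ? "yes" : "no");
    return 0;
}
```

Point it at another process by reading /proc/<pid>/status instead of /proc/self/status; a daemon that shows CAP_SYS_ADMIN in CapEff should be treated as root-equivalent for the purposes the post describes, whatever its uid.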