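diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
--- rsyslog-8.2102.0/runtime/rsconf.c.orig 2023-02-17 11:52:17.460043970 +0100
+++ rsyslog-8.2102.0/runtime/rsconf.c 2023-02-17 12:00:49.881602881 +0100
@@ -33,9 +33,6 @@
 #include <sys/resource.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#ifdef ENABLE_LIBCAPNG
- #include <cap-ng.h>
-#endif
 
 #include "rsyslog.h"
 #include "obj.h"
@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void)
 uchar szBuf[1024];
 DEFiRet;
 
-#ifndef ENABLE_LIBCAPNG
+
 if(!ourConf->globals.gidDropPrivKeepSupplemental) {
 res = setgroups(0, NULL); /* remove all supplemental group IDs */
 if(res) {
@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void)
 "could not set requested group id: %s via setgid()", szBuf);
 ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
 }
-#else
- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
- res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
- if (res) {
- LogError(0, RS_RET_LIBCAPNG_ERR,
- "could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
- ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
- }
-#endif
 
 DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
 snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid)
 iUid, szBuf);
 }
 
-#ifndef ENABLE_LIBCAPNG
+
 res = setuid(iUid);
- // res = setuid(cnf->globals.uidDropPriv);
-#else
- int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
- res = capng_change_id(iUid, -1, capng_flags);
-#endif
 
 if(res) {
 /* if we can not set the userid, this is fatal, so let's unconditionally abort */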
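Review bot: With the `#else` branches removed in doDropPrivGid() and doDropPrivUid(), a build with ENABLE_LIBCAPNG now drops privileges through setgroups()/setgid()/setuid() only, and nothing in the hunks records why the capng_change_id() path was taken out. A short comment above `res = setuid(iUid);` would keep the next maintainer from re-adding it, e.g. `/* plain setuid() on purpose, also when built with libcap-ng: <reason for the revert> */`. The two `#ifndef ENABLE_LIBCAPNG` lines were replaced by an empty line rather than deleted, which leaves a doubled blank line before the setgroups() block and before the setuid() call. Both function bodies start and end outside the hunks shown.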
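diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
--- rsyslog-8.2102.0/tools/rsyslogd.c.orig 2023-02-17 11:52:00.011011019 +0100
+++ rsyslog-8.2102.0/tools/rsyslogd.c 2023-02-17 11:58:37.322491823 +0100
@@ -2161,9 +2161,9 @@ main(int argc, char **argv)
 CAP_LEASE,
 CAP_NET_ADMIN,
 CAP_NET_BIND_SERVICE,
- CAP_PERFMON,
 CAP_SETGID,
 CAP_SETUID,
+ CAP_DAC_OVERRIDE,
 CAP_SYS_ADMIN,
 CAP_SYS_CHROOT,
 CAP_SYS_RESOURCE,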
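Review bot: `CAP_DAC_OVERRIDE`, added to the retained list here, lets the process bypass file read, write and execute permission checks, which gives back much of what restricting the capability set is meant to take away from a daemon that handles files as root. If the need is only to read or traverse paths, `CAP_DAC_READ_SEARCH` is the narrower choice; otherwise a comment on the entry naming what requires it, e.g. `/* needed for <files or directories not accessible to root's own uid/gid> */`, would make the exception auditable. The entry also sits between `CAP_SETUID` and `CAP_SYS_ADMIN`, out of the alphabetical order the rest of the list appears to follow. The array and the rest of main() lie outside the hunk.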