I found out by trial and error that CAP_SYS_ADMIN is needed for access to /proc/kmsg.
I also found http://www.lids.org/lids-howto/node34.html which explains what the different capabilities enable, even though /proc/kmsg isn't mentioned under the cap_sys_admin capability.

Perhaps a link to this information in the vserver.conf file - so people know where to find info on the different capabilities? Or I could add it to the reducecap manpage, but then people have to find it first :-)

It seems enabling CAP_SYS_ADMIN is not exactly good, although it doesn't seem apparent to me that it gives any security issues (except for enabling the removal of swap and so on - which I of course do not like).

Any ideas why syslog_ng needs this, when normal syslog doesn't?

-----Forwarded Message-----
> From: Klavs Klavsen <[EMAIL PROTECTED]>
> To: VServer Mailinglist <[EMAIL PROTECTED]>
> Subject: capabilities required for access to /proc/kmsg?
> Date: 04 Nov 2002 14:25:16 +0100
>
> Hi guys,
>
> I'm trying to run a bynari insightserver (which runs in a chrooted
> gentoo installation) - and it runs its own syslog-ng which requires
> access to /proc/kmsg.
>
> I'm trying to figure out which capabilities are required for this to be
> allowed, and also what security implications granting this capability
> produce??
>
> Reason is I want to run insightserver under the vserver - with as little
> changes as possible. I already removed the mounting of /proc under the
> insightserver's chroot - so it is handled at vserver boottime.
>
>
> --
> Regards,
> Klavs Klavsen
>
> --------------| This mail has been sent to you by: |------------
> Klavs Klavsen - Open Source Consultant
> [EMAIL PROTECTED] - http://www.EnableIT.dk
>
> Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA
> Fingerprint = 2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62
> ----------------------------------------------------------------
> Open Source Software - Sometimes you get more than you paid for.

--
Regards,
Klavs Klavsen
