On Wed, 26 Sep 2012 16:57:10 +0000 Rainer Gerhards
<[email protected]> wrote:

> That's an excellent idea. V7 fully supports privilege dropping and
> has the necessary design to do it cleanly. With v6, that's also the
> case, but v6 is more or less meant for folks who want a (basically)
> v5 engine plus the new config language. I am working hard to mature
> v7, which will also include all the structured logging support that
> will become important. Some big users help with testing to get it
> stable quickly.

Picking up this old bug report:

I consider making use of some of the systemd hardening features:

http://0pointer.de/blog/projects/security.html

Some of the flags might be suitable shipping upstream, i.e.

[Service]
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
CapabilityBoundingSet=CAP_SYSLOG

The last one is tricky though, we might need more capabilities [1], e.g.
for binding interfaces. Would CAP_NET_BIND_SERVICE be sufficient or do
we need CAP_NET_ADMIN?

Rainer, do you know which capabilities [2] rsyslog needs, when it makes
use of all features?

Michael


[1]
http://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=
[2] http://man7.org/linux/man-pages/man7/capabilities.7.html
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to