From: Jonathan Nieder <jrnieder@gmail.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Gergely Nagy <algernon@balabit.hu>,
david@lang.hm, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Marc Koschewski <marc@osknowledge.org>,
lkml <linux-kernel@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Nick Bowler <nbowler@elliptictech.com>
Subject: [PATCH/RFC] cap_syslog: make CAP_SYS_ADMIN deprecation notice less alarming
Date: Wed, 3 Aug 2011 18:48:37 +0200
Message-ID: <20110803164837.GA2669@elie>
In-Reply-To: <AANLkTin-2uDkjPuSPmUE_HZdpxk9zd=Qop=nf==jsyLA@mail.gmail.com>

syslog-ng versions in active use assume that CAP_SYS_ADMIN is
sufficient to access syslog. As a result, ever since CAP_SYSLOG was
introduced in v2.6.38-rc1~429^2~18 (security: Define CAP_SYSLOG,
2010-11-25), they have triggered a warning, complete with kernel
backtrace.

v2.6.38-rc5~46 (cap_syslog: accept CAP_SYS_ADMIN for now, 2011-02-10)
made things a little better by removing the regression in behavior,
just keeping the WARN_ONCE. But still, this is a warning that adds
many lines to syslog, sets a taint flag, and alarms sysadmins when
nothing worse has happened than use of an old userspace with a recent
kernel.

Convert the WARN_ONCE to a printk_once to avoid this while continuing
to give userspace developers a hint that this is an unwanted
backward-compatibility feature and won't be around forever.

Reported-by: Ralf Hildebrandt <ralf.hildebrandt@charite.de>
Reported-by: Niels <zorglub_olsen@hotmail.com>
Reported-by: Paweł Sikora <pluto@agmk.net>
Liked-by: Gergely Nagy <algernon@madhouse-project.org>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
---
Hi,
Nothing urgent about this, but it seems to be a frequently[1] reported[2]
source of unnecessary worry. Thoughts?
[1] http://thread.gmane.org/gmane.linux.kernel/1145040
[2] http://thread.gmane.org/gmane.linux.kernel/1153808
Context: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=32;bug=636501
kernel/printk.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/kernel/printk.c b/kernel/printk.c
index 37dff342..db64c951 100644
--- a/kernel/printk.c
+++ b/kernel/printk.c
@@ -318,7 +318,8 @@ static int check_syslog_permissions(int type, bool from_file)
return 0;
/* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
if (capable(CAP_SYS_ADMIN)) {
- WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
+ printk_once(KERN_WARNING
+ "Attempt to access syslog with CAP_SYS_ADMIN "
"but no CAP_SYSLOG (deprecated).\n");
return 0;
}
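Review bot: The replacement message in the `capable(CAP_SYS_ADMIN)` branch has no format arguments, so it does not say which task triggered it. The WARN_ONCE dump being removed usually identified the caller alongside the backtrace; with printk_once firing only once per boot, an admin is left with a single line and no way to tell which daemon still relies on CAP_SYS_ADMIN. Consider prefixing the string with the task name and pid, for example `"%s (%d): Attempt to access syslog with CAP_SYS_ADMIN "` with `current->comm` and `task_pid_nr(current)` as arguments. The comment above the branch ("with a warning") stays accurate at KERN_WARNING, so it needs no change.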
--
1.7.6