> 2) Copies the dd-shovels-proc-kmsg-to-readable-location logic from sysklogd and adds a config value to change klog location
> * Allow reading /proc/kmsg when non-root
> - debian/rsyslog.init: Spawn a dd instance that shovels the /proc/kmsg
> data to a pipe that rsyslog can read (based on Martin Pitt's similar
> change to sysklogd).
Please, could this be reverted? This was an ugly hack that was used by sysklogd. It keeps another process running (dd) just copying data from one descriptor to another.
Rsyslog allows it to be run as root, set itself up, and then drop its privileges to another user. This is the same method that is used for at least three decades when processes should run as non-privileged users but still need to open some privileged files/ports (only at startup). Using dd to copy data from one pipe to another not only is unnecessary, it also adds another single point of failure.
> 2) Copies the dd-shovels- proc-kmsg- to-readable- location logic from sysklogd and adds a config value to change klog location
> * Allow reading /proc/kmsg when non-root rsyslog. init: Spawn a dd instance that shovels the /proc/kmsg
> - debian/
> data to a pipe that rsyslog can read (based on Martin Pitt's similar
> change to sysklogd).
Please, could this be reverted? This was an ugly hack that was used by sysklogd. It keeps another process running (dd) just copying data from one descriptor to another.
Rsyslog allows it to be run as root, set itself up, and then drop its privileges to another user. This is the same method that is used for at least three decades when processes should run as non-privileged users but still need to open some privileged files/ports (only at startup). Using dd to copy data from one pipe to another not only is unnecessary, it also adds another single point of failure.
http:// wiki.rsyslog. com/index. php/Security# Dropping_ Privileges
In short, set $PrivDropToUser and $PrivDropToGroup to the syslog user, and just run rsyslog as root.