summaryrefslogtreecommitdiffstats
path: root/source/configuration/droppriv.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 16:27:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 16:27:18 +0000
commitf7f20c3f5e0be02585741f5f54d198689ccd7866 (patch)
tree190d5e080f6cbcc40560b0ceaccfd883cb3faa01 /source/configuration/droppriv.rst
parentInitial commit. (diff)
downloadrsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.tar.xz
rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.zip
Adding upstream version 8.2402.0+dfsg.upstream/8.2402.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--source/configuration/droppriv.rst31
1 files changed, 31 insertions, 0 deletions
diff --git a/source/configuration/droppriv.rst b/source/configuration/droppriv.rst
new file mode 100644
index 0000000..8dc55a6
--- /dev/null
+++ b/source/configuration/droppriv.rst
@@ -0,0 +1,31 @@
+Dropping privileges in rsyslog
+==============================
+
+**Available since**: 4.1.1
+
+**Description**:
+
+Rsyslogd provides the ability to drop privileges by impersonating as
+another user and/or group after startup.
+
+Please note that due to POSIX standards, rsyslogd always needs to start
+up as root if there is a listener who must bind to a network port below
+1024. For example, the UDP listener usually needs to listen to 514 and
+therefore rsyslogd needs to start up as root.
+
+If you do not need this functionality, you can start rsyslog directly as
+an ordinary user. That is probably the safest way of operations.
+However, if a startup as root is required, you can use the
+$PrivDropToGroup and $PrivDropToUser config directives to specify a
+group and/or user that rsyslogd should drop to after initialization.
+Once this happens, the daemon runs without high privileges (depending,
+of course, on the permissions of the user account you specified).
+
+A special note for Docker and other container system users: user and
+group names are usually not fully mirrored into containers. As such,
+we strongly advise to use numerical IDs instead of user or group
+names when configuring privilege drop.
+
+Privilege drop is configured via the
+:doc:`global configuraton object<../rainerscript/global>` under the
+"`privilege.`" set of parameters.