author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 16:27:18 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 16:27:18 +0000 |
commit | f7f20c3f5e0be02585741f5f54d198689ccd7866 (patch) | |
tree | 190d5e080f6cbcc40560b0ceaccfd883cb3faa01 /source/configuration/droppriv.rst | |
parent | Initial commit. (diff) | |
download | rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.tar.xz rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.zip |
Adding upstream version 8.2402.0+dfsg.upstream/8.2402.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | source/configuration/droppriv.rst | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/source/configuration/droppriv.rst b/source/configuration/droppriv.rst new file mode 100644 index 0000000..8dc55a6 --- /dev/null +++ b/source/configuration/droppriv.rst @@ -0,0 +1,31 @@ +Dropping privileges in rsyslog +============================== + +**Available since**: 4.1.1 + +**Description**: + +Rsyslogd provides the ability to drop privileges by impersonating as +another user and/or group after startup. + +Please note that due to POSIX standards, rsyslogd always needs to start +up as root if there is a listener who must bind to a network port below +1024. For example, the UDP listener usually needs to listen to 514 and +therefore rsyslogd needs to start up as root. + +If you do not need this functionality, you can start rsyslog directly as +an ordinary user. That is probably the safest way of operations. +However, if a startup as root is required, you can use the +$PrivDropToGroup and $PrivDropToUser config directives to specify a +group and/or user that rsyslogd should drop to after initialization. +Once this happens, the daemon runs without high privileges (depending, +of course, on the permissions of the user account you specified). + +A special note for Docker and other container system users: user and +group names are usually not fully mirrored into containers. As such, +we strongly advise to use numerical IDs instead of user or group +names when configuring privilege drop. + +Privilege drop is configured via the +:doc:`global configuraton object<../rainerscript/global>` under the +"`privilege.`" set of parameters. |
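Review bot: the new file is internally inconsistent about how privilege drop is configured, and the Docker advice cannot be followed with the only directives it names. The middle paragraph points users at the legacy `$PrivDropToGroup` and `$PrivDropToUser` directives, which take a group/user name, while the closing paragraph says the feature is configured through the "`privilege.`" parameter set on the global object; the container paragraph then "strongly advise[s]" numerical IDs, but no ID-based directive or parameter is named anywhere in the text. Suggest naming the actual global-object parameters (including the numeric-ID variants) next to, or instead of, the legacy `$PrivDrop*` directives so the numeric-ID recommendation is actionable. Two wording fixes while here: `:doc:`global configuraton object<../rainerscript/global>`` has a typo in "configuraton" (the link text, not the target), and "impersonating as another user and/or group" should read "impersonating another user and/or group"; "the safest way of operations" reads better as "the safest mode of operation".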