Comment 34 for bug 407862

> Why do you create these files as root-owned in the first place? Why not
> create them with the right user? That is my primary point.

I agree. The logrotate.d file that rsyslog uses in Debian/Ubuntu should use the 'create' directive which says which user/group to create files as.

> Michael Biebl, the Debian Maintainer, suggested using capabilities to reduce
> this need. I will look into this, but other than that I agree.

I looked into this a bit. You'd need to use the CAP_SYS_ADMIN capability. Which is sort of a catch-all. It allows the program to do many, many root-y things [1]. Honestly, I'd prefer to have a root dd process (which is contained and pretty safe) feeding an unprivileged rsyslog than have an rsyslog with CAP_SYS_ADMIN.

[1] http://www.lids.org/lids-howto/node57.html