On Sun, 2005-01-23 at 22:03 +0100, Wolfgang Braun wrote:
On Tue, Jan 18, 2005 at 10:18:44AM -0600, Michael D. (Mick) Bauer wrote:
[..]
It worked for me through what I hope was thorough testing, but if I've gotten anything wrong, please let me know -- I've got an Errata website. [..]
One minor thing to consider:
If you use logrotate/newsyslog to rotate logfiles, things will break if you read from 514/udp/tcp or any other privileged sources (like /proc/kmsg on Linux) and send SIGHUP to syslog-ng to restart logfiles. Those resources are no longer available once you have dropped privileges and gone to jail.
/proc can be mounted inside the jail, so /proc/kmsg can be reopened while inside the jail. A possible solution for /dev/log is to create it inside the jail and make a symbolic link from outside pointing to inside. There are no problems with opening TCP/UDP sources inside the jail. -- Bazsi
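The jail layout the two replies above describe, as an added example that is not from the thread or from the syslog-ng project: the script creates the socket directory inside the jail, turns the host-side /dev/log into a symlink pointing into the jail, and (as root) mounts /proc under the jail so file("/proc/kmsg") can be reopened after SIGHUP. The jail path, the host socket path, the function names and the use of syslog-ng's chroot/user/group start-up options are assumptions for illustration; the source lines in the comments use the jail-relative paths syslog-ng sees after chroot.

```shell
#!/bin/sh
# Added example, not part of the original thread: lay out a chroot jail so
# that privileged sources (/dev/log, /proc/kmsg) can be reopened by syslog-ng
# after it has dropped privileges and chrooted, e.g. on the SIGHUP that
# logrotate sends after rotation.  All paths and names are assumptions.
#
# Assumed syslog-ng start-up (long options; 1.6.x spells them -C, -u, -g):
#   syslog-ng --chroot=/var/chroot/syslog-ng --user=syslog --group=syslog
# Assumed source block, with paths as seen from inside the jail:
#   source s_local { unix-dgram("/dev/log"); file("/proc/kmsg"); udp(); };
set -eu

# prepare_jail JAIL HOST_DEV_LOG
#   JAIL          directory syslog-ng chroots into (e.g. /var/chroot/syslog-ng)
#   HOST_DEV_LOG  path libc syslog() connects to on the host (normally /dev/log)
prepare_jail() {
    jail=$1
    host_dev_log=$2

    # Directories syslog-ng needs after chroot: the unix socket lives in
    # $jail/dev, /proc is mounted at $jail/proc (see mount_jail_proc), and
    # rotated log files are written below $jail/var/log.
    mkdir -p "$jail/dev" "$jail/proc" "$jail/var/log"

    # /dev/log has to be created *inside* the jail: once chrooted, syslog-ng
    # can only bind a unix socket to a path below $jail.  The host-side
    # /dev/log becomes a symlink into the jail so that unjailed processes
    # still reach the socket.  The link target is an absolute host path,
    # because it is resolved by the (unjailed) clients, not by syslog-ng.
    if [ -e "$host_dev_log" ] && [ ! -L "$host_dev_log" ]; then
        rm -f "$host_dev_log"   # stale socket left by a non-chrooted syslogd
    fi
    ln -sfn "$jail/dev/log" "$host_dev_log"
}

# mount_jail_proc JAIL
#   Mount /proc inside the jail so file("/proc/kmsg") can be reopened after
#   SIGHUP.  Needs root; kept separate so prepare_jail can run unprivileged.
mount_jail_proc() {
    jail=$1
    mountpoint -q "$jail/proc" || mount -t proc proc "$jail/proc"
}

# check_jail JAIL HOST_DEV_LOG
#   Succeeds (exit 0) when HOST_DEV_LOG is a symlink whose target is the
#   socket path inside JAIL, i.e. clients on the host will land in the jail.
check_jail() {
    jail=$1
    host_dev_log=$2
    [ -L "$host_dev_log" ] && [ "$(readlink "$host_dev_log")" = "$jail/dev/log" ]
}

# Usage as root:  sh jail.sh /var/chroot/syslog-ng /dev/log
if [ "$#" -eq 2 ]; then
    prepare_jail "$1" "$2"
    mount_jail_proc "$1"
    check_jail "$1" "$2"
fi
```

Keep the syslog-ng configuration file reachable under the jail as well (assumption, not stated in the thread): a re-read after chroot resolves its path relative to the jail root just like the sources do.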