Hi, again. I see now that I've missed at least three things needed in my chroot jail: /etc/syslog-ng/syslog-ng.conf, /dev/xconsole, and /dev/tty10. Any hints on the exact syntax one should use with mknod in creating xconsole & tty10?

Thanks,

Mick

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
Hi, all. In researching/writing the Syslog-ng coverage for the new edition of my book, I've encountered a total lack of published info, anywhere, on how to create a Syslog-ng chroot jail. So in the interests of seeding the FAQ (or at least Google), here's a procedure that works for me.
Naturally, anyone should feel free to correct anything I've gotten wrong! Any and all feedback is appreciated.
************************************************
How To Create A Chroot Jail For Syslog-ng 1.6x
************************************************
1. su to root if you're not root already
2. Create an unprivileged group-account for syslog-ng, e.g., by adding the following line to /etc/group:
syslogng:x:77:
3. Create an unprivileged system account for syslog-ng, e.g., via the following command:
useradd -d /var/syslog-ng-jail -g syslogng -r syslogng
(Note that in Linux, the "-r" flag tells useradd that this will be a system account, causing useradd to automatically set the account's shell to /bin/false and to choose an appropriately low value for its UID.)
4. Create the jail:
mkdir -p /var/syslog-ng-jail/var/log
(Our actual changed root will be /var/syslog-ng-jail, but we may as well create the var/log subdirectory at the same time)
5. At this point the whole jail should be owned by root:root, which is cool so long as the changed-root-directory itself (/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But syslog-ng *will* need to create/write files in the jail's var/log subdirectory, so we need to tweak the latter's group-ownership and -permissions, like so:
chgrp syslogng /var/syslog-ng-jail/var/log
chmod g+wx /var/syslog-ng-jail/var/log
6. That's it! We may now start syslog-ng like this:
syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng
The syslog-ng process will still read its config from /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...), but immediately after that it will chroot itself to the specified jail.
Note, however, that the paths you specify in syslog-ng.conf "file()" statements should all be relative to the changed root. E.g., use file("/var/log/messages"), *not* file("/var/syslog-ng-jail/var/log/messages"). Any path you specify in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended to it.
Naturally, there's nothing to stop you from dropping the "var/log/" subdirectory altogether and simply specifying, e.g., file("/messages") as a destination (resulting in things being written to /var/syslog-ng-jail/messages, a less unwieldy path).
*******
So far I haven't noticed that anything else needs to be added to the chroot jail (e.g., stuff from /dev or /etc), but if anyone knows differently please speak up!
Regards,

Mick
P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng manpage. After all, running anything in a chroot jail as root is futile, no? :-)
P.P.S. BTW, 1.6x rocks!
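The jail-building steps above, as an added example script that is not part of Mick's post or of the syslog-ng project: it assumes the jail root and the unprivileged group are passed as arguments, leaves the account creation of steps 2-3 to useradd as in the post, includes the two device nodes from the follow-up message (tty10 as a character device, xconsole as a named pipe, the conventional form on Linux), and adds a layout check a practitioner can run before starting syslog-ng in step 6.

```shell
#!/bin/sh
# Added example, not from the post. Builds the syslog-ng 1.6 jail tree from
# steps 4-5 and verifies the ownership/permission layout before step 6.
# Assumes the jail root and the unprivileged group are given as arguments;
# the group/user accounts of steps 2-3 are created with useradd as in the post.

# Steps 4-5: jail root stays rwxr-xr-x (other-executable), var/log gets
# group ownership and g+wx so syslog-ng can create its log files there.
build_jail_tree() {
    jail=$1; group=$2
    mkdir -p "$jail/var/log"
    chmod 755 "$jail"
    chgrp "$group" "$jail/var/log"
    chmod g+wx,o-w "$jail/var/log"
}

# Device nodes from the follow-up message. /dev/ttyN is a character device,
# major 4 minor N; /dev/xconsole is conventionally a named pipe (FIFO).
# The mknod for tty10 needs root (CAP_MKNOD).
build_jail_devices() {
    jail=$1; group=$2
    mkdir -p "$jail/dev"
    [ -c "$jail/dev/tty10" ] || mknod -m 620 "$jail/dev/tty10" c 4 10
    [ -p "$jail/dev/xconsole" ] || mkfifo -m 640 "$jail/dev/xconsole"
    chgrp "$group" "$jail/dev/tty10" "$jail/dev/xconsole"
}

# Returns 0 when the layout matches the procedure: jail root other-executable,
# var/log group-owned by <group>, group-writable and executable, and neither
# directory world-writable (a world-writable jail root defeats the point).
check_jail_layout() {
    jail=$1; group=$2
    [ -d "$jail" ] && [ -d "$jail/var/log" ] || return 1
    rootmode=$(ls -ld "$jail" | cut -c1-10)
    logmode=$(ls -ld "$jail/var/log" | cut -c1-10)
    loggroup=$(ls -ld "$jail/var/log" | awk '{print $4}')
    case $rootmode in ????????-[xt]) ;; *) return 1 ;; esac   # o+x, not o+w
    case $logmode in ?????w[xs]?-?) ;; *) return 1 ;; esac     # g+wx, not o+w
    [ "$loggroup" = "$group" ]
}

# Usage (as root): sh mkjail.sh /var/syslog-ng-jail syslogng
if [ "$#" -eq 2 ]; then
    build_jail_tree "$1" "$2"
    build_jail_devices "$1" "$2"
    check_jail_layout "$1" "$2" && echo "jail layout OK: $1"
fi
```

After the script reports OK, step 6 applies unchanged: syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng.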