Hi, Nate et al. (No problem blasting this to the whole list -- my procedure is for everyone's benefit/review/amusement :-)

Here's the version that just went to press in the 2nd edition of my book (re-titled "Linux Server Security, 2nd Edition"). It worked for me through what I hope was thorough testing, but if I've gotten anything wrong, please let me know -- I've got an Errata website.

Regards to all,
Mick

*****

Building a chroot jail for Syslog-ng

To set up a nonprivileged account, a nonprivileged group, and a chroot jail for Syslog-ng, follow this procedure:

1. su to root if you're not root already.

2. Create an unprivileged group-account for Syslog-ng, e.g., by adding the following line to /etc/group:

    syslogng:x:77:

3. Create an unprivileged system account for syslog-ng, e.g., via the following command:

    bash-# useradd -d /var/logjail -g syslogng -r syslogng

   (Note that in Linux, the "-r" flag tells useradd that this will be a system account, causing useradd to automatically set the account's shell to /bin/false and to choose an appropriately low value for its UID.)

4. Create the jail:

    bash-# mkdir -p /var/logjail/var/log
    bash-# mkdir -p /var/logjail/etc/syslog-ng
    bash-# mkdir /var/logjail/dev
    bash-# mkdir /var/logjail/lib

   (Our actual changed root will be /var/logjail, but it needs to contain some subdirectories.)

5. Move syslog-ng.conf into the jail, and turn its old location into a symbolic link:

    bash-# cd /etc/syslog-ng
    bash-# mv ./syslog-ng.conf /var/logjail/etc/syslog-ng
    bash-# ln -s /var/logjail/etc/syslog-ng/syslog-ng.conf \
             syslog-ng.conf

6. Create jailed /dev/xconsole and /dev/tty10 devices:

    bash-# cd /var/logjail/dev
    bash-# mknod -m 0660 xconsole p
    bash-# mknod -m 0660 tty10 c 4 10
    bash-# chgrp syslogng ./xconsole ./tty10

7. Copy some things:

    bash-# cp /etc/localtime /var/logjail/etc
    bash-# cp /etc/nsswitch.conf /var/logjail/etc
    bash-# cp /etc/resolv.conf /var/logjail/etc
    bash-# grep syslogng /etc/passwd > /var/logjail/etc/passwd
    bash-# grep syslogng /etc/group > /var/logjail/etc/group
    bash-# cp /lib/libnss.so.2 /var/logjail/lib

8. At this point the whole jail should be owned by the user root and the group root, which is cool so long as the chroot directory itself (/var/logjail/) is "other-executable," e.g., drwxr-xr-x. But Syslog-ng must be able to create/write files in the jail's var/log/ subdirectory, so we need to tweak the latter's group-ownership and -permissions, like so:

    bash-# chgrp syslogng /var/logjail/var/log
    bash-# chmod g+wx /var/logjail/var/log

9. That's it! We may now start Syslog-ng with the flags

    -C /var/logjail -u syslogng -g syslogng

   The master syslog-ng process will still read its config from /etc/syslog-ng/syslog-ng.conf (not /var/logjail/etc/...), but immediately after that it will chroot itself to the specified jail. Note, however, that the paths you specify in syslog-ng.conf "file()" statements should all be relative to the changed root. In other words, use file("/var/log/messages"), not file("/var/logjail/var/log/messages"). Any path you specify in syslog-ng.conf will, in practical terms, end up with /var/logjail automatically prepended to it.

*****
Hello Mick,
If you have another version of this you'd like me to post, let me know. I'm in a FAQ updating mood (I'm supposed to be writing my book so for some reason this has my attention instead, man I'm lame).
On Mon, Aug 16, 2004 at 12:55:30PM -0500, Michael D. (Mick) Bauer wrote:
Thanks! I'll post a revised procedure later this week -- replies have been trickling in.
Cheers, Mick
On Sun, 15 Aug 2004 14:21:27 -0500 (CDT) "Michael D. (Mick) Bauer" <darth.elmo@wiremonkeys.org> wrote:
So far I haven't noticed that anything else needs to be added to the chroot jail (e.g., stuff from /dev or /etc), but if anyone knows differently please speak up!
Mick,
It's been a while since I last set up syslog-ng in a chroot jail, but according to my notes I did the following on a recent Linux box:
o copied the following files to /path/to/chroot/lib:
libnss_dns.so.2 libnss_files.so.2 libresolv.so.2 libnsl.so.2 libc.so.6 ld-linux.so.2
the first of which seemed to be the one actually required for correct operation in my case. I believe the others were just referenced libraries, but not actually called.
o copied the following to /path/to/chroot/etc
nsswitch.conf resolv.conf `grep syslogng passwd` `grep syslogng group`
the last two being whatever user/group you used to run syslog-ng as.
John

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
-- Nate
God does not play dice. -- Einstein