Hi,

On Fri, 2011-09-16 at 11:02 +0100, Dave Haywood wrote:
> Hi,
>
> I have compiled syslog-ng 3.3.0beta2 under RHEL AS 4.8 (don't ask) and am having a possible chroot() issue.
>
> syslog-ng is running chroot as a non-root user. All the build libraries etc. (there were a lot to get this to run under RHEL 4.8) are under /usr/local.
>
> I already run syslog-ng 2.0.9 under RHEL AS 4.9.
>
> I am seeing differences between the 2.0.9 and 3.3.0b2 releases. The differences with 3.3.0b2 are:
>
> 1) The daemon seems to switch user *before* binding the network interfaces. This means I can't bind to TCP/UDP ports < 1024.
Yes, that was changed in 3.0 a couple of years ago, because this way SIGHUP couldn't work (no files in the chrooted directory). The alternative to do this is to enable capability management (e.g. --enable-linux-caps) and supply the necessary capability to the non-root daemon. The defaults should work.
> 2) The daemon chroot()s before loading the syslog-ng.conf file. This means I have to mount the config dir under the chroot() dir.
That's right.
> So, my questions are:
>
> 1) Is the behaviour I describe in 3.3.0b2 intentional, or could this be a problem with my environment?
> 2) Why has the behaviour changed in this way?
> 3) If the daemon were to:
>    - read the config file
>    - bind the network interfaces
>    as root *before* dropping privilege and doing the chroot(), couldn't a lot of the chroot() hassle (below) be avoided?
>
> I have 3.3.0b2 running chroot(), but only by:
>
>   mount -o bind /lib /chrootdir/lib
>   mount -o bind /usr/local /chrootdir/usr/local
>   mount -o bind /dev /chrootdir/dev
>
> and changing the syslog-ng.conf TCP/UDP listen ports to be > 1024.
-- Bazsi
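The capability-based approach Bazsi points at, shown as a stand-alone added example (this is not syslog-ng's own code; syslog-ng implements it with libcap when built with --enable-linux-caps). The program chroot()s while still root, calls setuid() with PR_SET_KEEPCAPS so the permitted set survives the uid change, then uses capset() to keep only CAP_NET_BIND_SERVICE effective, and finally binds udp/514 as the unprivileged user. Because the capability stays with the process, the same bind can be repeated after a SIGHUP config reload, which is exactly what binding once as root before dropping privileges cannot do. The chroot path /chrootdir and uid/gid 65534 are assumptions; the capability ABI constants mirror <linux/capability.h> so the example builds without libcap or kernel headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>

/* Kernel capability ABI, copied from <linux/capability.h> so this builds
 * without libcap or kernel headers. */
#define CAP_VERSION_3        0x20080522u   /* _LINUX_CAPABILITY_VERSION_3 */
#define CAP_NET_BIND_SERVICE 10            /* bind to ports below 1024   */

struct cap_header { uint32_t version; int pid; };
struct cap_data   { uint32_t effective, permitted, inheritable; };

/* Version-3 capability sets are two 32-bit words; cap N lives in word N/32. */
int cap_index(int cap) { return cap / 32; }
uint32_t cap_mask(int cap) { return 1u << (cap % 32); }

/* Build a capset() payload holding exactly one capability in the permitted
 * and effective sets. The inheritable set stays empty so nothing the daemon
 * might exec() inherits it. */
void single_cap_payload(struct cap_data data[2], int cap)
{
    memset(data, 0, 2 * sizeof(data[0]));
    data[cap_index(cap)].permitted = cap_mask(cap);
    data[cap_index(cap)].effective = cap_mask(cap);
}

/* Order matters: chroot() needs CAP_SYS_CHROOT, so it runs while still root.
 * PR_SET_KEEPCAPS makes setuid() keep the permitted set (the effective set
 * is still cleared on leaving uid 0), and capset() then re-enables only
 * CAP_NET_BIND_SERVICE. Returns 0 on success, -1 with errno set on failure. */
int chroot_and_drop_privileges(const char *newroot, uid_t uid, gid_t gid)
{
    struct cap_header hdr = { CAP_VERSION_3, 0 };
    struct cap_data data[2];

    if (chroot(newroot) < 0 || chdir("/") < 0)
        return -1;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    /* Drop supplementary groups first; forgetting this is a classic bug. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    single_cap_payload(data, CAP_NET_BIND_SERVICE);
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

/* Bind a UDP listener on all interfaces. Returns the socket, or -1 with
 * errno EACCES when port < 1024 and the caller lacks CAP_NET_BIND_SERVICE. */
int bind_udp(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Assumed chroot directory and unprivileged uid/gid (nobody/nogroup). */
    const char *newroot = argc > 1 ? argv[1] : "/chrootdir";
    uid_t uid = 65534;
    gid_t gid = 65534;

    if (geteuid() != 0) {
        fprintf(stderr, "start as root: chroot() and KEEPCAPS need uid 0\n");
        return 1;
    }
    if (chroot_and_drop_privileges(newroot, uid, gid) < 0) {
        perror("chroot_and_drop_privileges");
        return 1;
    }
    /* uid is now 65534, yet this succeeds, and would succeed again on a
     * SIGHUP-driven rebind, unlike a bind-before-setuid design. */
    int fd = bind_udp(514);
    if (fd < 0) {
        perror("bind udp/514");
        return 1;
    }
    printf("listening on udp/514 as uid %u\n", (unsigned)getuid());
    close(fd);
    return 0;
}
```

Run it as root with the chroot directory as the first argument; run it a second time as a non-root user to see bind() fail with EACCES, which is the symptom reported above. Two practitioner notes on the thread's workaround: reading the config before chroot() would not remove the need for the capability, since SIGHUP must be able to re-bind sockets later in the non-root process; and bind-mounting whole trees such as /lib, /usr/local and /dev into the chroot gives the confined daemon far more than it needs, so copying just the libraries and device nodes it uses keeps the chroot meaningful.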