Do an ls -la on the files to see the major and minor number and the type,
and then:

SYNOPSIS
     mknod name b major minor
     mknod name c major minor
     mknod name p

DESCRIPTION
     mknod makes a directory entry for a special file.

OPTIONS
     The following options are supported:

     b     Create a block-type special file.
     c     Create a character-type special file.
     p     Create a FIFO (named pipe).

Regards,
L. Jankok

On 0, "Michael D. (Mick) Bauer" <darth.elmo@wiremonkeys.org> wrote:
:Hi, again. I see now that I've missed at least three things needed
:in my chroot jail: /etc/syslog-ng/syslog-ng.conf, /dev/xconsole, and
:/dev/tty10.
:
:Any hints on the exact syntax one should use with mknod in creating
:xconsole & tty10?
:
:Thanks,
:Mick
:
:/-------------------------------------------------\
:| Michael D. (Mick) Bauer                         |
:| Security Editor, Linux Journal                  |
:| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
:\-------------------------------------------------/
:
:> Hi, all. In researching/writing the Syslog-ng coverage for the new
:> edition of my book, I've encountered a total lack of published
:> info, anywhere, on how to create a Syslog-ng chroot jail. So in
:> the interests of seeding the FAQ (or at least Google), here's a
:> procedure that works for me.
:>
:> Naturally, anyone should feel free to correct anything I've gotten
:> wrong! Any and all feedback is appreciated.
:>
:> ************************************************
:> How To Create A Chroot Jail For Syslog-ng 1.6x
:> ************************************************
:>
:> 1. su to root if you're not root already
:>
:> 2. Create an unprivileged group-account for syslog-ng, e.g., by
:> adding the following line to /etc/group:
:>
:>    syslogng:x:77:
:>
:> 3. Create an unprivileged system account for syslog-ng, e.g., via
:> the following command:
:>
:>    useradd -d /var/syslog-ng-jail -g syslogng -r syslogng
:>
:> (Note that in Linux, the "-r" flag tells useradd that this will be
:> a system account, causing useradd to automatically set the
:> account's shell to /bin/false and to choose an appropriately low
:> value for its UID.)
:>
:> 4. Create the jail:
:>
:>    mkdir -p /var/syslog-ng-jail/var/log
:>
:> (Our actual changed root will be /var/syslog-ng-jail, but we may
:> as well create the var/log subdirectory at the same time)
:>
:> 5. At this point the whole jail should be owned by root:root,
:> which is cool so long as the changed-root-directory itself
:> (/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But
:> syslog-ng *will* need to create/write files in the jail's var/log
:> subdirectory, so we need to tweak the latter's group-ownership and
:> -permissions, like so:
:>
:>    chgrp syslogng /var/syslog-ng-jail/var/log
:>    chmod g+wx /var/syslog-ng-jail/var/log
:>
:> 6. That's it! We may now start syslog-ng like this:
:>
:>    syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng
:>
:> The syslog-ng process will still read its config from
:> /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...),
:> but immediately after that it will chroot itself to the specified
:> jail.
:>
:> Note, however, that the paths you specify in syslog-ng.conf
:> "file()" statements should all be relative to the changed root.
:> E.g., use
:>    file("/var/log/messages"), *not*
:>    file("/var/syslog-ng-jail/var/log/messages"). Any path you specify
:> in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended
:> to it.
:>
:> Naturally, there's nothing to stop you from dropping the
:> "var/log/" subdirectory altogether, and simply specify, e.g.,
:> file("/messages") as a destination (resulting in things being
:> written to /var/syslog-ng-jail/messages, a less unwieldy path).
:>
:> *******
:>
:> So far I haven't noticed that anything else needs to be added to
:> the chroot jail (e.g., stuff from /dev or /etc), but if anyone
:> knows differently please speak up!
:>
:> Regards,
:> Mick
:>
:> P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng
:> manpage. After all, running anything in a chroot jail as root is
:> futile, no? :-)
:>
:> P.P.S. BTW, 1.6x rocks!
:
:_______________________________________________
:syslog-ng maillist - syslog-ng@lists.balabit.hu
:https://lists.balabit.hu/mailman/listinfo/syslog-ng
:Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
:
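
Added example, not part of the thread: the reply's advice (read the type and the major/minor numbers from ls, then call mknod) written as a POSIX shell function that prints the mknod command for recreating a host node inside the jail. The function name mknod_cmd_for is hypothetical, and the code assumes ls -ldn prints device numbers as "major, minor" in fields 5 and 6, as GNU ls does.

```shell
#!/bin/sh
# Added example (not from the thread). mknod_cmd_for is a hypothetical helper.
# It inspects an existing special file and prints, without running it, the
# mknod command that recreates the same node under a chroot jail.
#
# Usage: mknod_cmd_for SRC JAIL
#   e.g. mknod_cmd_for /dev/tty10 /var/syslog-ng-jail
mknod_cmd_for() {
    src=$1
    jail=$2

    # -d: describe the node itself; -n: numeric uid/gid keeps field positions
    # stable. Field 1 is the mode string, whose first character is the type.
    # For device nodes, field 5 is "major," and field 6 is the minor number.
    info=$(ls -ldn -- "$src" |
        awk '{ sub(/,$/, "", $5); print substr($1, 1, 1), $5, $6 }')
    [ -n "$info" ] || return 1

    read -r type major minor <<EOF
$info
EOF

    case $type in
        b|c)
            # Block or character device: type plus major and minor numbers.
            echo "mknod $jail$src $type $major $minor"
            ;;
        p)
            # FIFO (named pipe): no device numbers.
            echo "mknod $jail$src p"
            ;;
        *)
            echo "$src: not a block, character or FIFO special file" >&2
            return 2
            ;;
    esac
}
```

Run the printed command as root after creating the jail's dev directory, then check the new node with ls -la against the original.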