On Thu, Nov 07, 2002 at 02:25:44PM +0100, Guillaume LACHENAL wrote:
from http://www.campin.net/syslog-ng/faq.html
As /proc/kmsg and /dev/log are outside the jail, is there a way to do the same thing with a chrooted syslog-ng?
Configuration initialization is performed prior to chroot-ing, so syslog-ng first opens the necessary devices, and then chroots itself. You cannot restart the daemon though, unless you do the following:

- mount /proc under the chroot jail as well (can be mounted multiple times)
- create a symlink in /dev/log to /chroot/dev/log

then instead of using syslog-ng's own chroot feature, use the chroot command, so the config initialization is performed _inside_ the jail.

These have drawbacks as well:

- you need libc and other libs in the jail (while when starting from outside, these are mapped from the system at startup)
- /proc might provide too much information inside the jail

so you might as well run syslog-ng outside the jail ;)

The latter problem can be solved by restricting /proc access with a patch like openwall, and I might provide a patch for the first, to chroot first, and then initialize.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
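The restartable setup described in the reply above (jail-side /proc, the /dev/log symlink, the external chroot command, and the libraries the jail then needs), as an added shell example that is not part of the original message or of syslog-ng itself. The jail path, the binary and config paths, and all function names are assumptions; privileged steps are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example; paths and helper names are assumptions, not syslog-ng defaults.
# DRY_RUN=1 (default) prints the privileged commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Absolute paths of the shared objects a binary is linked against.
# Empty output for a static binary or when ldd is unavailable.
jail_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Copy a binary and its libraries into the jail, keeping their paths.
# Needed because an external chroot resolves libs inside the jail.
stage_binary() {
    jail=$1; bin=$2
    for f in "$bin" $(jail_libs "$bin"); do
        mkdir -p "$jail$(dirname "$f")"
        cp -L "$f" "$jail$f"
    done
}

# Privileged steps from the reply, in order. $3 is the config path as seen
# from inside the jail, since initialization now happens after the chroot.
jail_plan() {
    jail=$1; bin=$2; conf=$3
    run mkdir -p "$jail/proc" "$jail/dev"
    # Second mount of /proc so /proc/kmsg can be reopened on restart.
    # This exposes all of /proc to the jailed process.
    run mount -t proc proc "$jail/proc"
    # Host clients keep writing to /dev/log; the socket itself is created
    # by the jailed daemon at $jail/dev/log.
    run ln -sf "$jail/dev/log" /dev/log
    run chroot "$jail" "$bin" -f "$conf"
}
```

Typical use as root: `stage_binary /chroot/syslog-ng /sbin/syslog-ng`, review the output of `jail_plan /chroot/syslog-ng /sbin/syslog-ng /etc/syslog-ng.conf`, then rerun it with `DRY_RUN=0`.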