Hi, all.

In researching/writing the Syslog-ng coverage for the new edition of my book, I've encountered a total lack of published info, anywhere, on how to create a Syslog-ng chroot jail. So in the interests of seeding the FAQ (or at least Google), here's a procedure that works for me. Naturally, anyone should feel free to correct anything I've gotten wrong! Any and all feedback is appreciated.

************************************************
How To Create A Chroot Jail For Syslog-ng 1.6x
************************************************

1. su to root if you're not root already.

2. Create an unprivileged group-account for syslog-ng, e.g., by adding the following line to /etc/group:

   syslogng:x:77:

3. Create an unprivileged system account for syslog-ng, e.g., via the following command:

   useradd -d /var/syslog-ng-jail -g syslogng -r syslogng

   (Note that in Linux, the "-r" flag tells useradd that this will be a system account, causing useradd to automatically set the account's shell to /bin/false and to choose an appropriately low value for its UID.)

4. Create the jail:

   mkdir -p /var/syslog-ng-jail/var/log

   (Our actual changed root will be /var/syslog-ng-jail, but we may as well create the var/log subdirectory at the same time.)

5. At this point the whole jail should be owned by root:root, which is cool so long as the changed-root directory itself (/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But syslog-ng *will* need to create/write files in the jail's var/log subdirectory, so we need to tweak the latter's group-ownership and -permissions, like so:

   chgrp syslogng /var/syslog-ng-jail/var/log
   chmod g+wx /var/syslog-ng-jail/var/log

6. That's it! We may now start syslog-ng like this:

   syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng

   The syslog-ng process will still read its config from /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...), but immediately after that it will chroot itself to the specified jail.

Note, however, that the paths you specify in syslog-ng.conf "file()" statements should all be relative to the changed root. E.g., use file("/var/log/messages"), *not* file("/var/syslog-ng-jail/var/log/messages"). Any path you specify in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended to it. Naturally, there's nothing to stop you from dropping the "var/log/" subdirectory altogether and simply specifying, e.g., file("/messages") as a destination (resulting in things being written to /var/syslog-ng-jail/messages, a less unwieldy path).

*******

So far I haven't noticed that anything else needs to be added to the chroot jail (e.g., stuff from /dev or /etc), but if anyone knows differently please speak up!

Regards,

Mick

P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng manpage. After all, running anything in a chroot jail as root is futile, no? :-)

P.P.S. BTW, 1.6x rocks!

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
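The following script is an added example, not code from Mick's post or from the syslog-ng project. It turns steps 4 and 5 of the procedure above into a function, adds a check that the jail meets the two permission requirements the post states (jail root other-executable, var/log group-owned and group-writable by the syslog-ng group), and lints a syslog-ng.conf for file() destinations that wrongly carry the jail prefix. Steps 2 and 3 (creating the group and the system account) are left to useradd as in the post. Assumptions: Linux with GNU coreutils (stat -c); the JAIL, SYSLOGNG_USER and SYSLOGNG_GROUP variables are parameters whose defaults are the post's values; the config fragment written by write_sample_conf is constructed sample input, not a real config.

```sh
#!/bin/sh
# Added example (not from the original post): build a syslog-ng 1.6 chroot
# jail laid out as the post describes, verify its permissions, and lint a
# syslog-ng.conf for file() paths that wrongly include the jail prefix.
# Assumes GNU coreutils (stat -c) on Linux. JAIL, SYSLOGNG_USER and
# SYSLOGNG_GROUP are parameters; the defaults are the post's values.
JAIL="${JAIL:-/var/syslog-ng-jail}"
SYSLOGNG_USER="${SYSLOGNG_USER:-syslogng}"
SYSLOGNG_GROUP="${SYSLOGNG_GROUP:-syslogng}"

# make_jail JAIL GROUP: steps 4 and 5 of the post. The jail root stays
# owned by whoever runs this and is other-executable; only var/log is
# handed to the syslog-ng group and made group-writable.
make_jail() {
    jail="$1"; group="$2"
    mkdir -p "$jail/var/log"
    chmod 755 "$jail"
    chgrp "$group" "$jail/var/log"
    chmod g+wx "$jail/var/log"
}

# check_jail JAIL GROUP: return 0 if the jail meets the post's two
# requirements, 1 otherwise (each problem is reported on stderr).
check_jail() {
    jail="$1"; group="$2"; rc=0
    logdir="$jail/var/log"
    if [ ! -d "$logdir" ]; then
        echo "missing $logdir" >&2
        return 1
    fi
    rootmode=$(stat -c %a "$jail")          # e.g. 755; 0$rootmode is octal
    if [ $(( 0$rootmode & 01 )) -eq 0 ]; then
        echo "$jail is not other-executable (mode $rootmode)" >&2; rc=1
    fi
    if [ "$(stat -c %G "$logdir")" != "$group" ]; then
        echo "$logdir is not group-owned by $group" >&2; rc=1
    fi
    logmode=$(stat -c %a "$logdir")
    if [ $(( 0$logmode & 030 )) -ne 24 ]; then  # 030 octal = 24: group w+x
        echo "$logdir lacks group w+x (mode $logmode)" >&2; rc=1
    fi
    return $rc
}

# lint_conf CONF JAIL: file() paths must be relative to the changed root,
# so any file("JAIL/...") is a mistake (it would land in JAIL/JAIL/...).
# Return 0 if clean, 1 if offending lines were found (they are printed).
lint_conf() {
    conf="$1"; jail="$2"
    if grep -n "file(\"$jail/" "$conf"; then
        return 1
    fi
    return 0
}

# write_sample_conf FILE: a constructed syslog-ng.conf fragment with one
# correct and one wrong destination path (sample input, not a real config).
write_sample_conf() {
    cat > "$1" <<'EOF'
source s_int { internal(); };
destination d_messages { file("/var/log/messages"); };
destination d_wrong    { file("/var/syslog-ng-jail/var/log/messages"); };
log { source(s_int); destination(d_messages); };
EOF
}

# Stand-alone use, as root, after steps 2 and 3 of the post:
#   sh jail.sh build
if [ "${1:-}" = "build" ]; then
    make_jail "$JAIL" "$SYSLOGNG_GROUP"
    check_jail "$JAIL" "$SYSLOGNG_GROUP"
    echo "jail ready; start syslog-ng with:"
    echo "  syslog-ng -C $JAIL -u $SYSLOGNG_USER -g $SYSLOGNG_GROUP"
fi
```

check_jail tests the mode bits rather than the caller's own access (root can traverse anything, so "test -x" would prove nothing when run as root), and lint_conf is worth running against /etc/syslog-ng/syslog-ng.conf before the first "-C" start, since a prefixed path fails only once syslog-ng has already chrooted.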