On Mon, 2005-01-24 at 11:19 +0100, Wolfgang Braun wrote:
> On Mon, Jan 24, 2005 at 10:04:28AM +0100, Balazs Scheidler wrote:
> > On Sun, 2005-01-23 at 22:03 +0100, Wolfgang Braun wrote:
> > > If you use logrotate/newsyslog to rotate logfiles, things will break if you read from 514/udp/tcp or any other privileged sources (like /proc/kmsg on Linux) and send SIGHUP to syslog-ng to restart logfiles. Those resources are no longer available once you dropped privileges and went to jail.
> > /proc can be mounted inside the jail, so /proc/kmsg can be reopened while inside the jail.
> Good point, didn't think of that.
> > A possible solution for /dev/log is to create it inside the jail and make a symbolic link from outside pointing to inside.
> > There are no problems with opening TCP/UDP sources inside the jail.
> Not with the jail itself, but I cannot bind 514 when I dropped root privileges.
You can use restrict to give CAP_SYS_BIND capability to the syslog-ng process (see http://www.balabit.com/downloads/restrict/) so you can bind to port 514 though otherwise not running as root.
-- 
Bazsi
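The capability route Bazsi describes, as an added example that is not code from the thread, from restrict or from syslog-ng: a C sketch of how a daemon on Linux keeps only the bind-low-port capability (named CAP_NET_BIND_SERVICE in the kernel) across the drop from root, so it can still open 514/udp after entering the jail and giving up uid 0. The jail path and uid/gid 65534 are placeholders; the raw capset syscall is used so no libcap is needed, and the program only does anything real when started as root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <linux/capability.h>
/* Drop from root to uid/gid but keep CAP_NET_BIND_SERVICE; 0 on success, -1 (errno set) otherwise. */
int drop_to_uid_keeping_bind_cap(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    __u32 bit = 1u << CAP_NET_BIND_SERVICE;   /* capability 10 lives in word 0 */
    /* Without KEEPCAPS, setuid() away from uid 0 clears the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    /* setuid() emptied the effective set; re-enable only the one bit we need. */
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = bit;
    if (syscall(SYS_capset, &hdr, data) == -1) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

/* UDP listener on all interfaces; fd or -1 with errno set. Ports < 1024 need root or the capability. */
int bind_udp_port(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == -1) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

int main(void)
{
    /* Order: enter the jail (placeholder path) while still root, drop privileges, then bind. */
    if (chdir("/var/jail/syslog-ng") == -1 || chroot(".") == -1) { perror("chroot"); return 1; }
    if (drop_to_uid_keeping_bind_cap(65534, 65534) == -1) { perror("drop privileges"); return 1; }
    if (bind_udp_port(514) == -1) { perror("bind 514/udp"); return 1; }
    printf("514/udp bound as uid %d\n", (int)getuid());
    return 0;
}
```

If the bind still fails after the drop, the usual cause is the effective set being empty: capset must run after setuid(), not before.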