Is there any work in allowing syslog-ng to: a) change its uid and gids to non-root after is has started and opened the appropriate inputs. b) chroot itself after it has started an opened the appropriate inputs. (a) is simple to implement. (b) requires a little more thought. e.g. it should be smart enough to know that if a destination file is under /var/log/logfiles/$DAY if it chroots to /var/log it should try to open /logfiles/$DAY and not /var/log/logfiles/$DAY. -- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Hi, Nice to see you here :)
Is there any work in allowing syslog-ng to:
a) change its uid and gids to non-root after is has started and opened the appropriate inputs.
It's possible, and really easy to implement, but may cause problems when syslog-ng is restarted.
b) chroot itself after it has started an opened the appropriate inputs.
Again may cause problems upon restart, because the path of the config file is changed as well.
(a) is simple to implement. (b) requires a little more thought. e.g. it should be smart enough to know that if a destination file is under /var/log/logfiles/$DAY if it chroots to /var/log it should try to open /logfiles/$DAY and not /var/log/logfiles/$DAY.
I think if you request a chroot() in the configuration file, the logfile paths will be relative to that root. (they are opened after the jail has been established), e.g.: options { chroot("/jails/syslog"); }; destination all { file("/log/messages"); }; Hmm... I see another problem, /dev/log should be opened before chroot, files should be opened after chroot. Currently configuration reading takes two steps: 1) read and syntactically check, 2) initialize (open files, pipes, sockets etc) -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1 url: http://www.balabit.hu/pgpkey.txt
participants (2)
-
Aleph One
-
Balazs Scheidler