FAQ-seeding: chroot jail procedure for Syslog-ng
Hi, all. In researching/writing the Syslog-ng coverage for the new edition of my book, I've encountered a total lack of published info, anywhere, on how to create a Syslog-ng chroot jail. So in the interests of seeding the FAQ (or at least Google), here's a procedure that works for me.

Naturally, anyone should feel free to correct anything I've gotten wrong! Any and all feedback is appreciated.

************************************************
How To Create A Chroot Jail For Syslog-ng 1.6x
************************************************

1. su to root if you're not root already

2. Create an unprivileged group-account for syslog-ng, e.g., by adding the following line to /etc/group:

syslogng:x:77:

3. Create an unprivileged system account for syslog-ng, e.g., via the following command:

useradd -d /var/syslog-ng-jail -g syslogng -r syslogng

(Note that in Linux, the "-r" flag tells useradd that this will be a system account, causing useradd to automatically set the account's shell to /bin/false and to choose an appropriately low value for its UID.)

4. Create the jail:

mkdir -p /var/syslog-ng-jail/var/log

(Our actual changed root will be /var/syslog-ng-jail, but we may as well create the var/log subdirectory at the same time.)

5. At this point the whole jail should be owned by root:root, which is cool so long as the changed-root-directory itself (/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But syslog-ng *will* need to create/write files in the jail's var/log subdirectory, so we need to tweak the latter's group-ownership and -permissions, like so:

chgrp syslogng /var/syslog-ng-jail/var/log
chmod g+wx /var/syslog-ng-jail/var/log

6. That's it! We may now start syslog-ng like this:

syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng

The syslog-ng process will still read its config from /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...), but immediately after that it will chroot itself to the specified jail.

Note, however, that the paths you specify in syslog-ng.conf "file()" statements should all be relative to the changed root. E.g., use file("/var/log/messages"), *not* file("/var/syslog-ng-jail/var/log/messages"). Any path you specify in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended to it.

Naturally, there's nothing to stop you from dropping the "var/log/" subdirectory altogether, and simply specifying, e.g., file("/messages") as a destination (resulting in things being written to /var/syslog-ng-jail/messages, a less unwieldy path).

*******

So far I haven't noticed that anything else needs to be added to the chroot jail (e.g., stuff from /dev or /etc), but if anyone knows differently please speak up!

Regards,
Mick

P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng manpage. After all, running anything in a chroot jail as root is futile, no? :-)

P.P.S. BTW, 1.6x rocks!

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
Hi, again. I see now that I've missed at least three things needed in my chroot jail: /etc/syslog-ng/syslog-ng.conf, /dev/xconsole, and /dev/tty10.

Any hints on the exact syntax one should use with mknod in creating xconsole & tty10?

Thanks,
Mick

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
Do an ls -la on the files to see the major and minor number and the type, and then:

SYNOPSIS
    mknod name b major minor
    mknod name c major minor
    mknod name p

DESCRIPTION
    mknod makes a directory entry for a special file.

OPTIONS
    The following options are supported:
    b    Create a block-type special file.
    c    Create a character-type special file.
    p    Create a FIFO (named pipe).

Regards,
L. Jankok

On 0, "Michael D. (Mick) Bauer" <darth.elmo@wiremonkeys.org> wrote:
:Hi, again. I see now that I've missed at least three things needed
:in my chroot jail: /etc/syslog-ng/syslog-ng.conf, /dev/xconsole, and
:/dev/tty10.
:
:Any hints on the exact syntax one should use with mknod in creating
:xconsole & tty10?
:
:Thanks,
:Mick
On Sun, 15 Aug 2004 14:21:27 -0500 (CDT) "Michael D. (Mick) Bauer" <darth.elmo@wiremonkeys.org> wrote:
So far I haven't noticed that anything else needs to be added to the chroot jail (e.g., stuff from /dev or /etc), but if anyone knows differently please speak up!
Mick,

It's been awhile since I last set up syslog-ng in a chroot jail, but according to my notes I did the following on a recent Linux box:

o copied the following files to /path/to/chroot/lib:

    libnss_dns.so.2
    libnss_files.so.2
    libresolv.so.2
    libnsl.so.2
    libc.so.6
    ld-linux.so.2

the first of which being the one that seemed to actually be required for correct operation in my case. I believe the others were just referenced libraries, but not actually called.

o copied the following to /path/to/chroot/etc:

    nsswitch.conf
    resolv.conf
    `grep syslogng passwd`
    `grep syslogng group`

the last two being whatever user/group you used to run syslog-ng as.

John
Thanks! I'll post a revised procedure later this week -- replies have been trickling in.

Cheers,
Mick
/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
Hello Mick,

If you have another version of this you'd like me to post, let me know. I'm in a FAQ updating mood (I'm supposed to be writing my book so for some reason this has my attention instead, man I'm lame).

On Mon, Aug 16, 2004 at 12:55:30PM -0500, Michael D. (Mick) Bauer wrote:
Thanks! I'll post a revised procedure later this week -- replies have been trickling in.
Cheers, Mick
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
-- 
Nate

God does not play dice. -- Einstein
Oops, I meant to send this directly to Mick, now I'm really LAME! :)

On Mon, Jan 17, 2005 at 04:27:57PM -0800, Nate Campi wrote:
Hello Mick,
If you have another version of this you'd like me to post, let me know. I'm in a FAQ updating mood (I'm supposed to be writing my book so for some reason this has my attention instead, man I'm lame).
-- 
Nate

"PROGRAM - n. A magic spell cast over a computer allowing it to turn one's input into error messages. v. tr.- To engage in a pastime similar to banging one's head against a wall, but with fewer opportunities for reward." - Unknown
Hi, Nate et al. (No problem blasting this to the whole list -- my procedure is for everyone's benefit/review/amusement :-)

Here's the version that just went to press in the 2nd edition of my book (re-titled "Linux Server Security, 2nd Edition"). It worked for me through what I hope was thorough testing, but if I've gotten anything wrong, please let me know -- I've got an Errata website.

Regards to all,
Mick

*****

Building a chroot jail for Syslog-ng

To set up a nonprivileged account, a nonprivileged group, and a chroot jail for Syslog-ng, follow this procedure:

1. su to root if you're not root already

2. Create an unprivileged group-account for Syslog-ng, e.g., by adding the following line to /etc/group:

syslogng:x:77:

3. Create an unprivileged system account for syslog-ng, e.g., via the following command:

bash-# useradd -d /var/logjail -g syslogng -r syslogng

(Note that in Linux, the "-r" flag tells useradd that this will be a system account, causing useradd to automatically set the account's shell to /bin/false and to choose an appropriately low value for its UID.)

4. Create the jail:

bash-# mkdir -p /var/logjail/var/log
bash-# mkdir -p /var/logjail/etc/syslog-ng
bash-# mkdir /var/logjail/dev
bash-# mkdir /var/logjail/lib

(Our actual changed root will be /var/logjail, but it needs to contain some subdirectories.)

5. Move syslog-ng.conf into the jail, and turn its old location into a symbolic link:

bash-# cd /etc/syslog-ng
bash-# mv ./syslog-ng.conf /var/logjail/etc/syslog-ng
bash-# ln -s /var/logjail/etc/syslog-ng/syslog-ng.conf \
        syslog-ng.conf

6. Create jailed /dev/xconsole and /dev/tty10 devices:

bash-# cd /var/logjail/dev
bash-# mknod -m 0660 xconsole p
bash-# mknod -m 0660 tty10 c 4 10
bash-# chgrp syslogng ./xconsole ./tty10

7. Copy some things:

bash-# cp /etc/localtime /var/logjail/etc
bash-# cp /etc/nsswitch.conf /var/logjail/etc
bash-# cp /etc/resolv.conf /var/logjail/etc
bash-# grep syslogng /etc/passwd > /var/logjail/etc/passwd
bash-# grep syslogng /etc/group > /var/logjail/etc/group
bash-# cp /lib/libnss.so.2 /var/logjail/lib

8. At this point the whole jail should be owned by the user root and the group root, which is cool so long as the chroot directory itself (/var/logjail/) is "other-executable," e.g., drwxr-xr-x. But Syslog-ng must be able to create/write files in the jail's var/log/ subdirectory, so we need to tweak the latter's group-ownership and -permissions, like so:

bash-# chgrp syslogng /var/logjail/var/log
bash-# chmod g+wx /var/logjail/var/log

9. That's it! We may now start Syslog-ng with the flags

-C /var/logjail -u syslogng -g syslogng

The master syslog-ng process will still read its config from /etc/syslog-ng/syslog-ng.conf (not /var/logjail/etc/...), but immediately after that it will chroot itself to the specified jail.

Note, however, that the paths you specify in syslog-ng.conf "file()" statements should all be relative to the changed root. In other words, use file("/var/log/messages"), not file("/var/logjail/var/log/messages"). Any path you specify in syslog-ng.conf will, in practical terms, end up with /var/logjail automatically prepended to it.

*****
/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
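The nine steps above (and the shorter /var/syslog-ng-jail variant earlier in the thread) are easy to get subtly wrong: a jail root left group-writable, a device node of the wrong type, or a file() destination that already carries the jail prefix. The script below is an added example, not code from the thread or from "Linux Server Security": it wraps each step of Mick's procedure in a function and adds an audit that reports such mistakes before syslog-ng is started. Paths, user and group follow the thread (/var/logjail, syslogng); the function names, the JAIL* variables and the audit rules are this example's own assumptions. Only the tty10 node, chgrp and the /etc/passwd lookup need root; the skeleton and the audit work against a scratch directory as an ordinary user.

```shell
#!/bin/sh
# Added example; not code from the thread or from "Linux Server Security".
# Builds the jail as the nine steps above describe, then audits it.
# Paths, user and group follow the thread; function names, JAIL* variables
# and the audit rules are assumptions of this example.

JAIL=${JAIL:-/var/logjail}
JAIL_USER=${JAIL_USER:-syslogng}
JAIL_GROUP=${JAIL_GROUP:-syslogng}

# Step 4: the directory skeleton.
make_jail_skeleton() {
    j=$1
    mkdir -p "$j/var/log" "$j/etc/syslog-ng" "$j/dev" "$j/lib"
}

# Step 7: timezone, NSS and resolver config, and only the jailed account's
# own passwd/group lines (the real files stay outside the jail).
copy_jail_files() {
    j=$1; u=$2; g=$3
    for f in localtime nsswitch.conf resolv.conf; do
        cp "/etc/$f" "$j/etc/$f"
    done
    grep "^$u:" /etc/passwd > "$j/etc/passwd"
    grep "^$g:" /etc/group  > "$j/etc/group"
}

# Step 6: xconsole is a FIFO, tty10 a character device, major 4 minor 10.
make_jail_devices() {
    j=$1; g=$2
    [ -p "$j/dev/xconsole" ] || mknod -m 0660 "$j/dev/xconsole" p
    [ -c "$j/dev/tty10" ]    || mknod -m 0660 "$j/dev/tty10" c 4 10
    chgrp "$g" "$j/dev/xconsole" "$j/dev/tty10"
}

# Step 8: var/log is the one place the daemon may create files.
set_jail_perms() {
    j=$1; g=$2
    chgrp "$g" "$j/var/log"
    chmod g+wx "$j/var/log"
}

# mode_of PATH -> ten-character mode string from ls (no GNU stat needed)
mode_of() { ls -ld "$1" | cut -c1-10; }

# audit_jail JAIL [GROUP]: prints one line per finding, exit status 1 if any.
audit_jail() {
    j=$1; g=${2:-}; rc=0
    for d in var/log etc/syslog-ng dev lib; do
        [ -d "$j/$d" ] || { echo "missing directory $d"; rc=1; }
    done
    # The changed root must stay root's and not be group/other-writable,
    # or the jailed account could create entries directly beneath it.
    case $(mode_of "$j") in
        ?????w*|????????w*) echo "jail root is group- or other-writable"; rc=1 ;;
    esac
    # var/log needs group write+search so the daemon can create and open files.
    case $(mode_of "$j/var/log") in
        ?????wx*|?????ws*) ;;
        *) echo "var/log is not group-writable and -searchable"; rc=1 ;;
    esac
    if [ -n "$g" ] && [ "$(ls -ld "$j/var/log" | awk '{print $4}')" != "$g" ]; then
        echo "var/log is not group-owned by $g"; rc=1
    fi
    [ -p "$j/dev/xconsole" ] || { echo "dev/xconsole is not a FIFO"; rc=1; }
    [ -c "$j/dev/tty10" ]    || { echo "dev/tty10 is not a character device"; rc=1; }
    for f in syslog-ng/syslog-ng.conf localtime nsswitch.conf resolv.conf passwd group; do
        [ -f "$j/etc/$f" ] || { echo "missing etc/$f"; rc=1; }
    done
    # file() paths are resolved after the chroot, so a destination that already
    # names the jail would end up under $JAIL/$JAIL/... instead.
    conf=$j/etc/syslog-ng/syslog-ng.conf
    if [ -f "$conf" ] && grep -qF "file(\"$j" "$conf"; then
        echo "syslog-ng.conf has file() paths that include the jail prefix"; rc=1
    fi
    return $rc
}

# jail_problem_count JAIL [GROUP] -> number of findings, 0 when clean
jail_problem_count() { audit_jail "$1" "${2:-}" | wc -l | tr -d ' '; }

# As root, on the real host:
#   make_jail_skeleton "$JAIL"; copy_jail_files "$JAIL" "$JAIL_USER" "$JAIL_GROUP"
#   make_jail_devices "$JAIL" "$JAIL_GROUP"; set_jail_perms "$JAIL" "$JAIL_GROUP"
# then "sh jail.sh --audit" before starting syslog-ng -C "$JAIL" -u ... -g ...
if [ "${1:-}" = "--audit" ]; then
    audit_jail "$JAIL" "$JAIL_GROUP" && echo "jail $JAIL looks sane"
fi
```

The audit deliberately checks the jail root's mode as well as var/log's: the procedure only asks for var/log to be group-writable, and a jail root that the syslogng account can write to undoes the point of running unprivileged inside it.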
On Tue, Jan 18, 2005 at 10:18:44AM -0600, Michael D. (Mick) Bauer wrote:
Hi, Nate et al. (No problem blasting this to the whole list -- my procedure is for everyone's benefit/review/amusement :-)
Here's the version that just went to press in the 2nd edition of my book (re-titled "Linux Server Security, 2nd Edition"). It worked for me through what I hope was thorough testing, but if I've gotten anything wrong, please let me know -- I've got an Errata website.
Thanks Mick, added to the FAQ link section:

http://www.campin.net/syslog-ng/chroot-jail.html

-- 
Nate

Radioactive cats have 18 half-lives.
On Tue, Jan 18, 2005 at 10:18:44AM -0600, Michael D. (Mick) Bauer wrote: [..]
It worked for me through what I hope was thorough testing, but if I've gotten anything wrong, please let me know -- I've got an Errata website. [..]
One minor thing to consider:

If you use logrotate/newsyslog to rotate logfiles things will break if you read from 514/udp/tcp or any other privileged sources (like /proc/kmsg on Linux) and send SIGHUP to syslog-ng to restart logfiles. Those resources are no longer available once you dropped privileges and went to jail.

Ad hoc solution:

- Take syslog-ng out of log rotation.
- Expand logfile names with $YEAR-$MONTH-$DAY variables.
- Use find in a cron job to compress/remove logfiles.
- Avoid kill -HUP; restart syslog-ng when your config changes.

-- 
Wolfgang Braun, Dipl.-Inform. (FH) <wolfgang.braun@gmx.de>
gpg-key: 1024D/4B32CE55
gpg-fingerprint: 7F0F DE82 94A5 B476 0E08 4972 AC95 31A3 4B32 CE55
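The ad hoc solution above carried through, as an added example that is not part of Wolfgang's message or the list: syslog-ng writes to a date-stamped destination such as file("/var/log/messages.$YEAR-$MONTH-$DAY"), so no SIGHUP is ever needed to reopen a rotated file and the jailed, unprivileged process never has to reacquire root-only sources; the cron side then needs only find. The directory (the jail's var/log as seen from outside), the file-name pattern and the day thresholds are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find-based rotation for date-stamped
# syslog-ng destinations, e.g.
#   destination d_messages { file("/var/log/messages.$YEAR-$MONTH-$DAY"); };
# Run from cron outside the jail; directory, pattern and thresholds are
# assumptions of this example.

LOGDIR=${LOGDIR:-/var/logjail/var/log}   # the jail's var/log, seen from outside
COMPRESS_AFTER=${COMPRESS_AFTER:-1}      # days since last write before gzip
DELETE_AFTER=${DELETE_AFTER:-90}         # days before a .gz archive is removed

# rotate_logs DIR COMPRESS_DAYS DELETE_DAYS
# Only files untouched for more than COMPRESS_DAYS are compressed, so the
# file syslog-ng still has open is never handed to gzip. gzip keeps the
# original mtime on the .gz, so retention counts from the last write.
rotate_logs() {
    dir=$1; cdays=$2; ddays=$3
    # 1. expire compressed archives past retention
    find "$dir" -type f -name '*.[0-9]*-[0-9]*-[0-9]*.gz' -mtime +"$ddays" \
        -exec rm -f {} +
    # 2. compress finished date-stamped files (never the current day's)
    find "$dir" -type f -name '*.[0-9]*-[0-9]*-[0-9]*' ! -name '*.gz' \
        -mtime +"$cdays" -exec gzip -9 {} +
}

# count_logs DIR PATTERN -> number of files in DIR matching the shell pattern
count_logs() { find "$1" -type f -name "$2" | wc -l | tr -d ' '; }

# crontab entry (assumed):  15 0 * * * /usr/local/sbin/rotate-jail-logs --run
if [ "${1:-}" = "--run" ]; then
    rotate_logs "$LOGDIR" "$COMPRESS_AFTER" "$DELETE_AFTER"
fi
```

Because syslog-ng keeps an idle file destination open for a while before reaping it (time_reap(), an assumption about the default here), yesterday's file may still be open shortly after midnight; the COMPRESS_AFTER threshold of a full day sidesteps that without any signal to the daemon.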
On Sun, 2005-01-23 at 22:03 +0100, Wolfgang Braun wrote:
On Tue, Jan 18, 2005 at 10:18:44AM -0600, Michael D. (Mick) Bauer wrote:
[..]
It worked for me through what I hope was thorough testing, but if I've gotten anything wrong, please let me know -- I've got an Errata website. [..]
One minor thing to consider:
If you use logrotate/newsyslog to rotate logfiles things will break if you read from 514/udp/tcp or any other privileged sources (like /proc/kmsg on Linux) and send SIGHUP to syslog-ng to restart logfiles. Those resources are no longer available once you dropped privileges and went to jail.
/proc can be mounted inside the jail, so /proc/kmsg can be reopened while inside the jail.

A possible solution for /dev/log is to create it inside the jail and make a symbolic link from outside pointing to inside.

There are no problems with opening TCP/UDP sources inside the jail.

-- 
Bazsi
On Mon, Jan 24, 2005 at 10:04:28AM +0100, Balazs Scheidler wrote:
On Sun, 2005-01-23 at 22:03 +0100, Wolfgang Braun wrote:
If you use logrotate/newsyslog to rotate logfiles things will break if you read from 514/udp/tcp or any other privileged sources (like /proc/kmsg on Linux) and send SIGHUP to syslog-ng to restart logfiles. Those resources are no longer available once you dropped privileges and went to jail.
/proc can be mounted inside the jail, so /proc/kmsg can be reopened while inside the jail.
Good point, didn't think of that
A possible solution for /dev/log is to create it inside the jail and make a symbolic link from outside pointing to inside.
There are no problems with opening TCP/UDP sources inside the jail.
Not with the jail itself, but I cannot bind 514 when I dropped root privileges.

Thanks for the reply, have to think it over again :)

-- 
Wolfgang Braun, Dipl.-Inform. (FH) <wolfgang.braun@gmx.de>
gpg-key: 1024D/4B32CE55
gpg-fingerprint: 7F0F DE82 94A5 B476 0E08 4972 AC95 31A3 4B32 CE55
On Mon, 2005-01-24 at 11:19 +0100, Wolfgang Braun wrote:
On Mon, Jan 24, 2005 at 10:04:28AM +0100, Balazs Scheidler wrote:
On Sun, 2005-01-23 at 22:03 +0100, Wolfgang Braun wrote:
If you use logrotate/newsyslog to rotate logfiles things will break if you read from 514/udp/tcp or any other privileged sources (like /proc/kmsg on Linux) and send SIGHUP to syslog-ng to restart logfiles. Those resources are no longer available once you dropped privileges and went to jail.
/proc can be mounted inside the jail, so /proc/kmsg can be reopened while inside the jail.
Good point, didn't think of that
A possible solution for /dev/log is to create it inside the jail and make a symbolic link from outside pointing to inside.
There are no problems with opening TCP/UDP sources inside the jail.
Not with the jail itself, but I cannot bind 514 when I dropped root privileges.
You can use restrict to give the CAP_SYS_BIND capability to the syslog-ng process (see http://www.balabit.com/downloads/restrict/) so you can bind to port 514 though otherwise not running as root.

-- 
Bazsi