[syslog-ng] replacing Linux klogd by a chrooted syslog-ng running as a non root user
Balazs Scheidler
bazsi@balabit.hu
Thu, 7 Nov 2002 14:46:32 +0100
On Thu, Nov 07, 2002 at 02:25:44PM +0100, Guillaume LACHENAL wrote:
> from http://www.campin.net/syslog-ng/faq.html
>
> As /proc/kmsg and /dev/log are outside the jail, is there a way to do the
> same thing with a chrooted syslog-ng ?
Configuration initialization is performed prior to chroot-ing, so syslog-ng
first opens the necessary devices, and then chroots itself.

You cannot restart the daemon though, unless you do the following:

- mount /proc under the chroot jail as well (can be mounted multiple times)
- create a symlink in /dev/log to /chroot/dev/log

Then instead of using syslog-ng's own chroot feature, use the chroot
command, so the config initialization is performed _inside_ the jail. These
have drawbacks as well:

- you need libc and other libs in the jail (while when starting from
  outside, these are mapped from the system at startup)
- /proc might provide too much information inside the jail so you might as
  well run syslog-ng outside the jail ;)

The latter problem can be solved by restricting /proc access with a patch
like openwall, and I might provide a patch for the first, to chroot first,
and then initialize.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
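
A preflight check for the restart-inside-the-jail setup described in the message above, as an added example that is not part of the original post or of syslog-ng. The function name check_jail and its HOST_ROOT and BINARY parameters are assumptions made for this sketch; /chroot is the jail path used in the message.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_jail JAIL [HOST_ROOT] [BINARY]
#   JAIL       jail directory, e.g. /chroot
#   HOST_ROOT  prefix for the host's /dev/log; empty on a real system, set
#              only to run the check against a constructed directory tree
#   BINARY     optional syslog-ng binary whose shared libraries are checked
# Prints one line per finding and returns 0 only if nothing is missing.
check_jail() {
    jail=$1; host_root=${2:-}; bin=${3:-}; rc=0

    # Step 1: /proc mounted under the jail, so /proc/kmsg can be opened
    # after the chroot.
    if [ -e "$jail/proc/kmsg" ]; then
        echo "ok: $jail/proc/kmsg"
    else
        echo "missing: $jail/proc/kmsg (mount /proc under the jail)"; rc=1
    fi

    # Step 2: the host's /dev/log is a symlink to the socket that the
    # jailed daemon creates at JAIL/dev/log.
    link="$host_root/dev/log"
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$jail/dev/log" ]; then
        echo "ok: $link -> $jail/dev/log"
    else
        echo "missing: $link is not a symlink to $jail/dev/log"; rc=1
    fi

    # First drawback: the binary and the libraries it loads must exist
    # inside the jail. ldd prints resolved libraries as absolute paths.
    if [ -n "$bin" ]; then
        for f in "$bin" $(ldd "$bin" 2>/dev/null |
                awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}'); do
            [ -e "$jail$f" ] || { echo "missing: $jail$f"; rc=1; }
        done
    fi
    return $rc
}
```

On a real host the call is `check_jail /chroot`, optionally with an empty second argument and the path of the syslog-ng binary as the third.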