[syslog-ng] replacing Linux klogd by a chrooted syslog-ng running as a non root user

Balazs Scheidler bazsi@balabit.hu
Thu, 7 Nov 2002 16:02:55 +0100


On Thu, Nov 07, 2002 at 03:10:50PM +0100, Guillaume LACHENAL wrote:
> Balazs Scheidler wrote :
> > On Thu, Nov 07, 2002 at 02:25:44PM +0100, Guillaume LACHENAL wrote:

> > configuration initialization is performed prior to chroot-ing, so syslog-ng
> > first opens the necessary devices, and then chroots itself.
> 
> OK. So if I understand when using syslog-ng '-C' options there is no need
> that $JAIL/etc contains syslog-ng.conf. It can stay in /etc

yes.

>  
> > you cannot restart the daemon though, unless you do the following:
> 
> OK I've seen it. You make me not to create a new thread on the list ;-)
> 
> Is it for the same reasons that I have (almost) every time to send SIGTERM
> *twice* for syslog-ng to terminate ?

it was a bug, and should have been fixed in the latest 1.5.x release.

>  
> > - mount /proc under the chroot jail as well (can be mounted multiple times)
> > - create a symlink in /dev/log to /chroot/dev/log
> > 
> > then instead of using syslog-ng's own chroot feature, use the chroot
> 
> Are you sure a chrooted process can follow symlinks outside the jail ?

it's not the chrooted process which accesses the symlink, the programs
running outside are accessing a file _in_ the chroot. (symlink in /dev/log
pointing to /chroot/dev/log)

> 
> > command, so the config initialization is performed _inside_ the jail. These
> > have drawbacks as well:
> > 
> > - you need libc and other libs in the jail (while when starting from
> >   outside, these are mapped from the system at startup)
> 
> libc is also needed when using the '-C' switch !
> 
> ldd syslog-ng
>         libnsl.so.1 => /lib/libnsl.so.1 (0x00126000)
>         libc.so.6 => /lib/libc.so.6 (0x0013d000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
> 
> and I've 'discovered' during my jail creation that libresolv and libnss_*
> are also needed
> (remember the thread "chroot and hostname resolution problem [was : Re: [syslog-ng]centralized loghost]")


I remember, libc itself shouldn't be needed. ldd shows what syslog-ng is
linked to, but if it is started outside, it will link to /lib/libc.so.6, and
_then_ chroot itself -> no need for libc in the jail itself.

the others (libresolv etc.) are loaded after the chroot() call, so they must
be present in the jail as well.

try rm-ing the libc inside the jail (and only libc; the others might be
needed), and start syslog-ng, it _should_ work.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
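
The library rule discussed in this message, as an added example that is not part of the original e-mail or of syslog-ng: a shell function that lists what a jail is missing for each start-up method. It assumes the jail keeps libraries under `$JAIL/lib` and mirrors the paths ldd prints; `jail_missing_libs` and the demo directory are hypothetical names, and the check only tests that files exist.

```shell
#!/bin/sh
# ldd output as quoted in the thread (what syslog-ng is linked against).
LDD_SAMPLE='        libnsl.so.1 => /lib/libnsl.so.1 (0x00126000)
        libc.so.6 => /lib/libc.so.6 (0x0013d000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)'

# jail_missing_libs JAIL MODE   (ldd output on stdin when MODE=external)
#   internal: syslog-ng starts outside and chroots itself (-C); libraries
#             named by ldd are mapped before chroot(), so only the ones
#             loaded later (libresolv, libnss_*) must exist in the jail.
#   external: started with the chroot command, so the ldd libraries must
#             exist inside the jail as well.
# Prints one missing library (path or glob pattern) per line.
jail_missing_libs() {
    jail=$1; mode=$2
    # Loaded after chroot(): needed in both modes.
    for pat in 'libresolv*' 'libnss_*'; do
        found=no
        for f in "$jail"/lib/$pat; do
            if [ -e "$f" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$pat"; fi
    done
    # Resolved at exec time: needed only when exec happens inside the jail.
    if [ "$mode" = external ]; then
        # Take the last absolute path on each ldd line; lines without one are skipped.
        awk '{ for (i = NF; i >= 1; i--) if ($i ~ /^\//) { print $i; break } }' |
        while read -r p; do
            if [ ! -e "$jail$p" ]; then printf '%s\n' "$p"; fi
        done
    fi
}

# Demo on a constructed, empty jail directory.
demo_jail=$(mktemp -d)
mkdir -p "$demo_jail/lib"
echo "self-chroot (-C):"; jail_missing_libs "$demo_jail" internal
echo "chroot command:";   printf '%s\n' "$LDD_SAMPLE" | jail_missing_libs "$demo_jail" external
rm -rf "$demo_jail"
```

On a real host, feed the second mode with `ldd` run against the installed syslog-ng binary instead of the quoted sample.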