[syslog-ng] replacing Linux klogd by a chrooted syslog-ng running as a non root user

Guillaume LACHENAL glachenal@on-x.com
Thu, 7 Nov 2002 16:31:45 +0100


Balazs Scheidler wrote :

> On Thu, Nov 07, 2002 at 03:10:50PM +0100, Guillaume LACHENAL wrote:

> > Is it for the same reasons that I have (almost) every time to send SIGTERM
> > *twice* for syslog-ng to terminate ?
> 
> it was a bug, and should have been fixed in latest 1.5.x release.

OK. I'll upgrade when the best of syslog-ng will be configured quite fine
on the box ;-)
 
> > > then instead of using syslog-ng's own chroot feature, use the chroot
> > 
> > Are you sure a chrooted process can follow symlinks outside the jail ?
> 
> it's not the chrooted process which accesses the symlink, the programs
> running outside are accessing a file _in_ the chroot. (symlink in /dev/log
> pointing to /chroot/dev/log)

Could you please explain? It works as you say with ntpd chrooted on my box.
But, after 'chroot /chroot /sbin/ntpd' the running ntpd only sees what's
under '/chroot/'. How does it work when ntpd attempts to log something?
(to /chroot/dev/log)

> I remember, libc itself shouldn't be needed. ldd shows what syslog-ng is
> linked to, but if it started outside, it will link to /lib/libc.so.6, and
> _then_ chroot itself -> no need for libc in the jail itself.
> 
> the others libresolv etc. are loaded after the chroot() call, so they must
> be present in the jail as well.
> 
> try rm-ing the libc inside the jail (and only libc the others might be
> needed), and start syslog-ng, it _should_ work.

Yes, it works
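
The symlink arrangement described in the quoted reply above (/dev/log outside the jail pointing to /chroot/dev/log), as an added example that is not part of the original thread or of syslog-ng. It assumes a temporary directory standing in for the host root and for /chroot, so no real chroot() call or root privilege is involved; the function name and the sample message are constructed.

```python
import os
import socket
import tempfile


def log_via_symlink(message: bytes) -> dict:
    """Bind a datagram socket at <jail>/dev/log and write to it through a
    symlink that lives outside the jail, as a non-chrooted client would."""
    with tempfile.TemporaryDirectory() as root:
        jail = os.path.join(root, "chroot")            # stands in for /chroot
        real_sock = os.path.join(jail, "dev", "log")   # the daemon's own /dev/log
        os.makedirs(os.path.dirname(real_sock))
        outside_dev = os.path.join(root, "dev")        # stands in for the host /dev
        os.makedirs(outside_dev)
        link = os.path.join(outside_dev, "log")        # stands in for host /dev/log

        server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            # The jailed daemon creates the socket file inside its own tree.
            server.bind(real_sock)
            server.settimeout(2.0)

            # An administrator outside the jail points the usual path at it.
            os.symlink(real_sock, link)

            # The client resolves the symlink in its own (unjailed) view of
            # the filesystem; the daemon never has to look outside its root.
            client.sendto(message, link)
            received = server.recv(4096)

            return {
                "received": received,
                "link_is_symlink": os.path.islink(link),
                "same_socket": os.path.realpath(link) == os.path.realpath(real_sock),
            }
        finally:
            client.close()
            server.close()


if __name__ == "__main__":
    # Constructed sample message in the classic <PRI>tag: text form.
    print(log_via_symlink(b"<13>demo: hello from outside the jail"))
```
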