[syslog-ng] FAQ-seeding: chroot jail procedure for Syslog-ng

Michael D. (Mick) Bauer syslog-ng@lists.balabit.hu
Sun, 15 Aug 2004 14:21:27 -0500 (CDT)


Hi, all. In researching/writing the Syslog-ng coverage for the new
edition of my book, I've encountered a total lack of published info,
anywhere, on how to create a Syslog-ng chroot jail. So in the
interests of seeding the FAQ (or at least Google), here's a
procedure that works for me.

Naturally, anyone should feel free to correct anything I've gotten
wrong! Any and all feedback is appreciated.

************************************************
 How To Create A Chroot Jail For Syslog-ng 1.6x
************************************************

1. su to root if you're not root already

2. Create an unprivileged group-account for syslog-ng, e.g., by
adding the following line to /etc/group:

  syslogng:x:77:

3. Create an unprivileged system account for syslog-ng, e.g., via
the following command:

  useradd -d /var/syslog-ng-jail -g syslogng -r syslogng

(Note that in Linux, the "-r" flag tells useradd that this will be a
system account, causing useradd to automatically set the account's
shell to /bin/false and to choose an appropriately low value for its
UID.)

4. Create the jail:

  mkdir -p /var/syslog-ng-jail/var/log

(Our actual changed root will be /var/syslog-ng-jail, but we may as
well create the var/log subdirectory at the same time.)

5. At this point the whole jail should be owned by root:root, which
is cool so long as the changed-root-directory itself
(/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But
syslog-ng *will* need to create/write files in the jail's var/log
subdirectory, so we need to tweak the latter's group-ownership and
-permissions, like so:

  chgrp syslogng /var/syslog-ng-jail/var/log
  chmod g+wx /var/syslog-ng-jail/var/log

6. That's it! We may now start syslog-ng like this:

  syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng

The syslog-ng process will still read its config from
/etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...), but
immediately after that it will chroot itself to the specified jail.

Note, however, that the paths you specify in syslog-ng.conf "file()"
statements should all be relative to the changed root. E.g., use
file("/var/log/messages"), *not*
file("/var/syslog-ng-jail/var/log/messages"). Any path you specify
in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended
to it.

Naturally, there's nothing to stop you from dropping the "var/log/"
subdirectory altogether and simply specifying, e.g., file("/messages")
as a destination (resulting in things being written to
/var/syslog-ng-jail/messages, a less unwieldy path).

*******

So far I haven't noticed that anything else needs to be added to the
chroot jail (e.g., stuff from /dev or /etc), but if anyone knows
differently please speak up!

Regards,
Mick

P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng
manpage. After all, running anything in a chroot jail as root is
futile, no? :-)

P.P.S. BTW, 1.6x rocks!

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
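As an added example, not part of Mick's post and not code from the syslog-ng project: a POSIX shell script that wraps steps 2 through 6 above and adds the two checks a practitioner wants before starting syslog-ng with -C. The first check follows from the path caveat in the post: no file("...") path in syslog-ng.conf may already carry the jail prefix, since syslog-ng prepends it after chroot. The second verifies that the parent directory of every file("...") path exists inside the jail, because after chroot the daemon cannot create /var/log/messages if the jail has no var/log. The variable names JAIL, SYSLOG_USER, SYSLOG_GROUP and CONF, the --apply flag and the function names are assumptions of this example; so is passing -s /bin/false to useradd explicitly rather than relying on -r. The checks scan every file("...") statement, sources included.

```shell
#!/bin/sh
# Added example, not from Mick's post or the syslog-ng project: scripts
# steps 2-5 of the procedure above and adds two checks on syslog-ng.conf
# that the post's path caveat calls for. JAIL, SYSLOG_USER, SYSLOG_GROUP
# and CONF are assumed names, overridable so the script can be exercised
# against a scratch directory as an unprivileged user.

JAIL="${JAIL:-/var/syslog-ng-jail}"
SYSLOG_USER="${SYSLOG_USER:-syslogng}"
SYSLOG_GROUP="${SYSLOG_GROUP:-syslogng}"
CONF="${CONF:-/etc/syslog-ng/syslog-ng.conf}"

# Steps 2-3: unprivileged system group and account (root only).
make_accounts() {
    getent group "$SYSLOG_GROUP" >/dev/null 2>&1 || groupadd -r "$SYSLOG_GROUP"
    getent passwd "$SYSLOG_USER" >/dev/null 2>&1 ||
        useradd -d "$JAIL" -g "$SYSLOG_GROUP" -r -s /bin/false "$SYSLOG_USER"
}

# Steps 4-5: jail tree, root-owned and other-executable at the top,
# var/log group-writable so syslog-ng can create its files after chroot.
make_jail_tree() {
    jail="$1"
    mkdir -p "$jail/var/log"
    chmod 755 "$jail"
    chgrp "$SYSLOG_GROUP" "$jail/var/log" 2>/dev/null ||
        echo "note: group $SYSLOG_GROUP not available, chgrp skipped" >&2
    chmod g+wx "$jail/var/log"
}

# The path inside every file("...") statement of a syslog-ng.conf.
conf_file_paths() {
    sed -n 's/.*file("\([^"]*\)").*/\1/p' "$1"
}

# Check 1: a file() path must NOT already carry the jail prefix, because
# syslog-ng prepends it after chroot and the log would land in
# <jail><jail>/... Returns 1 on the first offending path.
check_paths_relative() {
    conf="$1"; jail="$2"
    conf_file_paths "$conf" | while read -r p; do
        case "$p" in
            "$jail"|"$jail"/*)
                echo "BAD: $p already contains the jail prefix $jail" >&2
                exit 1 ;;
        esac
    done
}

# Check 2: the parent directory of every file() path must exist inside
# the jail; syslog-ng cannot create /var/log/x when <jail>/var/log is absent.
check_dirs_present() {
    conf="$1"; jail="$2"
    conf_file_paths "$conf" | while read -r p; do
        d="$jail$(dirname "$p")"
        if [ ! -d "$d" ]; then
            echo "MISSING: $d (needed by file(\"$p\"))" >&2
            exit 1
        fi
    done
}

# Step 6: the start command (printed, not executed, so a dry run is safe).
start_command() {
    echo "syslog-ng -C $JAIL -u $SYSLOG_USER -g $SYSLOG_GROUP"
}

# Full run: ./jail.sh --apply (as root). Without --apply nothing is changed.
if [ "${1-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    make_accounts
    make_jail_tree "$JAIL"
    check_paths_relative "$CONF" "$JAIL" && check_dirs_present "$CONF" "$JAIL" &&
        echo "jail ready; start with: $(start_command)"
fi
```

Run it as an unprivileged user with JAIL pointing at a scratch directory to rehearse the layout and the config checks; the accounts are only created under --apply as root.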