[syslog-ng]Re: FAQ-seeding: chroot jail procedure for Syslog-ng

Michael D. (Mick) Bauer syslog-ng@lists.balabit.hu
Mon, 16 Aug 2004 05:50:07 -0500 (CDT)


Hi, again. I see now that I've missed at least three things needed
in my chroot jail: /etc/syslog-ng/syslog-ng.conf, /dev/xconsole, and
/dev/tty10.

Any hints on the exact syntax one should use with mknod in creating
xconsole & tty10?

Thanks,
Mick

/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/

> Hi, all. In researching/writing the Syslog-ng coverage for the new
> edition of my book, I've encountered a total lack of published
> info, anywhere, on how to create a Syslog-ng chroot jail. So in the
> interests of seeding the FAQ (or at least Google), here's a
> procedure that works for me.
>
> Naturally, anyone should feel free to correct anything I've gotten
> wrong! Any and all feedback is appreciated.
>
> ************************************************
>  How To Create A Chroot Jail For Syslog-ng 1.6x
> ************************************************
>
> 1. su to root if you're not root already
>
> 2. Create an unprivileged group-account for syslog-ng, e.g., by
> adding the following line to /etc/group:
>
>   syslogng:x:77:
>
> 3. Create an unprivileged system account for syslog-ng, e.g., via
> the following command:
>
>   useradd -d /var/syslog-ng-jail -g syslogng -r syslogng
>
> (Note that in Linux, the "-r" flag tells useradd that this will be
> a system account, causing useradd to automatically set the
> account's shell to /bin/false and to choose an appropriately low
> value for its UID.)
>
> 4. Create the jail:
>
>   mkdir -p /var/syslog-ng-jail/var/log
>
> (Our actual changed root will be /var/syslog-ng-jail, but we may
> as well create the var/log subdirectory at the same time)
>
> 5. At this point the whole jail should be owned by root:root,
> which is cool so long as the changed-root-directory itself
> (/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But
> syslog-ng *will* need to create/write files in the jail's var/log
> subdirectory, so we need to tweak the latter's group-ownership and
> -permissions, like so:
>
>   chgrp syslogng /var/syslog-ng-jail/var/log
>   chmod g+wx /var/syslog-ng-jail/var/log
>
> 6. That's it! We may now start syslog-ng like this:
>
>   syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng
>
> The syslog-ng process will still read its config from
> /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...),
> but immediately after that it will chroot itself to the specified
> jail.
>
> Note, however, that the paths you specify in syslog-ng.conf
> "file()" statements should all be relative to the changed root.
> E.g., use file("/var/log/messages"), *not*
> file("/var/syslog-ng-jail/var/log/messages"). Any path you specify
> in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended
> to it.
>
> Naturally, there's nothing to stop you from dropping the
> "var/log/" subdirectory altogether, and simply specifying, e.g.,
> file("/messages") as a destination (resulting in things being
> written to /var/syslog-ng-jail/messages, a less unwieldy path).
>
> *******
>
> So far I haven't noticed that anything else needs to be added to
> the chroot jail (e.g., stuff from /dev or /etc), but if anyone
> knows differently please speak up!
>
> Regards,
> Mick
>
> P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng
> manpage. After all, running anything in a chroot jail as root is
> futile, no? :-)
>
> P.P.S. BTW, 1.6x rocks!
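An added example, not part of either of Mick's posts or of the syslog-ng project: the six-step procedure above as a script, plus the three items the follow-up found missing (the config file, /dev/xconsole and /dev/tty10) and an audit of the resulting layout before syslog-ng is started. The jail path and the syslogng user/group are the post's; the device details are assumptions about a conventional Linux host (xconsole as a FIFO, tty10 as character device 4,10; compare with `ls -l /dev/tty10` on the machine in question) and are not stated anywhere in the thread. The audit checks are my own reading of step 5: the jail root must be traversable but not writable by the confined account, only var/log may be group-writable, and nothing setuid/setgid should live inside the jail.

```shell
#!/bin/sh
# Added example (not from the post): scripts the jail procedure and audits
# the result. Assumptions: jail path and account names as in the post;
# /dev/xconsole as a FIFO and /dev/tty10 as char device 4,10 are the
# conventional Linux values, not something the thread states.
set -eu

JAIL="${JAIL:-/var/syslog-ng-jail}"
SYSLOG_GROUP="${SYSLOG_GROUP:-syslogng}"
SYSLOG_USER="${SYSLOG_USER:-syslogng}"

# Steps 2-3: unprivileged group (GID 77, as in the post) and system account. Root only.
make_jail_account() {
    getent group "$SYSLOG_GROUP" >/dev/null || groupadd -g 77 "$SYSLOG_GROUP"
    id "$SYSLOG_USER" >/dev/null 2>&1 ||
        useradd -d "$JAIL" -g "$SYSLOG_GROUP" -r "$SYSLOG_USER"
}

# Steps 4-5: directory skeleton. Everything stays root-owned and
# non-writable except var/log, which the syslog-ng group may write.
make_jail_dirs() {
    jail="$1"; group="$2"
    mkdir -p "$jail/var/log" "$jail/dev" "$jail/etc/syslog-ng"
    chmod 0755 "$jail" "$jail/var" "$jail/dev" "$jail/etc" "$jail/etc/syslog-ng"
    chgrp "$group" "$jail/var/log"
    chmod 0775 "$jail/var/log"      # rwxr-xr-x plus g+wx, as in the post
}

# The pieces the follow-up found missing. Root only (mknod).
make_jail_devices() {
    jail="$1"; group="$2"
    if [ -f /etc/syslog-ng/syslog-ng.conf ]; then
        cp /etc/syslog-ng/syslog-ng.conf "$jail/etc/syslog-ng/"
    fi
    [ -p "$jail/dev/xconsole" ] || mkfifo "$jail/dev/xconsole"
    [ -c "$jail/dev/tty10" ]    || mknod "$jail/dev/tty10" c 4 10   # assumed 4,10
    chgrp "$group" "$jail/dev/xconsole" "$jail/dev/tty10"
    chmod 0660 "$jail/dev/xconsole" "$jail/dev/tty10"
}

# Audit the jail before starting syslog-ng. Returns 0 when the layout
# matches the post's intent, 1 (with findings on stderr) otherwise.
audit_jail() {
    jail="$1"; status=0
    # Root must be "other-executable" so the unprivileged user can enter it.
    if [ -z "$(find "$jail" -maxdepth 0 -type d -perm -0001)" ]; then
        echo "jail root is not other-executable: $jail" >&2; status=1
    fi
    # var/log must exist and be group-writable, or nothing gets logged.
    if [ -z "$(find "$jail/var/log" -maxdepth 0 -type d -perm -0020 2>/dev/null)" ]; then
        echo "var/log missing or not group-writable" >&2; status=1
    fi
    # Nothing outside var/log may be group- or world-writable, or a
    # compromised syslog-ng could rewrite its own jail. Device nodes and
    # FIFOs are skipped: they need write access by design.
    bad=$(find "$jail" -path "$jail/var/log" -prune -o \
          \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) -print)
    if [ -n "$bad" ]; then
        echo "writable outside var/log:" >&2; echo "$bad" >&2; status=1
    fi
    # A chroot is no place for setuid/setgid binaries.
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$suid" ]; then
        echo "setuid/setgid files in jail:" >&2; echo "$suid" >&2; status=1
    fi
    return "$status"
}

# Step 6: chroot and drop to the unprivileged account, exactly as in the post.
start_jailed() {
    syslog-ng -C "$1" -u "$SYSLOG_USER" -g "$SYSLOG_GROUP"
}

case "${1:-}" in
    build) make_jail_account
           make_jail_dirs "$JAIL" "$SYSLOG_GROUP"
           make_jail_devices "$JAIL" "$SYSLOG_GROUP"
           audit_jail "$JAIL" && start_jailed "$JAIL" ;;
    audit) audit_jail "$JAIL" ;;
esac
```

Run as `sh syslog-ng-jail.sh build` once as root to create everything and start the daemon, and `sh syslog-ng-jail.sh audit` afterwards whenever packages or hand edits have touched the jail; the audit deliberately refuses to start syslog-ng when the jail root or anything outside var/log has become writable by the confined account, which is the one condition under which the `-u`/`-g` drop in step 6 stops buying anything.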