[syslog-ng]Re: FAQ-seeding: chroot jail procedure for Syslog-ng

L. Jankok syslog-ng@lists.balabit.hu
Mon, 16 Aug 2004 13:04:59 +0200


Do an ls -la on the files to see the major and minor
numbers and the type.

and then

SYNOPSIS
     mknod name b major minor

     mknod name c major minor

     mknod name p

DESCRIPTION
     mknod makes a directory entry for a special file.

OPTIONS
     The following options are supported:

     b     Create a block-type special file.

     c     Create a character-type special file.

     p     Create a FIFO (named pipe).

Regards,

L. Jankok

On  0, "Michael D. (Mick) Bauer" <darth.elmo@wiremonkeys.org> wrote:
:Hi, again. I see now that I've missed at least three things needed
:in my chroot jail: /etc/syslog-ng/syslog-ng.conf, /dev/xconsole, and
:/dev/tty10.
:
:Any hints on the exact syntax one should use with mknod in creating
:xconsole & tty10?
:
:Thanks,
:Mick
:
:/-------------------------------------------------\
:| Michael D. (Mick) Bauer                         |
:| Security Editor, Linux Journal                  |
:| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
:\-------------------------------------------------/
:
:> Hi, all. In researching/writing the Syslog-ng coverage for the new
:> edition of my book, I've encountered a total lack of published
:> info, anywhere, on how to create a Syslog-ng chroot jail. So in the
:> interests of seeding the FAQ (or at least Google), here's a
:> procedure that works for me.
:>
:> Naturally, anyone should feel free to correct anything I've gotten
:> wrong! Any and all feedback is appreciated.
:>
:> ************************************************
:>  How To Create A Chroot Jail For Syslog-ng 1.6x
:> ************************************************
:>
:> 1. su to root if you're not root already
:>
:> 2. Create an unprivileged group-account for syslog-ng, e.g., by
:> adding the following line to /etc/group:
:>
:>   syslogng:x:77:
:>
:> 3. Create an unprivileged system account for syslog-ng, e.g., via
:> the following command:
:>
:>   useradd -d /var/syslog-ng-jail -g syslogng -r syslogng
:>
:> (Note that in Linux, the "-r" flag tells useradd that this will be
:> a system account, causing useradd to automatically set the
:> account's shell to /bin/false and to choose an appropriately low
:> value for its UID.)
:>
:> 4. Create the jail:
:>
:>   mkdir -p /var/syslog-ng-jail/var/log
:>
:> (Our actual changed root will be /var/syslog-ng-jail, but we may
:> as well create the var/log subdirectory at the same time)
:>
:> 5. At this point the whole jail should be owned by root:root,
:> which is cool so long as the changed-root-directory itself
:> (/var/syslog-ng-jail) is "other-executable," e.g., rwxr-xr-x. But
:> syslog-ng *will* need to create/write files in the jail's var/log
:> subdirectory, so we need to tweak the latter's group-ownership and
:> -permissions, like so:
:>
:>   chgrp syslogng /var/syslog-ng-jail/var/log
:>   chmod g+wx /var/syslog-ng-jail/var/log
:>
:> 6. That's it! We may now start syslog-ng like this:
:>
:>   syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng
:>
:> The syslog-ng process will still read its config from
:> /etc/syslog-ng/syslog-ng.conf (not /var/syslog-ng-jail/etc/...),
:> but immediately after that it will chroot itself to the specified
:> jail.
:>
:> Note, however, that the paths you specify in syslog-ng.conf
:> "file()" statements should all be relative to the changed root.
:> E.g., use
:> file("/var/log/messages"), *not*
:> file("/var/syslog-ng-jail/var/log/messages"). Any path you specify
:> in syslog-ng.conf will end up with "/var/syslog-ng-jail" prepended
:> to it.
:>
:> Naturally, there's nothing to stop you from dropping the
:> "var/log/" subdirectory altogether, and simply specifying, e.g.,
:> file("/messages") as a destination (resulting in things being
:> written to /var/syslog-ng-jail/messages, a less unwieldy path).
:>
:> *******
:>
:> So far I haven't noticed that anything else needs to be added to
:> the chroot jail (e.g., stuff from /dev or /etc), but if anyone
:> knows differently please speak up!
:>
:> Regards,
:> Mick
:>
:> P.S. Baszi, you really ought to add "-u" & "-g" to the syslog-ng
:> manpage. After all, running anything in a chroot jail as root is
:> futile, no? :-)
:>
:> P.P.S. BTW, 1.6x rocks!
:
:
:
:_______________________________________________
:syslog-ng maillist  -  syslog-ng@lists.balabit.hu
:https://lists.balabit.hu/mailman/listinfo/syslog-ng
:Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
:
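As an added example, not code from either poster or from the syslog-ng project: the shell below turns the quoted procedure (steps 4 and 5) and L. Jankok's mknod answer into functions. Instead of reading the major/minor numbers off "ls -la" by hand, it derives the mknod arguments from the host's own nodes with GNU stat, and it handles the FIFO case, which is what /dev/xconsole usually is. Assumptions: Linux with GNU coreutils (stat -c, chmod --reference), a jail root and group name passed as parameters (the thread's /var/syslog-ng-jail and syslogng in the usage comment), and root privileges for character/block nodes and chgrp.

```shell
#!/bin/sh
# Added example (not from the thread): build the syslog-ng jail from the
# posted procedure and add the device nodes the follow-up found missing,
# deriving mknod's type/major/minor from the host's own nodes instead of
# reading them off "ls -la" by hand.  Assumes Linux with GNU coreutils
# (stat -c, chmod --reference); jail root and group name are parameters.
set -eu

# Print the mknod arguments that reproduce an existing node:
# "c <major> <minor>" for a character device, "b <major> <minor>" for a
# block device, "p" for a FIFO (what /dev/xconsole usually is).
mknod_args() {
    node=$1
    ftype=$(stat -c '%F' "$node")
    case $ftype in
        "character special file") kind=c ;;
        "block special file")     kind=b ;;
        fifo)                     echo p; return 0 ;;
        *) echo "mknod_args: $node is a $ftype, not a device node" >&2; return 1 ;;
    esac
    # stat prints %t/%T in hex; mknod wants decimal.
    major=$(printf '%d' "0x$(stat -c '%t' "$node")")
    minor=$(printf '%d' "0x$(stat -c '%T' "$node")")
    echo "$kind $major $minor"
}

# Recreate host node $2 at the same path under jail root $1, with the same
# mode.  Character/block nodes need root (CAP_MKNOD); a FIFO does not.
jail_mkdev() {
    jail=$1
    node=$2
    args=$(mknod_args "$node") || return 1
    target=$jail$node
    mkdir -p "$(dirname "$target")"
    if [ -e "$target" ]; then
        return 0
    fi
    # $args is split on purpose: it holds one or three separate arguments.
    # shellcheck disable=SC2086
    mknod "$target" $args
    chmod --reference="$node" "$target"
}

# Steps 4-5 of the posted procedure plus the missing /dev entries.
# Run as root.  $1 = jail root, $2 = the daemon's unprivileged group.
jail_build() {
    jail=$1
    grp=$2
    mkdir -p "$jail/var/log" "$jail/dev"
    # The jail root stays root-owned and world-executable so the jailed
    # uid can traverse it; only var/log is writable, and only by the group.
    chmod 755 "$jail"
    chgrp "$grp" "$jail/var/log"
    chmod g+wx "$jail/var/log"
    for dev in /dev/tty10 /dev/xconsole; do
        if [ -e "$dev" ]; then
            jail_mkdev "$jail" "$dev"
        fi
    done
}

# Usage (as root), names taken from the thread:
#   jail_build /var/syslog-ng-jail syslogng
#   syslog-ng -C /var/syslog-ng-jail -u syslogng -g syslogng
```

Copying the host node's mode rather than hard-coding 0666 keeps the jailed daemon's view of /dev/tty10 no more permissive than the host's. The file() paths in syslog-ng.conf are still written relative to the jail root, as the quoted message explains, so a destination of file("/var/log/messages") lands in /var/syslog-ng-jail/var/log/messages, the one directory the group can write to.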