[syslog-ng]FAQ-seeding: chroot jail procedure for Syslog-ng

Michael D. (Mick) Bauer syslog-ng@lists.balabit.hu
Tue, 18 Jan 2005 10:18:44 -0600 (CST)


Hi, Nate et al. (No problem blasting this to the whole list -- my
procedure is for everyone's benefit/review/amusement :-)

Here's the version that just went to press in the 2nd edition of my
book (re-titled "Linux Server Security, 2nd Edition"). It worked for
me through what I hope was thorough testing, but if I've gotten
anything wrong, please let me know -- I've got an Errata website.

Regards to all,
Mick

*****

Building a chroot jail for Syslog-ng

To set up a nonprivileged account, a nonprivileged group, and a
chroot jail for Syslog-ng, follow this procedure:

1.	su to root if you're not root already

2.	Create an unprivileged group-account for Syslog-ng, e.g., by
adding the following line to /etc/group:

   syslogng:x:77:

3.	Create an unprivileged system account for syslog-ng, e.g., via
the following command:

   bash-# useradd -d /var/logjail -g syslogng -r syslogng

(Note that in Linux, the "-r" flag tells useradd that this will be a
system account, causing useradd to automatically set the account's
shell to /bin/false and to choose an appropriately low value for its
UID.)

4.	Create the jail:

   bash-# mkdir -p /var/logjail/var/log
   bash-# mkdir -p /var/logjail/etc/syslog-ng
   bash-# mkdir /var/logjail/dev
   bash-# mkdir /var/logjail/lib

(Our actual changed root will be /var/logjail, but it needs to
contain some subdirectories.)

5.	Move syslog-ng.conf into the jail, and turn its old location into
a symbolic link:

   bash-# cd /etc/syslog-ng
   bash-# mv ./syslog-ng.conf /var/logjail/etc/syslog-ng
   bash-# ln -s /var/logjail/etc/syslog-ng/syslog-ng.conf \
          syslog-ng.conf

6.	Create jailed /dev/xconsole and /dev/tty10 devices:

   bash-# cd /var/logjail/dev
   bash-# mknod -m 0660 xconsole p
   bash-# mknod -m 0660 tty10 c 4 10
   bash-# chgrp syslogng ./xconsole ./tty10

7.	Copy some things

   bash-# cp /etc/localtime /var/logjail/etc
   bash-# cp /etc/nsswitch.conf /var/logjail/etc
   bash-# cp /etc/resolv.conf /var/logjail/etc
   bash-# grep syslogng /etc/passwd > /var/logjail/etc/passwd
   bash-# grep syslogng /etc/group > /var/logjail/etc/group
   bash-# cp /lib/libnss_files.so.2 /lib/libnss_dns.so.2 /var/logjail/lib

8.	At this point the whole jail should be owned by the user root and
the group root, which is cool so long as the chroot directory itself
(/var/logjail/) is "other-executable," e.g., drwxr-xr-x. But
Syslog-ng must be able to create/write files in the jail's var/log/
subdirectory, so we need to tweak the latter's group-ownership and
-permissions, like so:

   bash-# chgrp syslogng /var/logjail/var/log
   bash-# chmod g+wx /var/logjail/var/log

9.	That's it! We may now start Syslog-ng with the flags -C
/var/logjail -u syslogng -g syslogng

The master syslog-ng process will still read its config from
/etc/syslog-ng/syslog-ng.conf (not /var/logjail/etc/...), but
immediately after that it will chroot itself to the specified jail.

Note, however, that the paths you specify in syslog-ng.conf "file()"
statements should all be relative to the changed root. In other
words, use file("/var/log/messages"), not
file("/var/logjail/var/log/messages"). Any path you specify in
syslog-ng.conf will, in practical terms, end up with /var/logjail
automatically prepended to it.
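An added check script (not from the post or the book) that verifies a jail built by the steps above before the daemon is started with -C: it tests the step-8 permission rules, the step-6 devices and the step-7 files. It assumes GNU stat(1) and takes the jail root and account name as arguments, defaulting to /var/logjail and syslogng.

```shell
# Added example (not from the post or the book): sanity-check a syslog-ng
# chroot jail laid out by the steps above before starting the daemon with
# -C. Assumes GNU stat(1); jail root and account name default to
# /var/logjail and syslogng.
fail() { echo "FAIL: $*" >&2; }

# Step 8: the jail root must not be group/other-writable (a jailed process
# could otherwise plant files beside etc/ or lib/); var/log must belong to
# the service group with g+wx so the daemon can create log files there.
check_perms() {
    jail=$1; grp=$2; rc=0
    case $(stat -c %A "$jail") in
        ?????w????|????????w?) fail "$jail is group/other-writable"; rc=1 ;;
    esac
    [ "$(stat -c %G "$jail/var/log")" = "$grp" ] || { fail "var/log not group $grp"; rc=1; }
    case $(stat -c %A "$jail/var/log") in
        ?????wx???) ;;
        *) fail "var/log lacks g+wx"; rc=1 ;;
    esac
    return $rc
}

# Step 6: xconsole is a named pipe, tty10 a character device (major 4, minor 10).
check_devs() {
    rc=0
    [ -p "$1/dev/xconsole" ] || { fail "dev/xconsole is not a named pipe"; rc=1; }
    [ -c "$1/dev/tty10" ] || { fail "dev/tty10 is not a character device"; rc=1; }
    return $rc
}

# Step 7: files syslog-ng needs inside the jail, plus the account's own entries.
check_files() {
    jail=$1; acct=$2; rc=0
    for f in etc/localtime etc/nsswitch.conf etc/resolv.conf \
             lib/libnss_files.so.2 lib/libnss_dns.so.2; do
        [ -e "$jail/$f" ] || { fail "missing $f"; rc=1; }
    done
    grep -q "^$acct:" "$jail/etc/passwd" 2>/dev/null || { fail "$acct not in etc/passwd"; rc=1; }
    grep -q "^$acct:" "$jail/etc/group" 2>/dev/null || { fail "$acct not in etc/group"; rc=1; }
    return $rc
}

check_jail() {
    jail=${1:-/var/logjail}; acct=${2:-syslogng}; status=0
    check_perms "$jail" "$acct" || status=1
    check_devs "$jail" || status=1
    check_files "$jail" "$acct" || status=1
    [ $status -eq 0 ] && echo "OK: $jail passes all checks"; return $status
}

if [ $# -gt 0 ]; then check_jail "$@"; fi   # e.g. sh check_logjail.sh /var/logjail
```

Run it as root after step 8; any FAIL line names the step to revisit, and a jail that only fails the tty10 check is usually one where mknod was run without root.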

*****

> Hello Mick,
>
> If you have another version of this you'd like me to post, let me
> know. I'm in a FAQ updating mood (I'm supposed to be writing my
> book so for some reason this has my attention instead, man I'm
> lame).
>
> On Mon, Aug 16, 2004 at 12:55:30PM -0500, Michael D. (Mick) Bauer
> wrote:
>> Thanks! I'll post a revised procedure later this week -- replies
>> have been trickling in.
>>
>> Cheers,
>> Mick
>>
>> > On Sun, 15 Aug 2004 14:21:27 -0500 (CDT)
>> > "Michael D. (Mick) Bauer" <darth.elmo@wiremonkeys.org> wrote:
>> >
>> >> So far I haven't noticed that anything else needs to be added
>> >> to the chroot jail (e.g., stuff from /dev or /etc), but if
>> >> anyone knows differently please speak up!
>> >
>> > Mick,
>> >
>> > It's been awhile since I last setup syslog-ng in a chroot
>> > jail, but according to my notes I did the following on a
>> > recent Linux box:
>> >
>> >   o copied the following files to /path/to/chroot/lib:
>> >
>> >     libnss_dns.so.2
>> >     libnss_files.so.2
>> >     libresolv.so.2
>> >     libnsl.so.2
>> >     libc.so.6
>> >     ld-linux.so.2
>> >
>> >     the first of which, being the one that seemed to actually
>> >     be required for correct operation in my case.  I believe the
>> >     others were just referenced libraries, but not actually
>> >     called.
>> >
>> >   o copied the following to /path/to/chroot/etc
>> >
>> >     nsswitch.conf
>> >     resolv.conf
>> >     `grep syslogng passwd`
>> >     `grep syslogng group`
>> >
>> >     the last two being whatever user/group you used to run
>> >     syslog-ng as.
>> >
>> > John
>> > _______________________________________________
>> > syslog-ng maillist  -  syslog-ng@lists.balabit.hu
>> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> > Frequently asked questions at
>> > http://www.campin.net/syslog-ng/faq.html
>>
>>
>> /-------------------------------------------------\
>> | Michael D. (Mick) Bauer                         |
>> | Security Editor, Linux Journal                  |
>> | Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
>> \-------------------------------------------------/
>>
>>
>>
>
> --
> Nate
>
> God does not play dice.
>             -- Einstein
>


/-------------------------------------------------\
| Michael D. (Mick) Bauer                         |
| Security Editor, Linux Journal                  |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/