[syslog-ng]FAQ-seeding: chroot jail procedure for Syslog-ng

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 24 Jan 2005 10:04:28 +0100


On Sun, 2005-01-23 at 22:03 +0100, Wolfgang Braun wrote:
> On Tue, Jan 18, 2005 at 10:18:44AM -0600, Michael D. (Mick) Bauer wrote:
> 
> [..]
> > It worked for me through what I hope was thorough testing, but if I've
> > gotten anything wrong, please let me know -- I've got an Errata
> > website.
> [..]
> 
> One minor thing to consider:
> 
> If you use logrotate/newsyslog to rotate logfiles things will break if
> you read from 514/udp/tcp or any other privileged sources (like
> /proc/kmsg on Linux) and send SIGHUP to syslog-ng to restart logfiles.
> Those resources are no longer available once you dropped privileges and
> went to jail.

/proc can be mounted inside the jail, so /proc/kmsg can be reopened
while inside the jail.

A possible solution for /dev/log is to create it inside the jail and
make a symbolic link from outside pointing to inside.

There are no problems with opening TCP/UDP sources inside the jail.

-- 
Bazsi
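As an added illustration of the two points in the reply above (this is example code, not from the list thread or the syslog-ng project), the sketch below lays out a jail directory, keeps /dev/log inside the jail with a host-side symlink pointing into it, mounts /proc inside the jail so /proc/kmsg can be reopened after SIGHUP, and provides a check a rotate script can run before signalling the daemon. The jail path, the script name and the host socket path are assumptions; the helpers take them as parameters so they can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: prepare a chroot jail for syslog-ng the way the reply
# describes. JAIL and the script name "chroot-prep.sh" are assumptions.

JAIL="${JAIL:-/var/lib/syslog-ng/jail}"   # assumed jail root

# Create the directory skeleton the jailed daemon needs.
# Assumption: syslog-ng creates $jail/dev/log itself on start; we only
# guarantee the directories exist.
prepare_jail() {
    jail="$1"
    mkdir -p "$jail/proc" "$jail/dev" "$jail/var/log" "$jail/etc"
}

# Point the host-side /dev/log at the socket that will live inside the
# jail. host_devlog is a parameter so the function can be tested on a
# scratch path instead of the real /dev/log.
link_devlog() {
    jail="$1"; host_devlog="$2"
    # Refuse to clobber a real socket or file; only replace a symlink.
    if [ -e "$host_devlog" ] && [ ! -L "$host_devlog" ]; then
        return 1
    fi
    ln -sfn "$jail/dev/log" "$host_devlog"
}

# Mount /proc inside the jail so /proc/kmsg can be reopened after SIGHUP
# even though the daemon has dropped privileges and chrooted.
mount_proc() {
    jail="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "mount_proc: needs root, skipping" >&2
        return 2
    fi
    mountpoint -q "$jail/proc" || mount -t proc proc "$jail/proc"
}

# Pre-rotate check: does the host /dev/log resolve into the jail?
# If not, the daemon will lose /dev/log on the next SIGHUP.
devlog_points_into_jail() {
    jail="$1"; host_devlog="$2"
    [ -L "$host_devlog" ] || return 1
    target=$(readlink "$host_devlog")
    case "$target" in
        "$jail"/dev/log) return 0 ;;
        *) return 1 ;;
    esac
}

# Full procedure against the real jail; only runs when invoked by name.
if [ "${0##*/}" = "chroot-prep.sh" ]; then
    prepare_jail "$JAIL" && link_devlog "$JAIL" /dev/log && mount_proc "$JAIL"
fi
```

The logrotate postrotate hook would call `devlog_points_into_jail "$JAIL" /dev/log` and only then send SIGHUP; TCP/UDP sources need no such preparation, as the reply notes, because the jailed process can reopen them itself.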