[syslog-ng]FAQ-seeding: chroot jail procedure for Syslog-ng

Balazs Scheidler syslog-ng@lists.balabit.hu
Mon, 24 Jan 2005 14:13:44 +0100


On Mon, 2005-01-24 at 11:19 +0100, Wolfgang Braun wrote:
> On Mon, Jan 24, 2005 at 10:04:28AM +0100, Balazs Scheidler wrote:
> > On Sun, 2005-01-23 at 22:03 +0100, Wolfgang Braun wrote:
> > > 
> > > If you use logrotate/newsyslog to rotate logfiles things will break if
> > > you read from 514/udp/tcp or any other privileged sources (like
> > > /proc/kmsg on Linux) and send SIGHUP to syslog-ng to restart logfiles.
> > > Those resources are no longer available once you dropped privileges and
> > > went to jail.
> > 
> > /proc can be mounted inside the jail, so /proc/kmsg can be reopened
> > while inside the jail.
> 
> Good point, didn't think of that 
>  
> > A possible solution for /dev/log is to create it inside the jail and
> > make a symbolic link from outside pointing to inside.
> > 
> > There are no problems with opening TCP/UDP sources inside the jail.
> 
> Not with the jail itself but I cannot bind 514 when I dropped root
> privileges.

You can use restrict to give CAP_SYS_BIND capability to the syslog-ng
process (see http://www.balabit.com/downloads/restrict/) so you can bind
to port 514 though otherwise not running as root.

-- 
Bazsi
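The ordering problem discussed in this thread (chroot, drop root, and still be able to rebind 514/udp on SIGHUP) can be shown in a few lines of C. The following is an added example written for this archive page; it is not syslog-ng code, not the restrict tool, and not from anyone in the thread. It is Linux-specific and uses the raw capset(2) syscall so it does not need libcap. On Linux the capability that permits binding a port below 1024 is CAP_NET_BIND_SERVICE; the jail path and the uid/gid values in main() are placeholders.

```c
/* Added example: keep CAP_NET_BIND_SERVICE across chroot + setuid so a
 * jailed, unprivileged daemon can reopen a privileged UDP source later. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Ports 1..1023 need CAP_NET_BIND_SERVICE (or root) on Linux. */
int port_needs_privilege(int port) { return port > 0 && port < 1024; }

/* Open and bind a UDP listener on all interfaces.
 * Returns the fd, or -errno on failure.  Port 0 lets the kernel pick an
 * ephemeral port, which needs no privilege at all. */
int open_udp_source(int port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((uint16_t)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* chroot, then change uid/gid while retaining exactly one capability.
 * Must be called as root.  Returns 0 or -errno. */
int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);

    if (chroot(jail) < 0 || chdir("/") < 0) return -errno;
    /* Without this, setuid() to a non-root uid clears the permitted set
     * and a later bind(514) fails with EACCES, which is the breakage
     * described in the thread. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) return -errno;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -errno;
    /* setuid() empties the effective set; raise only what we need and
     * shrink the permitted set to the same single capability. */
    data[0].permitted = data[0].effective = (1u << CAP_NET_BIND_SERVICE);
    if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
    /* Back to default behaviour for any further uid changes. */
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) return -errno;
    return 0;
}

int main(void) {
    /* Placeholder jail path and ids; adjust to the real installation. */
    const char *jail = "/var/lib/syslog-ng-jail";
    if (geteuid() == 0) {
        int rc = enter_jail(jail, 65534, 65534);
        if (rc < 0) { fprintf(stderr, "enter_jail: %s\n", strerror(-rc)); return 1; }
    }
    /* This is the call a SIGHUP handler would repeat after log rotation;
     * it succeeds without root only because the capability was kept. */
    int fd = open_udp_source(geteuid() == 0 ? 514 : 0);
    if (fd < 0) { fprintf(stderr, "bind: %s\n", strerror(-fd)); return 1; }
    printf("udp source open on fd %d\n", fd);
    close(fd);
    return 0;
}
```

When run as root the program enters the jail and binds 514/udp as uid 65534; when run unprivileged it only demonstrates the ephemeral-port path. Mounting /proc inside the jail and creating /dev/log there with a symlink from outside, as suggested in the thread, are separate steps done at install time and are not shown here.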