[syslog-ng]FAQ-seeding: chroot jail procedure for Syslog-ng
Michael D. (Mick) Bauer
syslog-ng@lists.balabit.hu
Tue, 18 Jan 2005 10:18:44 -0600 (CST)
Hi, Nate et al. (No problem blasting this to the whole list -- my
procedure is for everyone's benefit/review/amusement :-)
Here's the version that just went to press in the 2nd edition of my
book (re-titled "Linux Server Security, 2nd Edition"). It worked for
me through what I hope was thorough testing, but if I've gotten
anything wrong, please let me know -- I've got an Errata website.
Regards to all,
Mick
*****
Building a chroot jail for Syslog-ng
To set up a nonprivileged account, a nonprivileged group, and a
chroot jail for Syslog-ng, follow this procedure:
1. su to root if you're not root already
2. Create an unprivileged group-account for Syslog-ng, e.g., by
adding the following line to /etc/group:
syslogng:x:77:
3. Create an unprivileged system account for syslog-ng, e.g., via
the following command:
bash-# useradd -d /var/logjail -g syslogng -r syslogng
(Note that in Linux, the "-r" flag tells useradd that this will be a
system account, causing useradd to automatically set the account's
shell to /bin/false and to choose an appropriately low value for its
UID.)
4. Create the jail:
bash-# mkdir -p /var/logjail/var/log
bash-# mkdir -p /var/logjail/etc/syslog-ng
bash-# mkdir /var/logjail/dev
bash-# mkdir /var/logjail/lib
(Our actual changed root will be /var/logjail, but it needs to
contain some subdirectories)
5. Move syslog-ng.conf into the jail, and turn its old location into
a symbolic link:
bash-# cd /etc/syslog-ng
bash-# mv ./syslog-ng.conf /var/logjail/etc/syslog-ng
bash-# ln -s /var/logjail/etc/syslog-ng/syslog-ng.conf \
syslog-ng.conf
6. Create jailed /dev/xconsole and /dev/tty10 devices:
bash-# cd /var/logjail/dev
bash-# mknod -m 0660 xconsole p
bash-# mknod -m 0660 tty10 c 4 10
bash-# chgrp syslogng ./xconsole ./tty10
7. Copy some things
bash-# cp /etc/localtime /var/logjail/etc
bash-# cp /etc/nsswitch.conf /var/logjail/etc
bash-# cp /etc/resolv.conf /var/logjail/etc
bash-# grep syslogng /etc/passwd > /var/logjail/etc/passwd
bash-# grep syslogng /etc/group > /var/logjail/etc/group
bash-# cp /lib/libnss.so.2 /var/logjail/lib
8. At this point the whole jail should be owned by the user root and
the group root, which is cool so long as the chroot directory itself
(/var/logjail/) is "other-executable," e.g., drwxr-xr-x. But
Syslog-ng must be able to create/write files in the jail's var/log/
subdirectory, so we need to tweak the latter's group-ownership and
-permissions, like so:
bash-# chgrp syslogng /var/logjail/var/log
bash-# chmod g+wx /var/logjail/var/log
9. That's it! We may now start Syslog-ng with the flags -C
/var/logjail -u syslogng -g syslogng
The master syslog-ng process will still read its config from
/etc/syslog-ng/syslog-ng.conf (not /var/logjail/etc/...), but
immediately after that it will chroot itself to the specified jail.
Note, however, that the paths you specify in syslog-ng.conf "file()"
statements should all be relative to the changed root. In other
words, use file("/var/log/messages"), not
file("/var/logjail/var/log/messages"). Any path you specify in
syslog-ng.conf will, in practical terms, end up with /var/logjail
automatically prepended to it.
*****
> Hello Mick,
>
> If you have another version of this you'd like me to post, let me
> know. I'm in a FAQ updating mood (I'm supposed to be writing my
> book so for some reason this has my attention instead, man I'm
> lame).
>
> On Mon, Aug 16, 2004 at 12:55:30PM -0500, Michael D. (Mick) Bauer
> wrote:
>> Thanks! I'll post a revised procedure later this week -- replies
>> have been trickling in.
>>
>> Cheers,
>> Mick
>>
>> > On Sun, 15 Aug 2004 14:21:27 -0500 (CDT)
>> > "Michael D. (Mick) Bauer" <darth.elmo@wiremonkeys.org> wrote:
>> >
>> >> So far I haven't noticed that anything else needs to be added
>> >> to the chroot jail (e.g., stuff from /dev or /etc), but if
>> >> anyone knows differently please speak up!
>> >
>> > Mick,
>> >
>> > It's been a while since I last set up syslog-ng in a chroot
>> > jail, but according to my notes I did the following on a
>> > recent Linux box:
>> >
>> > o copied the follow files to /path/to/chroot/lib:
>> >
>> > libnss_dns.so.2
>> > libnss_files.so.2
>> > libresolv.so.2
>> > libnsl.so.2
>> > libc.so.6
>> > ld-linux.so.2
>> >
>> > the first of which being the one that seemed to actually
>> > be required for correct operation in my case. I believe the
>> > others were just referenced libraries, but not actually
>> > called.
>> >
>> > o copied the following to /path/to/chroot/etc
>> >
>> > nsswitch.conf
>> > resolv.conf
>> > `grep syslogng passwd`
>> > `grep syslogng group`
>> >
>> > the last two being whatever user/group you used to run
>> > syslog-ng as.
>> >
>> > John
>> > _______________________________________________
>> > syslog-ng maillist - syslog-ng@lists.balabit.hu
>> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> > Frequently asked questions at
>> > http://www.campin.net/syslog-ng/faq.html
>>
>
> --
> Nate
>
> God does not play dice.
> -- Einstein
>
/-------------------------------------------------\
| Michael D. (Mick) Bauer |
| Security Editor, Linux Journal |
| Dir. of Value-Subtracted Svcs., Wiremonkeys.org |
\-------------------------------------------------/
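The nine steps above, gathered into one script as an added example; this is not code from Mick's book or from the syslog-ng project. It takes the jail path, the account names and the config path as arguments, so the whole build can be dry-run in a scratch directory by an unprivileged user before it is pointed at /var/logjail, and it goes a little beyond the procedure where a practitioner would want it to: the libraries copied into the jail are found with ldd plus the libnss_*.so.2 modules named in nsswitch.conf (generalising John's list below) instead of one hard-coded file, the passwd and group lines are selected by exact account name instead of grep, and the step 9 caveat about jail-relative file() paths is turned into a check. The function names, the BUILD_JAIL variable, the mkjail.sh file name and the umask 022 choice are the example's own assumptions; the -C/-u/-g flags are the ones given in step 9.

```sh
#!/bin/sh
# Added example (not Mick's book text, not syslog-ng project code): the
# chroot jail procedure as shell functions taking the jail path as an
# argument, so it can be dry-run in a scratch directory by a non-root
# user. Steps that need root (useradd, the tty10 mknod, chgrp to the
# service group) are skipped with a warning when the caller is not root.
set -u
umask 022   # everything created must be traversable/readable by the jailed user
is_root() { [ "$(id -u)" -eq 0 ]; }
# Steps 2-3: group and system account. Idempotent; the shell is given
# explicitly so the account is non-interactive whatever useradd defaults to.
make_service_account() {            # user group gid home
    getent group "$2" >/dev/null 2>&1 || groupadd -g "$3" "$2"
    getent passwd "$1" >/dev/null 2>&1 ||
        useradd -d "$4" -g "$2" -r -s /bin/false "$1"
}
# Steps 4 and 8: skeleton. Jail root and subdirectories stay root-owned
# 0755; only var/log is opened to the service group (0775 is what the
# procedure's g+wx on a fresh 0755 directory yields).
make_jail_tree() {                  # jail group
    mkdir -p "$1/var/log" "$1/etc/syslog-ng" "$1/dev" "$1/lib"
    chmod 0755 "$1" "$1/var" "$1/etc" "$1/etc/syslog-ng" "$1/dev" "$1/lib"
    chmod 0775 "$1/var/log"
    if is_root; then chgrp "$2" "$1/var/log"
    else echo "warning: not root, $1/var/log not chgrp'd to $2" >&2; fi
}
# Step 5: move the real config into the jail, leave a symlink behind.
# A second run finds the symlink already in place and does nothing.
install_conf() {                    # jail conf
    if [ -L "$2" ]; then return 0; fi
    target="$1/etc/syslog-ng/$(basename "$2")"
    mv "$2" "$target"
    ln -s "$target" "$2"
}
# Step 6: xconsole is a FIFO and needs no privilege; tty10 needs CAP_MKNOD.
make_jail_devs() {                  # jail group
    [ -p "$1/dev/xconsole" ] || mkfifo -m 0660 "$1/dev/xconsole"
    if ! is_root; then echo "warning: not root, skipping tty10 and chgrp" >&2; return 0; fi
    [ -c "$1/dev/tty10" ] || mknod -m 0660 "$1/dev/tty10" c 4 10 ||
        echo "warning: mknod tty10 failed (no CAP_MKNOD in this container?)" >&2
    for d in "$1"/dev/*; do chgrp "$2" "$d"; done
}
# Step 7: support files. An exact first-field match replaces the
# procedure's "grep syslogng", which would also match a user named
# xsyslogng or a GECOS field; getent is tried first so NSS-backed
# accounts work too, with an awk fallback where getent is missing.
copy_support_files() {              # jail user group
    for f in /etc/localtime /etc/nsswitch.conf /etc/resolv.conf; do
        if [ -e "$f" ]; then cp -L "$f" "$1/etc/"; fi   # -L: no symlink pointing outside the jail
    done
    { getent passwd "$2" 2>/dev/null || awk -F: -v u="$2" '$1==u' /etc/passwd; } > "$1/etc/passwd"
    { getent group "$3" 2>/dev/null || awk -F: -v g="$3" '$1==g' /etc/group; } > "$1/etc/group"
}
# Generalised from the single "cp libnss.so.2": copy what the binaries
# link per ldd, plus the libnss_*.so.2 modules nsswitch.conf names,
# which ldd cannot see because glibc dlopen()s them at run time.
copy_libs() {                       # jail bin...
    jail=$1; shift
    {
        for b in "$@"; do ldd "$b" 2>/dev/null || true; done
        awk '$1 !~ /^#/ {for (i = 2; i <= NF; i++) print "libnss_" $i ".so.2"}' /etc/nsswitch.conf 2>/dev/null |
            sort -u | while read -r m; do find /lib/ /lib64/ /usr/lib/ -name "$m" 2>/dev/null || true; done
    } | awk '$2 == "=>" {print $3} $1 ~ /^\// {print $1}' | sort -u | while read -r lib; do
        [ -e "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"
    done
}
# Step 9's caveat as a check: a quoted path that already carries the jail
# prefix would land under /var/logjail/var/logjail/... after the chroot.
# Returns 0 if clean, otherwise 1 and prints the offending lines.
lint_conf_paths() {                 # jail conf
    ! grep -nF "\"$1/" "$2"
}
build_jail() {                      # jail user group gid conf bin...
    jail=$1 user=$2 group=$3 gid=$4 conf=$5; shift 5
    if is_root; then make_service_account "$user" "$group" "$gid" "$jail"
    else echo "warning: not root, account $user:$group not created" >&2; fi
    make_jail_tree "$jail" "$group"
    install_conf "$jail" "$conf"
    make_jail_devs "$jail" "$group"
    copy_support_files "$jail" "$user" "$group"
    copy_libs "$jail" "$@"
    lint_conf_paths "$jail" "$conf" ||
        echo "warning: the file() paths listed above already carry the jail prefix" >&2
}
# Real run, as root:  BUILD_JAIL=yes sh mkjail.sh   (mkjail.sh is an assumed name)
if [ "${BUILD_JAIL:-no}" = yes ]; then
    build_jail /var/logjail syslogng syslogng 77 /etc/syslog-ng/syslog-ng.conf "$(command -v syslog-ng)" &&
        echo "now start: syslog-ng -C /var/logjail -u syslogng -g syslogng"
fi
```

Run it once without BUILD_JAIL set and it only defines the functions, so `build_jail /tmp/trial syslogng syslogng 77 /tmp/trial-conf /usr/sbin/syslog-ng` can be used to inspect the resulting tree (ownership warnings included) before the real run; the lint warning is the thing to look at if syslog-ng later writes into a nested /var/logjail inside the jail.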