On Tue, Nov 18, 2008 at 4:10 PM, <[EMAIL PROTECTED]> wrote:
> On Tue, 18 Nov 2008, Don Jackson wrote:
>
>> I had the following questions:
>>
>> Would it be possible (optionally) to have rsyslogd chroot to a
>> particular directory on startup?
>> That seems the safest. One could configure a disk partition for log
>> messages, configure rsyslogd to log there,
>
> chroot doesn't help. if you have rsyslog set to log to a separate
> partition it can only fill that partition, but it can fill _all of that
> partition even if you chroot into a subdirectory on that partition.

Yes, but chrooting precludes any possibility of a rogue syslog agent filling up /other/ partitions. In the event that a security compromise were found in the rsyslogd service itself, it also confines an attacker's damage to the chrooted environment. Paired with non-root privileges, that's decent insurance against a full-on machine ownage.

>> and also chroot to a directory on that partition, so if the rsyslogd
>> process itself is compromised,
>> it can't do other damage.
>
> that gives you protection if you are receiving logs from the network, but
> if you are receiving logs from /dev/log (local logs) you can't go into a
> chroot effectively
>
>> There must be a way to have a daemon run as a non-root user, and also
>> to open ports < 1024.
>> This seems to be done all the time on *bsd machines:
>
> the POSIX standard still calls for ports < 1024 to require root to bind to
> them, different systems have different ways to be non-compliant with the
> standard and let you do so anyway. what OS are you using?

OpenBSD has solved problems like this with their own daemons by following two (general) stages of startup:

- Privileged, where the daemon reads its config file and opens the necessary sockets (but doesn't yet listen on them). It then chroots itself and drops its privileges:
- Unprivileged, where the daemon begins communication with the rest of the environment and performs whatever job is required of it

For a concise discussion of how this applies to Apache (the best explanation I've found in their docs), see:
http://www.openbsd.org/faq/faq10.html#httpdchroot

-HKS
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
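The two-stage startup described above, as an added C example (not rsyslog's or OpenBSD's code): bind the privileged socket first, then chroot and switch to an unprivileged user, and only then listen. The jail directory `/var/empty`, the user `nobody` and the use of port 514 are assumptions for illustration; the test path below binds an ephemeral port so it runs without root.

```c
#define _DEFAULT_SOURCE
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>

/* Stage 1 (privileged; root is needed for ports < 1024): create and bind the
   socket on loopback but do not listen yet. Port 0 asks for an ephemeral port. */
int open_listener(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}
/* Confine to the jail and switch to an unprivileged user. Order matters: chroot and
   chdir while still root, drop groups and gid before uid, then confirm root is gone. */
int drop_privileges(const char *jail, const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    if (chroot(jail) < 0 || chdir("/") < 0) return -1;
    if (setgroups(1, &pw->pw_gid) < 0 || setgid(pw->pw_gid) < 0) return -1;
    if (setuid(pw->pw_uid) < 0) return -1;
    if (setuid(0) == 0) return -1; /* the privilege drop did not stick */
    return 0;
}
/* Stage 2 (unprivileged): only now start accepting connections. */
int serve(int fd) { return listen(fd, 16); }
/* Reports which local port the socket actually got (for checking). */
int bound_port(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}
int main(void) {
    int fd = open_listener(514); /* syslog-over-TCP port; needs root (privileged stage) */
    if (fd < 0) { perror("bind"); return 1; }
    /* "/var/empty" and "nobody" are assumed placeholders; adjust to the host. */
    if (drop_privileges("/var/empty", "nobody") < 0) { perror("drop_privileges"); return 1; }
    if (serve(fd) < 0) { perror("listen"); return 1; }
    printf("listening on port %d as uid %d\n", bound_port(fd), (int)getuid());
    return 0;
}
```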

