Add the two new cagefsctl commands to the CLI reference table and
update the CageFS Syslog section with usage instructions for the
cagefs-no-dev-log feature flag.
docs/cloudlinuxos/cloudlinux_os_components/README.md (22 additions & 4 deletions)
@@ -2919,17 +2919,35 @@ add <span class="notranslate"> `clean_user_php_sessions=false` line to _/etc/sys
2919
2919
#### Syslog
2920
2920
2921
2921
2922
-
By default, <span class="notranslate"> _/dev/log_ </span> should be available inside end user's <span class="notranslate"> CageFS </span> . This is needed so that user's cronjobs and other things that user <span class="notranslate"> _dev/log_ </span> would get recorded in the system log files.
2922
+
By default, <span class="notranslate"> _/dev/log_ </span> should be available inside end user's <span class="notranslate"> CageFS </span> . This is needed so that user's cronjobs and other things that use <span class="notranslate"> _/dev/log_ </span> would get recorded in the system log files.
2923
+
2924
+
##### Disabling /dev/log in CageFS
2925
+
2926
+
When <span class="notranslate"> _/dev/log_ </span> is available inside CageFS, jailed users can write arbitrary messages to the system log (e.g. via the <span class="notranslate"> `logger` </span> binary or by writing to the socket directly), which may be used to insert or spoof log entries. To prevent this, disable <span class="notranslate"> _/dev/log_ </span> inside CageFS using the <span class="notranslate"> `cagefs-no-dev-log` </span> feature flag:
2923
2927
2924
-
This is controlled using file <span class="notranslate"> _/etc/rsyslog.d/schroot.conf_ </span> with the following content:
To remove presence of <span class="notranslate"> _dev/log_ </span> inside CageFS, remove that file, and restart rsyslog service.
2935
+
This command removes <span class="notranslate"> _/dev/log_ </span> from the CageFS skeleton, updates the syslog configuration, and remounts all CageFS users. User processes inside CageFS will no longer be able to write to the system log via <span class="notranslate"> _/dev/log_ </span>.
2936
+
2937
+
To restore <span class="notranslate"> _/dev/log_ </span> in CageFS:
2938
+
2939
+
<div class="notranslate">
2940
+
2941
+
```
2942
+
cagefsctl --disable-cagefs-no-dev-log
2943
+
```
2944
+
</div>
2945
+
2946
+
These commands automatically update the syslog configuration depending on the system setup:
2947
+
2948
+
* **Legacy syslog** (systems with <span class="notranslate"> _/etc/sysconfig/syslog_ </span>): the <span class="notranslate"> `-a /usr/share/cagefs-skeleton/dev/log` </span> option is removed from or added back to <span class="notranslate"> `SYSLOGD_OPTIONS` </span>, and the syslog service is restarted.
2949
+
* **rsyslog** (systems with <span class="notranslate"> _/etc/rsyslog.conf_ </span>): the drop-in config file <span class="notranslate"> _/etc/rsyslog.d/cagefs-syslog-socket.conf_ </span> (containing <span class="notranslate"> `$AddUnixListenSocket /usr/share/cagefs-skeleton/dev/log` </span>) is deleted or recreated, and the rsyslog service is restarted.
2950
+
* **systemd-journal** (systems where <span class="notranslate"> _/dev/log_ </span> is a symlink to <span class="notranslate"> _/run/systemd/journal/dev-log_ </span>): the socket is mounted directly into the CageFS skeleton as a hardlink; no syslog or rsyslog configuration changes are needed.
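Review bot: the systemd-journal bullet at the end of the hunk says the socket is "mounted directly into the CageFS skeleton as a hardlink", which mixes two different mechanisms (a mount and a hardlink); say which one it is, and state what `cagefsctl --enable-cagefs-no-dev-log` and `cagefsctl --disable-cagefs-no-dev-log` actually do on such systems, because "no syslog or rsyslog configuration changes are needed" leaves the reader unsure whether the socket is removed from the skeleton at all. Also, the removed lines told administrators to delete `/etc/rsyslog.d/schroot.conf` by hand, while the new rsyslog bullet manages `/etc/rsyslog.d/cagefs-syslog-socket.conf`; a sentence on how servers that followed the old manual procedure should migrate, or whether the new command accounts for the old file, would avoid leaving two configurations in place.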