Web lists-archives.com

Re: Systemd with chroot and under unprivileged user




On Tue, May 07, 2019 at 11:08:38AM +0200, Peter Viskup wrote:
> Running Debian9 with systemd 241-3~bpo9+1 from backports.
> Having trouble to start rsyslog service in chroot jail using the systemd
> service file with RootDirectory and User settings.
> Setting AmbientCapabilities=CAP_SYS_CHROOT does not help and still getting
> following errors:
> 
>  rsyslog-chroot@inst.service: Changing to the requested working directory
> failed: Operation not permitted
>  rsyslog-chroot@inst.service: Failed at step CHROOT spawning
> /usr/sbin/rsyslogd: Operation not permitted

This seems to indicate that rsyslogd is trying to chdir() to some
directory it is not allowed to...

>  rsyslog-chroot@inst.service: Main process exited, code=exited,
> status=210/CHROOT
> 
> Any idea how to get it working properly? Starting without the User setting
> is working just fine.

No idea about systemd, but rsyslogd man page says:

  OPTIONS

    [...]
    -C  This prevents rsyslogd from changing to the root directory.
        This is almost never a good idea in production use. This
        option was introduced  in  support  of  the internal testbed.

So perhaps it's just rsyslogd trying (and failing) to chdir() to /
while in a chroot jail (surprise?). A run under strace might confirm
that. Setting option -C might help in debugging that.

Whether (assuming my shot in the dark is a hit) you /want/ to do
something the doc qualifies as being "almost never a good idea"
would be left as an exercise to the reader ;-)

HTH
-- t

Attachment: signature.asc
Description: Digital signature