Probably written near 2005.
Chroot your UltimateIRCd on OpenBSD

COPYRIGHT
Lars Sommer, [email protected]

LICENSE:
This document is free. You may do with it what you want, as long as you
keep this copyright and license notice unmodified.
If this document helps you, and you like it, please give me a beer, if we
ever meet.

This guide is for UltimateIRCd 3.0.1 running on OpenBSD 3.7

This file contains:
1.0 Intro
 1.1 What you need
 1.2 What is chroot?
 1.3 Why should I use it?
2.0 Creating the environment
 2.1 Adding user and group
 2.2 Making chroot environment
 2.3 Making dev-fs for it (only openbsd)
3.0 Installing the ircd in the jail
 3.1 Compiling UltimateIRCd
 3.2 Moving it to the chroot jail
 3.3 Testing it
4.0 Scripts for start and stop


1.0 Intro

1.1 What you need
A working UltimateIRCd 3.0.1 (it should work with other versions also, but
that is not tested)
A system with chroot. I use OpenBSD, but it should work fine on others as
well.
Some general unix-permission and -command knowledge
If I forget some chmod's in this guide, fix it yourself?

1.2 What is chroot?
This is chroot:
http://en.wikipedia.org/wiki/Chroot
http://en.wikipedia.org/wiki/Chroot_jail
http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html
If your system has the command "chroot", do a "man chroot".

1.3 Why should I use it?
I think you should chroot UltimateIRCd, because the program is not in the
OpenBSD ports, which means that the OpenBSD developers have not verified
and tested the program's security.
By chroot'ing it, it _should_ not be able to do much harm to the system if
a security breach happens.


2.0 Creating the environment

2.1 Adding user and group
We do not want to run the ircd as root, so let us add a user for it:
  useradd -c "IRCd user" -s /usr/bin/false -d /home/ircd -G ircd ircd

2.2 Making chroot environment
Create the folder which is to be the root of the jail:
  mkdir /home/ircd
Use ldd to check which libs the ircd uses:
  ldd /pathtoircd/bin/ircd
I get these:
  /usr/lib/libssl.so.9.0
  /usr/lib/libcrypto.so.11.0
  /usr/lib/libc.so.34.2
  /usr/libexec/ld.so
Make folders and copy the libs to the chroot jail:
  mkdir /home/ircd/usr
  mkdir /home/ircd/usr/lib
  mkdir /home/ircd/usr/libexec
  cp youshouldbeabletousecp
We should have the user info inside the jail as well, so:
  mkdir /home/ircd/etc
  grep ircd /etc/passwd > /home/ircd/etc/passwd
  grep ircd /etc/group > /home/ircd/etc/group
We would like localtime, resolv.conf and hosts in there also:
  cp /etc/localtime /home/ircd/etc/
  cp /etc/resolv.conf /home/ircd/etc/
  cp /etc/hosts /home/ircd/etc/

2.3 Making dev-fs for it
This is only needed in OpenBSD, because OpenBSD does not allow mknod's
anywhere
  cd /home/ircd
  mkdir dev
  dd if=/dev/zero of=devfs bs=1024 count=256
  vnconfig -c -v /dev/svnd0c devfs
  newfs /dev/svnd0c
  mount /dev/svnd0c dev
Now you can use mknod:
(This is possibly enough on other systems than OpenBSD)
  cd dev
  mknod -m 444 arandom c 45 2
  mknod -m 666 null c 2 2


3.0 Installing the ircd in the jail

3.1 Compiling UltimateIRCd
I presume you have a working ircd.conf, ircd.ini and network-file.
You should be able to find another doc from me about it, if not.
Go get the source-ball, untar and configure (notice the prefix, which will
help us later):
  ./configure --prefix=/ircd --enable-openssl=
Go make and make install.
Copy your working conf-files to the new folder in /ircd

3.2 Moving it to the chroot jail
Move the entire /ircd into /home/ircd:
  mv /ircd /home/ircd
Now you should fix permissions in /home/ircd to something clever..

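Added example (not part of the original guide): a small sh script for the library step in 2.2 that reads the ldd listing and copies every library to the same path below the jail root, instead of copying each one by hand. It assumes ldd prints an absolute path as the last field of each library line; the function names, the script name jail-libs.sh and the sample listing are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Print the absolute library paths found in ldd output read from stdin.
# Assumption: every library line ends with an absolute path. $1 is the
# binary itself, which ldd also lists and which must not be copied.
ldd_paths() {
    awk -v self="$1" '$NF ~ /^\// && $NF !~ /:$/ && $NF != self { print $NF }' |
        LC_ALL=C sort -u
}

# Copy each path read from stdin to the same location below jail root $1.
# $2 is an optional source prefix, only useful for a dry run on a scratch tree.
copy_into_jail() {
    jail=$1
    src=${2:-}
    while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")" || return 1
        cp -p "$src$lib" "$jail$lib" || return 1
    done
}

# Constructed sample listing (addresses invented) with the libraries from 2.2.
sample_ldd() {
    cat <<'EOF'
/pathtoircd/bin/ircd:
    Start    End      Type Ref Name
    00000000 00000000 exe  1   /pathtoircd/bin/ircd
    0a1b2000 2a1e9000 rlib 1   /usr/lib/libssl.so.9.0
    0c3d4000 2c45a000 rlib 1   /usr/lib/libcrypto.so.11.0
    0e5f6000 2e6b1000 rlib 1   /usr/lib/libc.so.34.2
    0f708000 0f708000 rtld 1   /usr/libexec/ld.so
EOF
}

# Real use: sh jail-libs.sh /pathtoircd/bin/ircd /home/ircd
if [ $# -eq 2 ]; then
    ldd "$1" | ldd_paths "$1" | copy_into_jail "$2"
fi
```

The jail keeps its own copies of the libraries, so run this again whenever a system upgrade changes the library versions the ircd is linked against.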
3.3 Testing it
Try to start the ircd:
  chroot -u ircd /home/ircd /ircd/bin/ircd
If it seems to work, try to connect to it, and see if everything is ok.


4.0 Scripts for start and stop

This can go in /etc/rc.local:
  #ircd
  if [ -x /home/ircd/ircd.rc ]; then
    echo -n ' ircd'; /home/ircd/ircd.rc start
  fi

This can go in /etc/rc.shutdown:
  #ircd
  if [ -x /home/ircd/ircd.rc ]; then
    echo -n ' ircd'; /home/ircd/ircd.rc stop
  fi

The ircd.rc file could look like this:
  #!/bin/sh

  ircd_start () {
    # Attach the image file from 2.3; absolute path, because rc scripts
    # are not run from /home/ircd
    vnconfig -c -v /dev/svnd0c /home/ircd/devfs
    newfs /dev/svnd0c
    mount /dev/svnd0c /home/ircd/dev
    # Recreate the device nodes on the fresh filesystem
    mknod -m 444 /home/ircd/dev/arandom c 45 2
    mknod -m 666 /home/ircd/dev/null c 2 2
    # Start the ircd inside the jail as the unprivileged user
    chroot -u ircd /home/ircd /ircd/bin/ircd
  }

  ircd_stop () {
    cd /home/ircd/ircd
    /home/ircd/ircd/kill
    umount /dev/svnd0c
    vnconfig -u /dev/svnd0c
  }

  case "$1" in
  'start')
    ircd_start
    ;;
  'stop')
    ircd_stop
    ;;
  *)
    echo "Usage: ircd.rc {start|stop}"
    exit 1
  esac