Chroot your UltimateIRCd on OpenBSD
Probably written near 2005.
COPYRIGHT Lars Sommer, lasg@lasg.dk
LICENSE: This document is free. You may do with it what you want, as long as
you keep this copyright and license notice unmodified. If this document helps
you, and you like it, please give me a beer, if we ever meet.
This guide is for UltimateIRCd 3.0.1 running on OpenBSD 3.7
This file contains:
1.0 Intro
1.1 What you need
1.2 What is chroot?
1.3 Why should I use it?
2.0 Creating the environment
2.1 Adding user and group
2.2 Making chroot environment
2.3 Making dev-fs for it (only OpenBSD)
3.0 Installing the ircd in the jail
3.1 Compiling UltimateIRCd
3.2 Moving it to the chroot jail
3.3 Testing it
4.0 Scripts for start and stop
1.0 Intro
1.1 What you need
A working UltimateIRCd 3.0.1
(It should work with other versions also, but not tested)
A system with chroot. I use OpenBSD, but it should work fine in others as well.
Some general unix-permission and -command knowledge
If I forget some chmod's in this guide, fix it yourself?
1.2 What is chroot?
This is chroot:
http://en.wikipedia.org/wiki/Chroot
http://en.wikipedia.org/wiki/Chroot_jail
http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&apropos=0&sektion=8&manpath=OpenBSD+Current&arch=i386&format=html
If your system has the command "chroot", do a "man chroot".
1.3 Why should I use it?
I think you should chroot UltimateIRCd, because the program is not in the
OpenBSD ports, which means that the OpenBSD developers have not verified and
tested the program's security.
By chroot'ing it, it _should_ not be able to do much harm to the system if
a security breach happens.
2.0 Creating the environment
2.1 Adding user and group
We do not want to run the ircd as root, so let us add a group and a user for
it (the group must exist before useradd can put the user in it):
    groupadd ircd
    useradd -c "IRCd user" -s /usr/bin/false -d /home/ircd -G ircd ircd
2.2 Making chroot environment
Create the folder which is to be the root of the jail:
    mkdir /home/ircd
Use ldd to check which libs the ircd uses:
    ldd /pathtoircd/bin/ircd
I get these:
    /usr/lib/libssl.so.9.0
    /usr/lib/libcrypto.so.11.0
    /usr/lib/libc.so.34.2
    /usr/libexec/ld.so
Make folders and copy the libs to the chroot-jail (use the paths your own ldd
printed):
    mkdir /home/ircd/usr
    mkdir /home/ircd/usr/lib
    mkdir /home/ircd/usr/libexec
    cp /usr/lib/libssl.so.9.0 /usr/lib/libcrypto.so.11.0 /usr/lib/libc.so.34.2 /home/ircd/usr/lib/
    cp /usr/libexec/ld.so /home/ircd/usr/libexec/
We should also have the user info inside the jail, so:
    mkdir /home/ircd/etc
    grep '^ircd:' /etc/passwd > /home/ircd/etc/passwd
    grep '^ircd:' /etc/group > /home/ircd/etc/group
We would like localtime, resolv.conf and hosts in there also:
    cp /etc/localtime /home/ircd/etc/
    cp /etc/resolv.conf /home/ircd/etc/
    cp /etc/hosts /home/ircd/etc/
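The ldd-and-copy step in 2.2 can be scripted so that no library is forgotten.
This is an added example, not part of the original guide; the function names,
the SAMPLE_LDD text (constructed, not captured from a real system) and the
optional source-root argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names, SAMPLE_LDD and
# the optional source-root argument are assumptions made for illustration.

# Constructed sample in the general layout of OpenBSD ldd output, using the
# libraries listed in the guide (addresses and columns are made up).
SAMPLE_LDD='/pathtoircd/bin/ircd:
	Start    End      Type Ref Name
	00000000 00000000 exe   1  /pathtoircd/bin/ircd
	00000000 00000000 rlib  1  /usr/lib/libssl.so.9.0
	00000000 00000000 rlib  1  /usr/lib/libcrypto.so.11.0
	00000000 00000000 rlib  1  /usr/lib/libc.so.34.2
	00000000 00000000 rtld  1  /usr/libexec/ld.so'

# Read ldd output on stdin and print every shared object it names: any line
# whose last field is an absolute path ending in ".so" or containing ".so.".
# The header, the "binary:" line and the executable itself do not match.
ldd_libs() {
    awk '$NF ~ /^\// && ($NF ~ /\.so\./ || $NF ~ /\.so$/) { print $NF }' |
        sort -u
}

# Read library paths on stdin and copy each to the same path below the jail,
# e.g. /usr/lib/libc.so.34.2 -> $jail/usr/lib/libc.so.34.2.
# $2 is an optional prefix for the source files, so the copy can be rehearsed
# from a staging tree. Returns non-zero if any library could not be copied,
# because a jail missing one library only fails when the ircd is started.
populate_jail() {
    jail=$1
    srcroot=${2:-}
    rc=0
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        if [ ! -f "$srcroot$lib" ]; then
            echo "missing: $srcroot$lib" >&2
            rc=1
            continue
        fi
        mkdir -p "$jail$(dirname "$lib")" &&
            cp -p "$srcroot$lib" "$jail$lib" || rc=1
    done
    return $rc
}

# Real use, as root:
#   ldd /pathtoircd/bin/ircd | ldd_libs | populate_jail /home/ircd
```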
2.3 Making dev-fs for it
This is only needed in OpenBSD, because OpenBSD does not allow mknod's
anywhere:
    cd /home/ircd
    mkdir dev
    dd if=/dev/zero of=devfs bs=1024 count=256
    vnconfig -c -v /dev/svnd0c devfs
    newfs /dev/svnd0c
    mount /dev/svnd0c dev
Now you can use mknod (this alone is possibly enough on systems other than
OpenBSD):
    cd dev
    mknod -m 444 arandom c 45 2
    mknod -m 666 null c 2 2
3.0 Installing the ircd in the jail
3.1 Compiling UltimateIRCd
I presume you have some working ircd.conf, ircd.ini and network-file.
You should be able to find another doc from me about it, if not.
Go get the source-ball, untar and configure (notice the prefix, which will
help us later):
    ./configure --prefix=/ircd --enable-openssl=
Go make and make install.
Copy your working conf-files to the new folder in /ircd.
3.2 Moving it to the chroot jail
Move the entire /ircd into /home/ircd:
    mv /ircd /home/ircd
Now you should fix permissions in /home/ircd to something clever..
3.3 Testing it
Try to start the ircd:
    chroot -u ircd /home/ircd /ircd/bin/ircd
If it seems to work, try to connect to it, and see if everything is ok.
4.0 Scripts for start and stop
This can go in /etc/rc.local:
    #ircd
    if [ -x /home/ircd/ircd.rc ]; then
        echo -n ' ircd'; /home/ircd/ircd.rc start
    fi
This can go in /etc/rc.shutdown:
    #ircd
    if [ -x /home/ircd/ircd.rc ]; then
        echo -n ' ircd'; /home/ircd/ircd.rc stop
    fi
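The ircd.rc-file could look like this:
    #!/bin/sh
    # Start/stop script for the chrooted ircd; run as root.

    ircd_start () {
        # Attach the devfs image from 2.3 and mount it as the jail's /dev.
        # The image path is absolute, because rc.local does not run from
        # /home/ircd. newfs wipes the image, so the device nodes are
        # created again on every start.
        vnconfig -c -v /dev/svnd0c /home/ircd/devfs
        newfs /dev/svnd0c
        mount /dev/svnd0c /home/ircd/dev
        mknod -m 444 /home/ircd/dev/arandom c 45 2
        mknod -m 666 /home/ircd/dev/null c 2 2
        # Drop to the ircd user and start the daemon inside the jail.
        chroot -u ircd /home/ircd /ircd/bin/ircd
    }

    ircd_stop () {
        # Stop the daemon with the kill script in the ircd folder, then
        # unmount and detach the dev filesystem.
        cd /home/ircd/ircd
        /home/ircd/ircd/kill
        umount /dev/svnd0c
        vnconfig -u /dev/svnd0c
    }

    case "$1" in
    'start')
        ircd_start
        ;;
    'stop')
        ircd_stop
        ;;
    *)
        echo "Usage: ircd.rc {start|stop}"
        exit 1
        ;;
    esac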