Update: The author of uchroot has contacted me to let me know that a non-fixable local root exploit has been discovered in it. I have updated the text below to reflect a replacement method.
I wanted to set up an ircd for my friends and I to use, but since I try to be sufficiently paranoid I wanted to do this in a chroot jail. I chose Hybrid Ircd as it is very popular and well tested, but was surprised to find no documentation online explaining how best to implement it in a chroot environment. Maybe my google-fu was off, but I figured I'd document it here for others to find. I'm sure I didn't do it the best way, please feel free to leave improved instructions in the comments.
- Configure Hybrid Ircd. I used this configure call ./configure --prefix=/usr/local/hybrid-ircd --enable-rtsigio
- Edit include/config.h and add this line above the other dir definitions: #define IRCD_PREFIX "/"
- make && make install
- cp /etc/services, /etc/protocols, and /etc/resolv.conf to /usr/local/hybrid-ircd/etc
- cp src/ircd-hybrid-7.0.3/doc/simple.conf /usr/local/hybrid-ircd/etc/ircd.conf then edit it to your liking
- create a /usr/local/hybrid-ircd/lib directory
- run ldd ircd and copy all needed libs to the new lib dir
- At this point I tried running /usr/sbin/chroot but ran into a nice catch-22: in order to run chroot you need to be root, but hybrid ircd refuses to run as root!
Got around this by downloading, inspecting the source and compiling uchroot whichs runs setuid as root then drops privs.To get around this problem you need to copy /bin/su into the chroot jail and set up a mock user system there. I used the instructions found here. Since I was on a Redhat 7.x system I had to do the extra step listed there also.
- I created a script in /usr/local/hybrid-ircd/start-ircd.bash with this line in it: su -c "/bin/ircd -foreground -dlinefile /etc/dline.conf -configfile /etc/ircd.conf -klinefile /etc/kline.conf -logfile /logs/ircd.log -pidfile ircd.pid" peon
- finally I was able to start ircd in a chroot jail like this: /usr/sbin/chroot /usr/local/hybrid-ircd /bin/bash /start-ircd.bash (run as root)
I'm not sure if I needed all those command line parameters as they should be the same as the hardcoded defaults, but I haven't tried starting it again without them yet as my friends and I already are using the server.
So there you go. Note chroot isn't perfect, but it certainly makes me feel safer.
Ezra mentioned some disturbing art on the walls at 111 Minna, so I stopped to check it out today. It was a photography exhibit, the bulk of which portrayed the colorful life of California punk rockers in classy black and white. Lots of inebriated moments involving bodily fluids, fresh stitches and nudity. Possibly the most disturbing of this genre was the man urinating in his own mouth (I decided not to take a camphone shot of that one).
It could have been my brother Marcus' photo album though, so I didn't find it all that shocking :)
I found one photo that looked like our housemate Toni:
And a couple of others I liked:
I think the one that made me flinch the most was a huge color shot of the posterior of a bloated cow in a state of rigor mortis lying on its side with an also dead calf-fetus behind it that appears to have been forcibly ejected from the womb. Whew. Just typing that made my eyes twitch. I didn't get a shot of it because I was afraid of getting busted by the gallery employees.
If you're in the mood for grim phototgraphy, hurry down to 111 Minna!
What makes a good manager?
Eric Nehrlich says it is a good information carnivore. Researchers at the University of Surrey say it is a successful psychopath.
Although I didn't really want to leave Indochina, and felt an especially strong sense of stationary inertia in the village of Pai in Thailand, it is nice to be back in the stimulating environment of San Francisco. A few days after I got back I attended another Long Now seminar, entitled "Religious War in Light of the Infinite Game" delivered by James P. Carse.
Carse is a retired NYU professor who taught history and literature of religion (is this different than 'religious literature' I wonder?). He wrote a popular book Finite and Infinite Games which describes a finite game as one where the participants' intend to win and an infinite game as one where the goal is to keep the game going.
He offers War as the ultimate example of a finite game and Religion as the ultimate example of an infinite game. It was an enjoyable lecture, despite my nigh-psychedelic state of jet lag. He told some charming anecdotes from his personal life and gave brief overviews of his ideas including relevant bits from Hegel and Nietsche.
I'm not sure I agree with his assertion that the popular religions of today are the longest running infinite games. It seems to me that life itself, in terms of biological molecular entities (complex adaptive learning machines) playing in an ecological arena, is the longest running infinite game.
Update: I weaseled out of actually typing in my notes from the lecture, but someone else wasn't as lazy so if you want to read more about Infinite Games check here.