Update: The author of uchroot has contacted me to let me know that a non-fixable local root exploit has been discovered in it. I have updated the text below to reflect a replacement method.
I wanted to set up an ircd for my friends and I to use, but since I try to be sufficiently paranoid I wanted to do this in a chroot jail. I chose Hybrid Ircd as it is very popular and well tested, but was surprised to find no documentation online explaining how best to implement it in a chroot environment. Maybe my google-fu was off, but I figured I'd document it here for others to find. I'm sure I didn't do it the best way, please feel free to leave improved instructions in the comments.
- Configure Hybrid Ircd. I used this configure call ./configure --prefix=/usr/local/hybrid-ircd --enable-rtsigio
- Edit include/config.h and add this line above the other dir definitions: #define IRCD_PREFIX "/"
- make && make install
- cp /etc/services, /etc/protocols, and /etc/resolv.conf to /usr/local/hybrid-ircd/etc
- cp src/ircd-hybrid-7.0.3/doc/simple.conf /usr/local/hybrid-ircd/etc/ircd.conf then edit it to your liking
- create a /usr/local/hybrid-ircd/lib directory
- run ldd ircd and copy all needed libs to the new lib dir
- At this point I tried running /usr/sbin/chroot but ran into a nice catch-22: in order to run chroot you need to be root, but hybrid ircd refuses to run as root!
Got around this by downloading, inspecting the source and compiling uchroot whichs runs setuid as root then drops privs.To get around this problem you need to copy /bin/su into the chroot jail and set up a mock user system there. I used the instructions found here. Since I was on a Redhat 7.x system I had to do the extra step listed there also. - I created a script in /usr/local/hybrid-ircd/start-ircd.bash with this line in it: su -c "/bin/ircd -foreground -dlinefile /etc/dline.conf -configfile /etc/ircd.conf -klinefile /etc/kline.conf -logfile /logs/ircd.log -pidfile ircd.pid" peon
- finally I was able to start ircd in a chroot jail like this: /usr/sbin/chroot /usr/local/hybrid-ircd /bin/bash /start-ircd.bash (run as root)
Comments