chroot hybrid ircd
Posted by dav at 2005 January 31 10:34 AM
File under: Geek

Update: The author of uchroot has contacted me to let me know that a non-fixable local root exploit has been discovered in it. I have updated the text below to reflect a replacement method.

I wanted to set up an ircd for my friends and me to use, but since I try to be sufficiently paranoid I wanted to do this in a chroot jail. I chose Hybrid Ircd as it is very popular and well tested, but was surprised to find no documentation online explaining how best to implement it in a chroot environment. Maybe my google-fu was off, but I figured I'd document it here for others to find. I'm sure I didn't do it the best way, so please feel free to leave improved instructions in the comments.


  1. Configure Hybrid Ircd. I used this configure call: ./configure --prefix=/usr/local/hybrid-ircd --enable-rtsigio
  2. Edit include/config.h and add this line above the other dir definitions: #define IRCD_PREFIX "/"
  3. make && make install
  4. cp /etc/services, /etc/protocols, and /etc/resolv.conf to /usr/local/hybrid-ircd/etc
  5. cp src/ircd-hybrid-7.0.3/doc/simple.conf /usr/local/hybrid-ircd/etc/ircd.conf then edit it to your liking
  6. Create a /usr/local/hybrid-ircd/lib directory
  7. Run ldd ircd and copy all needed libs to the new lib dir
  8. At this point I tried running /usr/sbin/chroot but ran into a nice catch-22: in order to run chroot you need to be root, but hybrid ircd refuses to run as root! Originally I got around this by downloading, inspecting the source of, and compiling uchroot, which runs setuid as root then drops privs (but see the update above). To get around this problem you need to copy /bin/su into the chroot jail and set up a mock user system there. I used the instructions found here. Since I was on a Redhat 7.x system I had to do the extra step listed there also.
  9. I created a script in /usr/local/hybrid-ircd/start-ircd.bash with this line in it: su -c "/bin/ircd -foreground -dlinefile /etc/dline.conf -configfile /etc/ircd.conf -klinefile /etc/kline.conf -logfile /logs/ircd.log -pidfile ircd.pid" peon
  10. Finally, I was able to start ircd in a chroot jail like this: /usr/sbin/chroot /usr/local/hybrid-ircd /bin/bash /start-ircd.bash (run as root)
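
Step 7 can be scripted. The sketch below is an added example, not part of the original post: it parses ldd output and copies each listed library into the jail's lib directory, stopping if a dependency is unresolved. The function names ldd_paths and copy_libs_to_jail and the sample ldd output are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Read `ldd` output on stdin and print one absolute library path per line.
# Returns non-zero if any dependency is reported as "not found".
ldd_paths() {
    rc=0
    while read -r name arrow path rest; do
        if [ "$path $rest" = "not found" ]; then
            echo "missing: $name" >&2
            rc=1
        elif [ "$arrow" = "=>" ]; then
            # "libc.so.6 => /lib/libc.so.6 (0x...)"; virtual objects such as
            # linux-gate.so.1 have no path after "=>" and are skipped.
            case "$path" in /*) echo "$path" ;; esac
        else
            # "/lib/ld-linux.so.2 (0x...)": the dynamic loader itself.
            case "$name" in /*) echo "$name" ;; esac
        fi
    done
    return "$rc"
}

# Copy every library that ldd reports for binary $1 into $2/lib.
copy_libs_to_jail() {
    bin=$1
    jail=$2
    libs=$(ldd "$bin" | ldd_paths) || return 1
    mkdir -p "$jail/lib" || return 1
    # Unquoted on purpose: one path per word (assumes no spaces in lib paths).
    for lib in $libs; do
        # -L copies the real file under the name the loader asks for,
        # instead of recreating a symlink that would dangle inside the jail.
        cp -L "$lib" "$jail/lib/" || return 1
    done
}

# Constructed sample of ldd output in the style of an older 32-bit system.
SAMPLE_LDD='	linux-gate.so.1 =>  (0xffffe000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x40018000)
	libc.so.6 => /lib/libc.so.6 (0x40045000)
	/lib/ld-linux.so.2 (0x40000000)'

# Show what would be copied for the sample.
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```

For the layout above the call would be copy_libs_to_jail /usr/local/hybrid-ircd/bin/ircd /usr/local/hybrid-ircd. Only run ldd on binaries you built or trust, since it can end up executing code from the file it inspects.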

I'm not sure if I needed all those command line parameters as they should be the same as the hardcoded defaults, but I haven't tried starting it again without them yet as my friends and I already are using the server.

So there you go. Note chroot isn't perfect, but it certainly makes me feel safer.
