1Using Chroot With IRCD 2 3Introduction 4 5Many system administrators like to run certain daemons within a 6"jail," a secure area of the file system that the daemon supposedly 7cannot break out of. That way, if the daemon is compromised somehow, 8the attacker cannot get out and affect the rest of the system in any 9way. There are problems with this--the standard UNIX way of doing 10this is with the chroot() call, which has been deprecated by the 11UNIX98 standard. Moreover, if an attacker has root within the jail, 12it is trivial to get *out* of the jail in most circumstances. 13Nevertheless, it is still often a good idea, and some systems can use 14more secure jails than other systems. 15 16Older versions of ircd supported chroot() operation within the server 17itself, but these were fraught with problems--chroot() can only be 18called by a process running as root, so ircd had to be started as 19root, typically by making it setuid, and would then have to drop those 20privileges after calling chroot(). Moreover, the design of the server 21would require that the server binary be in DPATH, or the /RESTART 22command would not work. In fact, /RESTART still wouldn't work, 23because the server would then attempt to change directories to a DPATH 24relative to the current root directory--and of course, the root 25directory often would not contain the shared libraries necessary for 26the ircd to even start. 27 28Configuring the Server For Use With Chroot 29 30In the versions of ircd starting with u2.10.11, all the setuid and 31chroot() code has been removed from the server. It is still possible 32to cause the daemon to run in a chroot() jail, however, through the 33use of a wrapper script. This requires making all paths compiled in 34to the server be relative to the new root directory; fortunately, this 35can be done by giving the configure script the --with-chroot=<dir> 36option. The <dir> argument specifies to configure where the root 37directory will be, and the server restart path, data path, 38configuration file, and debug log files will all be modified to be 39relative to this root directory. If the data path or configuration 40files cannot be made relative to the specified root directory, 41configure will issue an error message and exit; if the server restart 42path is not relative to the specified root directory, configure will 43issue a warning. 44 45The various paths are made relative to the root directory through the 46use of simple edits to their string representation. As an example, 47assume that we will be using the root directory "/home/ircd"; if the 48data path is "/home/ircd/lib," the data path that will be compiled 49into the server will be simply "/lib"; if, on the other hand, the 50specified data path were "/usr/local/lib/ircd," configure would issue 51an error, since there is no way to make the data path relative to the 52specified root directory. 53 54Preparing the Root Directory 55 56Most modern operating systems use shared libraries. When using 57chroot(), these libraries are searched for relative to the new root 58directory, and they must be present in order for a program to 59execute. The root directory must be prepared, therefore, by coping 60these libraries into the correct place. A script for this purpose has 61been provided in tools/mkchroot. This script relies on the command 62"ldd," which is used to report which shared libraries are used by a 63particular program; it also relies on ldd printing out the full path 64to those libraries. If either of these conditions is not met, it will 65be necessary to track down the libraries by hand and place them into 66the appropriate locations. The tools/mkchroot script takes as its 67first argument the path to the directory to be prepared as a root 68directory; following this argument should be a list of programs that 69will be running with that directory as the root directory. 70 71Using the Wrapper 72 73Also provided in the tools subdirectory are the sources for a simple 74wrapper program that can be used to start ircd. The program can be 75compiled by executing "cc -o wrapper tools/wrapper.c"; it must be run 76as root, but do not install it as root, since that would be a major 77security risk. This tool can be used to set the hard limit on file 78descriptors, as well as a root directory, and so may be useful to the 79administrator even if chroot() operation is not desired. A summary of 80the command line options for the wrapper tool can be obtained with the 81"-h" option. To set the file descriptor limit, use the "-l" option 82followed by the desired number of file descriptors; to select an 83alternative root directory, use "-c" followed by the desired root 84directory. You must use the "-u" option to specify a user name (or 85user ID) that the command should be run as; otherwise, the command 86will be run as root, which is not what you want (and why you should 87never install this program setuid root). Follow the command line 88arguments with "--" and the full path to the command that you wish to 89run, along with arguments to that command. The "--" tells the wrapper 90program to stop interpreting options, and is very important if you 91must give the command any options. 92