1Using Chroot With IRCD
2
3Introduction
4
5Many system administrators like to run certain daemons within a
6"jail," a secure area of the file system that the daemon supposedly
7cannot break out of.  That way, if the daemon is compromised somehow,
8the attacker cannot get out and affect the rest of the system in any
9way.  There are problems with this--the standard UNIX way of doing
10this is with the chroot() call, which has been deprecated by the
11UNIX98 standard.  Moreover, if an attacker has root within the jail,
12it is trivial to get *out* of the jail in most circumstances.
13Nevertheless, it is still often a good idea, and some systems can use
14more secure jails than other systems.
15
16Older versions of ircd supported chroot() operation within the server
17itself, but these were fraught with problems--chroot() can only be
18called by a process running as root, so ircd had to be started as
19root, typically by making it setuid, and would then have to drop those
20privileges after calling chroot().  Moreover, the design of the server
21would require that the server binary be in DPATH, or the /RESTART
22command would not work.  In fact, /RESTART still wouldn't work,
23because the server would then attempt to change directories to a DPATH
24relative to the current root directory--and of course, the root
25directory often would not contain the shared libraries necessary for
26the ircd to even start.
27
28Configuring the Server For Use With Chroot
29
30In the versions of ircd starting with u2.10.11, all the setuid and
31chroot() code has been removed from the server.  It is still possible
32to cause the daemon to run in a chroot() jail, however, through the
33use of a wrapper script.  This requires making all paths compiled in
34to the server be relative to the new root directory; fortunately, this
35can be done by giving the configure script the --with-chroot=<dir>
36option.  The <dir> argument specifies to configure where the root
37directory will be, and the server restart path, data path,
38configuration file, and debug log files will all be modified to be
39relative to this root directory.  If the data path or configuration
40files cannot be made relative to the specified root directory,
41configure will issue an error message and exit; if the server restart
42path is not relative to the specified root directory, configure will
43issue a warning.
44
45The various paths are made relative to the root directory through the
46use of simple edits to their string representation.  As an example,
47assume that we will be using the root directory "/home/ircd"; if the
48data path is "/home/ircd/lib," the data path that will be compiled
49into the server will be simply "/lib"; if, on the other hand, the
50specified data path were "/usr/local/lib/ircd," configure would issue
51an error, since there is no way to make the data path relative to the
52specified root directory.
53
54Preparing the Root Directory
55
56Most modern operating systems use shared libraries.  When using
57chroot(), these libraries are searched for relative to the new root
58directory, and they must be present in order for a program to
59execute.  The root directory must be prepared, therefore, by coping
60these libraries into the correct place.  A script for this purpose has
61been provided in tools/mkchroot.  This script relies on the command
62"ldd," which is used to report which shared libraries are used by a
63particular program; it also relies on ldd printing out the full path
64to those libraries.  If either of these conditions is not met, it will
65be necessary to track down the libraries by hand and place them into
66the appropriate locations.  The tools/mkchroot script takes as its
67first argument the path to the directory to be prepared as a root
68directory; following this argument should be a list of programs that
69will be running with that directory as the root directory.
70
71Using the Wrapper
72
73Also provided in the tools subdirectory are the sources for a simple
74wrapper program that can be used to start ircd.  The program can be
75compiled by executing "cc -o wrapper tools/wrapper.c"; it must be run
76as root, but do not install it as root, since that would be a major
77security risk.  This tool can be used to set the hard limit on file
78descriptors, as well as a root directory, and so may be useful to the
79administrator even if chroot() operation is not desired.  A summary of
80the command line options for the wrapper tool can be obtained with the
81"-h" option.  To set the file descriptor limit, use the "-l" option
82followed by the desired number of file descriptors; to select an
83alternative root directory, use "-c" followed by the desired root
84directory.  You must use the "-u" option to specify a user name (or
85user ID) that the command should be run as; otherwise, the command
86will be run as root, which is not what you want (and why you should
87never install this program setuid root).  Follow the command line
88arguments with "--" and the full path to the command that you wish to
89run, along with arguments to that command.  The "--" tells the wrapper
90program to stop interpreting options, and is very important if you
91must give the command any options.
92