diff options
| author | Joel Rosdahl <joel@rosdahl.net> | 2014-06-23 22:13:32 +0200 |
|---|---|---|
| committer | Joel Rosdahl <joel@rosdahl.net> | 2014-06-23 22:13:32 +0200 |
| commit | bc02cbd8939093189712a97ae4df2babeb8d14ce (patch) | |
| tree | 9751557258f5686d6d166e3dc33caa8aa46310cb | |
| parent | 164834727d68f1abb89479f5500b1d3fa0508670 (diff) | |
| download | miniircd-bc02cbd8939093189712a97ae4df2babeb8d14ce.tar.gz miniircd-bc02cbd8939093189712a97ae4df2babeb8d14ce.zip | |
Minor cleanups
| -rw-r--r-- | CHANGES | 3 | ||||
| -rw-r--r-- | README.md | 80 | ||||
| -rwxr-xr-x | miniircd | 34 |
3 files changed, 59 insertions, 58 deletions
@@ -1,7 +1,8 @@ +Unreleased - * Added support for --chroot and -setuid (fork by rezrov) * Added support for the LUSERS command (from Alex Wright). * Added basic SSL support (from Leandro Lucarella). + * Added support for --chroot and -setuid (from Ron Fritz). 0.4 2012-07-01 @@ -17,7 +17,7 @@ Features * No configuration. * No ident lookup (so that people behind firewalls that filter the ident port without sending NACK can connect without long timeouts). -* Reasonably secure when used with --chroot and --setuid +* Reasonably secure when used with --chroot and --setuid. Limitations ----------- @@ -45,54 +45,48 @@ help. Using --chroot and --setuid --------------------------- -In order to use the --chroot or --setuid options, you must be using an OS -that supports these functions (most \*nixes), and you must start the server -as root. These options limit the daemon process to a small -subset of the filesystem, running with the privileges of the specified -user (ideally unprivileged) instead of the user who launched miniircd. +In order to use the --chroot or --setuid options, you must be using an OS that +supports these functions (most \*nixes), and you must start the server as root. +These options limit the daemon process to a small subset of the filesystem, +running with the privileges of the specified user (ideally unprivileged) +instead of the user who launched miniircd. -To create a new chroot jail for miniircd, edit the Makefile and change -JAILDIR and JAILUSER to suit your needs, then run ``make jail`` as root. -If you have a motd file or an SSL pem file, you'll need to put them in the -jail as well: +To create a new chroot jail for miniircd, edit the Makefile and change JAILDIR +and JAILUSER to suit your needs, then run ``make jail`` as root. If you have a +motd file or an SSL pem file, you'll need to put them in the jail as well: -``` -# cp miniircd.pem motd.txt /var/jail/miniircd -``` + + # cp miniircd.pem motd.txt /var/jail/miniircd Remember to specify the paths for --statedir, --logdir, --motd, and --ssl-pem-file from within the jail, e.g.: -``` -# sudo miniircd --statedir=/ --logdir=/ --motd=/motd.txt --setuid=nobody \ - --ssl-pem-file=/miniircd.pem --chroot=/var/jail/miniircd -``` - -Make sure your jail is writable by whatever user/group you are running -the server as. Also, keep your jail clean. Ideally it should only contain -the files mentioned above and the state/log files from miniircd. You should -**not** place the miniircd script itself, or any executables, in the jail. -In the end it should look something like this: - -``` -# ls -alR /var/jail/miniircd -.: -total 36 -drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 . -drwxr-xr-x 4 root root 4096 Jun 10 18:40 .. --rw------- 1 nobody nobody 26 Jun 10 16:20 #channel --rw-r--r-- 1 nobody nobody 1414 Jun 10 16:51 #channel.log -drwxr-xr-x 2 root root 4096 Jun 10 16:19 dev --rw-r----- 1 rezrov nobody 5187 Jun 9 22:25 ircd.pem --rw-r--r-- 1 rezrov nobody 17 Jun 9 22:26 motd.txt - -./dev: -total 8 -drwxr-xr-x 2 root root 4096 Jun 10 16:19 . -drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 .. -crw-rw-rw- 1 root root 1, 3 Jun 10 16:16 null -crw-rw-rw- 1 root root 1, 9 Jun 10 16:19 urandom -``` + # sudo miniircd --statedir=/ --logdir=/ --motd=/motd.txt --setuid=nobody \ + --ssl-pem-file=/miniircd.pem --chroot=/var/jail/miniircd + +Make sure your jail is writable by whatever user/group you are running the +server as. Also, keep your jail clean. Ideally it should only contain the files +mentioned above and the state/log files from miniircd. You should **not** place +the miniircd script itself, or any executables, in the jail. In the end it +should look something like this: + + # ls -alR /var/jail/miniircd + .: + total 36 + drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 . + drwxr-xr-x 4 root root 4096 Jun 10 18:40 .. + -rw------- 1 nobody nobody 26 Jun 10 16:20 #channel + -rw-r--r-- 1 nobody nobody 1414 Jun 10 16:51 #channel.log + drwxr-xr-x 2 root root 4096 Jun 10 16:19 dev + -rw-r----- 1 rezrov nobody 5187 Jun 9 22:25 ircd.pem + -rw-r--r-- 1 rezrov nobody 17 Jun 9 22:26 motd.txt + + ./dev: + total 8 + drwxr-xr-x 2 root root 4096 Jun 10 16:19 . + drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 .. + crw-rw-rw- 1 root root 1, 3 Jun 10 16:16 null + crw-rw-rw- 1 root root 1, 9 Jun 10 16:19 urandom License ------- @@ -1,7 +1,7 @@ #! /usr/bin/env python # Hey, Emacs! This is -*-python-*-. # -# Copyright (C) 2003, 2011-2013 Joel Rosdahl +# Copyright (C) 2003-2014 Joel Rosdahl # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -752,9 +752,10 @@ class Server(object): os.chroot(self.chroot) self.print_info("Changed root directory to %s" % self.chroot) if self.setuid: - os.setresgid(self.setuid[1],self.setuid[1],self.setuid[1]) - os.setresuid(self.setuid[0],self.setuid[0],self.setuid[0]) - self.print_info("Setting uid:gid to %s:%s" % (self.setuid[0], self.setuid[1])) + os.setresgid(self.setuid[1], self.setuid[1], self.setuid[1]) + os.setresuid(self.setuid[0], self.setuid[0], self.setuid[0]) + self.print_info("Setting uid:gid to %s:%s" + % (self.setuid[0], self.setuid[1])) last_aliveness_check = time.time() while True: (iwtd, owtd, ewtd) = select.select( @@ -848,11 +849,13 @@ def main(argv): op.add_option( "--chroot", metavar="X", - help="Change filesystem root to directory X after startup (requires root)") + help="change filesystem root to directory X after startup" + " (requires root)") op.add_option( "--setuid", metavar="U[:G]", - help="Change process user (and optionally group) after startup (requires root)") + help="change process user (and optionally group) after startup" + " (requires root)") (options, args) = op.parse_args(argv[1:]) if options.debug: @@ -872,16 +875,21 @@ def main(argv): if options.setuid: if os.getuid() != 0: op.error("Must be root to use --setuid") - match = re.findall(r"([a-z_][a-z0-9_-]*[\$]?)", options.setuid) - + match = re.findall(r"([a-z_][a-z0-9_-]*\$?)", options.setuid) if len(match) > 1: - options.setuid = (int(getpwnam(match[0]).pw_uid),int(getgrnam(match[1]).gr_gid)) + options.setuid = (int(getpwnam(match[0]).pw_uid), + int(getgrnam(match[1]).gr_gid)) elif len(match) == 1: - options.setuid = (int(getpwnam(match[0]).pw_uid),int(getpwnam(match[0]).pw_gid)) + options.setuid = (int(getpwnam(match[0]).pw_uid), + int(getpwnam(match[0]).pw_gid)) else: - op.error("Specify a user, or user and group separated by a semicolon, e.g. --setuid daemon, --setuid nobody:nobody") + op.error("Specify a user, or user and group separated by a colon," + " e.g. --setuid daemon, --setuid nobody:nobody") if (os.getuid() == 0 or os.getgid() == 0) and not options.setuid: - op.error("Running this service as root is not recommended. Use the --setuid option to switch to an unprivileged account after startup. If you really intend to run as root, use '--setuid root'.") + op.error("Running this service as root is not recommended. Use the" + " --setuid option to switch to an unprivileged account after" + " startup. If you really intend to run as root, use \"--setuid" + " root\".") ports = [] for port in re.split(r"[,\s]+", options.ports): @@ -900,5 +908,3 @@ def main(argv): main(sys.argv) - -# ex:et:sw=4:ts=4 |