authorJoel Rosdahl <joel@rosdahl.net>2014-06-23 22:13:32 +0200
committerJoel Rosdahl <joel@rosdahl.net>2014-06-23 22:13:32 +0200
commitbc02cbd8939093189712a97ae4df2babeb8d14ce (patch)
tree9751557258f5686d6d166e3dc33caa8aa46310cb
parent164834727d68f1abb89479f5500b1d3fa0508670 (diff)
Minor cleanups
-rw-r--r--CHANGES3
-rw-r--r--README.md80
-rwxr-xr-xminiircd34
3 files changed, 59 insertions, 58 deletions
diff --git a/CHANGES b/CHANGES
index b57af64..dde458f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,8 @@
+Unreleased
- * Added support for --chroot and -setuid (fork by rezrov)
* Added support for the LUSERS command (from Alex Wright).
* Added basic SSL support (from Leandro Lucarella).
+ * Added support for --chroot and -setuid (from Ron Fritz).
0.4 2012-07-01
diff --git a/README.md b/README.md
index d40837a..8a9ea19 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Features
* No configuration.
* No ident lookup (so that people behind firewalls that filter the ident port
without sending NACK can connect without long timeouts).
-* Reasonably secure when used with --chroot and --setuid
+* Reasonably secure when used with --chroot and --setuid.
Limitations
-----------
@@ -45,54 +45,48 @@ help.
Using --chroot and --setuid
---------------------------
-In order to use the --chroot or --setuid options, you must be using an OS
-that supports these functions (most \*nixes), and you must start the server
-as root. These options limit the daemon process to a small
-subset of the filesystem, running with the privileges of the specified
-user (ideally unprivileged) instead of the user who launched miniircd.
+In order to use the --chroot or --setuid options, you must be using an OS that
+supports these functions (most \*nixes), and you must start the server as root.
+These options limit the daemon process to a small subset of the filesystem,
+running with the privileges of the specified user (ideally unprivileged)
+instead of the user who launched miniircd.
-To create a new chroot jail for miniircd, edit the Makefile and change
-JAILDIR and JAILUSER to suit your needs, then run ``make jail`` as root.
-If you have a motd file or an SSL pem file, you'll need to put them in the
-jail as well:
+To create a new chroot jail for miniircd, edit the Makefile and change JAILDIR
+and JAILUSER to suit your needs, then run ``make jail`` as root. If you have a
+motd file or an SSL pem file, you'll need to put them in the jail as well:
-```
-# cp miniircd.pem motd.txt /var/jail/miniircd
-```
+
+ # cp miniircd.pem motd.txt /var/jail/miniircd
Remember to specify the paths for --statedir, --logdir, --motd, and
--ssl-pem-file from within the jail, e.g.:
-```
-# sudo miniircd --statedir=/ --logdir=/ --motd=/motd.txt --setuid=nobody \
- --ssl-pem-file=/miniircd.pem --chroot=/var/jail/miniircd
-```
-
-Make sure your jail is writable by whatever user/group you are running
-the server as. Also, keep your jail clean. Ideally it should only contain
-the files mentioned above and the state/log files from miniircd. You should
-**not** place the miniircd script itself, or any executables, in the jail.
-In the end it should look something like this:
-
-```
-# ls -alR /var/jail/miniircd
-.:
-total 36
-drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 .
-drwxr-xr-x 4 root root 4096 Jun 10 18:40 ..
--rw------- 1 nobody nobody 26 Jun 10 16:20 #channel
--rw-r--r-- 1 nobody nobody 1414 Jun 10 16:51 #channel.log
-drwxr-xr-x 2 root root 4096 Jun 10 16:19 dev
--rw-r----- 1 rezrov nobody 5187 Jun 9 22:25 ircd.pem
--rw-r--r-- 1 rezrov nobody 17 Jun 9 22:26 motd.txt
-
-./dev:
-total 8
-drwxr-xr-x 2 root root 4096 Jun 10 16:19 .
-drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 ..
-crw-rw-rw- 1 root root 1, 3 Jun 10 16:16 null
-crw-rw-rw- 1 root root 1, 9 Jun 10 16:19 urandom
-```
+ # sudo miniircd --statedir=/ --logdir=/ --motd=/motd.txt --setuid=nobody \
+ --ssl-pem-file=/miniircd.pem --chroot=/var/jail/miniircd
+
+Make sure your jail is writable by whatever user/group you are running the
+server as. Also, keep your jail clean. Ideally it should only contain the files
+mentioned above and the state/log files from miniircd. You should **not** place
+the miniircd script itself, or any executables, in the jail. In the end it
+should look something like this:
+
+ # ls -alR /var/jail/miniircd
+ .:
+ total 36
+ drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 .
+ drwxr-xr-x 4 root root 4096 Jun 10 18:40 ..
+ -rw------- 1 nobody nobody 26 Jun 10 16:20 #channel
+ -rw-r--r-- 1 nobody nobody 1414 Jun 10 16:51 #channel.log
+ drwxr-xr-x 2 root root 4096 Jun 10 16:19 dev
+ -rw-r----- 1 rezrov nobody 5187 Jun 9 22:25 ircd.pem
+ -rw-r--r-- 1 rezrov nobody 17 Jun 9 22:26 motd.txt
+
+ ./dev:
+ total 8
+ drwxr-xr-x 2 root root 4096 Jun 10 16:19 .
+ drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 ..
+ crw-rw-rw- 1 root root 1, 3 Jun 10 16:16 null
+ crw-rw-rw- 1 root root 1, 9 Jun 10 16:19 urandom
License
-------
diff --git a/miniircd b/miniircd
index 45e669c..580574e 100755
--- a/miniircd
+++ b/miniircd
@@ -1,7 +1,7 @@
#! /usr/bin/env python
# Hey, Emacs! This is -*-python-*-.
#
-# Copyright (C) 2003, 2011-2013 Joel Rosdahl
+# Copyright (C) 2003-2014 Joel Rosdahl
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -752,9 +752,10 @@ class Server(object):
os.chroot(self.chroot)
self.print_info("Changed root directory to %s" % self.chroot)
if self.setuid:
- os.setresgid(self.setuid[1],self.setuid[1],self.setuid[1])
- os.setresuid(self.setuid[0],self.setuid[0],self.setuid[0])
- self.print_info("Setting uid:gid to %s:%s" % (self.setuid[0], self.setuid[1]))
+ os.setresgid(self.setuid[1], self.setuid[1], self.setuid[1])
+ os.setresuid(self.setuid[0], self.setuid[0], self.setuid[0])
+ self.print_info("Setting uid:gid to %s:%s"
+ % (self.setuid[0], self.setuid[1]))
last_aliveness_check = time.time()
while True:
(iwtd, owtd, ewtd) = select.select(
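Review bot: The privilege drop in the `if self.setuid:` branch sets the real, effective and saved gid and uid but never clears the supplementary group list, so a server started as root keeps root's supplementary groups after switching to the unprivileged user. Add `os.setgroups([])` immediately before the `os.setresgid(...)` call, while the process still has the privilege to do so. The hunk begins at the `os.chroot(self.chroot)` line, so whether the working directory is moved inside the new root (`os.chdir`) is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.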
@@ -848,11 +849,13 @@ def main(argv):
op.add_option(
"--chroot",
metavar="X",
- help="Change filesystem root to directory X after startup (requires root)")
+ help="change filesystem root to directory X after startup"
+ " (requires root)")
op.add_option(
"--setuid",
metavar="U[:G]",
- help="Change process user (and optionally group) after startup (requires root)")
+ help="change process user (and optionally group) after startup"
+ " (requires root)")
(options, args) = op.parse_args(argv[1:])
if options.debug:
@@ -872,16 +875,21 @@ def main(argv):
if options.setuid:
if os.getuid() != 0:
op.error("Must be root to use --setuid")
- match = re.findall(r"([a-z_][a-z0-9_-]*[\$]?)", options.setuid)
-
+ match = re.findall(r"([a-z_][a-z0-9_-]*\$?)", options.setuid)
if len(match) > 1:
- options.setuid = (int(getpwnam(match[0]).pw_uid),int(getgrnam(match[1]).gr_gid))
+ options.setuid = (int(getpwnam(match[0]).pw_uid),
+ int(getgrnam(match[1]).gr_gid))
elif len(match) == 1:
- options.setuid = (int(getpwnam(match[0]).pw_uid),int(getpwnam(match[0]).pw_gid))
+ options.setuid = (int(getpwnam(match[0]).pw_uid),
+ int(getpwnam(match[0]).pw_gid))
else:
- op.error("Specify a user, or user and group separated by a semicolon, e.g. --setuid daemon, --setuid nobody:nobody")
+ op.error("Specify a user, or user and group separated by a colon,"
+ " e.g. --setuid daemon, --setuid nobody:nobody")
if (os.getuid() == 0 or os.getgid() == 0) and not options.setuid:
- op.error("Running this service as root is not recommended. Use the --setuid option to switch to an unprivileged account after startup. If you really intend to run as root, use '--setuid root'.")
+ op.error("Running this service as root is not recommended. Use the"
+ " --setuid option to switch to an unprivileged account after"
+ " startup. If you really intend to run as root, use \"--setuid"
+ " root\".")
ports = []
for port in re.split(r"[,\s]+", options.ports):
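Review bot: The `--setuid` value is parsed with an unanchored `re.findall`, which picks out any lowercase name-like substrings instead of validating the whole argument, so malformed input is accepted silently: `Nobody` resolves the name `obody`, and `nobody,root` or `nobody root` is treated as user `nobody` with group `root`. A typo can therefore drop privileges to a different account or group than the operator intended. Split on the documented `:` separator and pass the parts to `getpwnam`/`getgrnam` unchanged, and catch the `KeyError` they raise for unknown names so the user gets an `op.error` message rather than a traceback. `main` starts and continues outside the hunk.

```python
        # … unchanged: "Must be root to use --setuid" check …
        user, _, group = options.setuid.partition(":")
        try:
            pw = getpwnam(user)
            gid = getgrnam(group).gr_gid if group else pw.pw_gid
        except KeyError:
            op.error("Unknown user or group in --setuid value \"%s\""
                     % options.setuid)
        options.setuid = (pw.pw_uid, gid)
        # … unchanged: refusal to run as root without --setuid …
```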
@@ -900,5 +908,3 @@ def main(argv):
main(sys.argv)
-
-# ex:et:sw=4:ts=4