-rw-r--r--Makefile10
-rw-r--r--README.md36
-rwxr-xr-xminiircd3
3 files changed, 25 insertions, 24 deletions
diff --git a/Makefile b/Makefile
index a8b923b..41a5590 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,8 @@
VERSION := $(shell sed -ne 's/^VERSION = "\(.*\)"/\1/p' miniircd)
DISTFILES = miniircd COPYING README.md
+JAILDIR = /var/jail/miniircd
+JAILUSER = nobody
all:
echo "Nothing to do."
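Review bot: `JAILUSER = nobody` makes the jail owner an account that other services on a host often share, so any process running as `nobody` could write to the state and log files in the directory the `jail` target hands over with `chown`. A dedicated unprivileged account is the safer default; at minimum add a comment above the variable such as `# prefer a dedicated unprivileged account; 'nobody' is often shared with other services`. Writing both as `JAILDIR ?= /var/jail/miniircd` and `JAILUSER ?= nobody` would also let them be set from the environment without editing the file.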
@@ -13,3 +15,11 @@ dist:
clean:
rm -rf miniircd-$(VERSION) *~
+
+jail:
+ mkdir -p $(JAILDIR)/dev
+ chmod 755 $(JAILDIR)
+ mknod $(JAILDIR)/dev/null c 1 3
+ mknod $(JAILDIR)/dev/urandom c 1 9
+ chmod 666 $(JAILDIR)/dev/*
+ chown $(JAILUSER) $(JAILDIR)
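Review bot: `chmod 666 $(JAILDIR)/dev/*` in the `jail` recipe makes every entry already present under `dev` world-writable, not only the two nodes this recipe creates, which matters when JAILDIR points at an existing directory. Setting the mode at creation and dropping the glob is narrower: `mknod -m 666 $(JAILDIR)/dev/null c 1 3` and `mknod -m 666 $(JAILDIR)/dev/urandom c 1 9`. The recipe is also not re-runnable, because `mknod` fails once the nodes exist, and `jail` is not declared `.PHONY` in the visible lines. The 1,3 and 1,9 device numbers are the Linux ones, so a comment like `# device numbers are Linux-specific` would keep the caveat that the README hunk removes.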
diff --git a/README.md b/README.md
index b772a49..16a72cd 100644
--- a/README.md
+++ b/README.md
@@ -45,30 +45,17 @@ Installation
None. Just run "./miniircd --help" (or "python miniircd --help") to get some
help.
-Some Notes on --chroot and --setuid
------------------------------------
+Using --chroot and --setuid
+---------------------------
In order to use the --chroot or --setuid options, you must be using an OS
that supports these functions (most \*nixes), and you must start the server
-as root. Generally, you would not want to run just any random thing you've
-grabbed from github and run it as root! Fortunately this script is short enough that the
-average programmer can puruse it in a few minutes and determine whether or
-not it is overtly malicious.
+as root. These options limit the daemon process to a small
+subset of the filesystem, running with the privileges of the specified
+user (ideally unprivileged) instead of the user who launched miniircd.
-Creating a Jail for --chroot
-----------------------------
-
-If you want to run miniircd in a chroot jail, do something like the
-following as root (only tested on Linux). Assuming your chroot jail is
-going to be /var/jail/miniircd, first create some required device nodes:
-
-```
-# mkdir -p /var/jail/miniircd/dev
-# mknod /var/jail/miniircd/dev/null c 1 3
-# mknod /var/jail/miniircd/dev/random c 1 8
-# mknod /var/jail/miniircd/dev/urandom c 1 9
-# chmod 666 /var/jail/miniircd/dev/*
-```
+To create a new chroot jail for miniircd, edit the Makefile and change
+JAILDIR and JAILUSER to suit your needs, then run ``make jail`` as root.
If you have a motd file or an SSL pem file, you'll need to put them in the
jail as well:
@@ -80,19 +67,21 @@ Remember to specify the paths for --statedir, --logdir, --motd, and
--ssl-pem-file from within the jail, e.g.:
```
-# ./miniircd --statedir=/ --logdir=/ --motd=/motd.txt \
+# sudo miniircd --statedir=/ --logdir=/ --motd=/motd.txt --setuid=nobody \
--ssl-pem-file=/miniircd.pem --chroot=/var/jail/miniircd
```
+
Make sure your jail is writable by whatever user/group you are running
the server as. Also, keep your jail clean. Ideally it should only contain
the files mentioned above and the state/log files from miniircd. You should
**not** place the miniircd script itself, or any executables, in the jail.
+In the end it should look something like this:
```
# ls -alR /var/jail/miniircd
.:
total 36
-drwxrwxr-x 3 nobody rezrov 4096 Jun 10 16:20 .
+drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 .
drwxr-xr-x 4 root root 4096 Jun 10 18:40 ..
-rw------- 1 nobody nobody 26 Jun 10 16:20 #channel
-rw-r--r-- 1 nobody nobody 1414 Jun 10 16:51 #channel.log
@@ -103,9 +92,8 @@ drwxr-xr-x 2 root root 4096 Jun 10 16:19 dev
./dev:
total 8
drwxr-xr-x 2 root root 4096 Jun 10 16:19 .
-drwxrwxr-x 3 nobody rezrov 4096 Jun 10 16:20 ..
+drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 ..
crw-rw-rw- 1 root root 1, 3 Jun 10 16:16 null
-crw-rw-rw- 1 root root 1, 8 Jun 10 16:16 random
crw-rw-rw- 1 root root 1, 9 Jun 10 16:19 urandom
```
diff --git a/miniircd b/miniircd
index fd793ee..45e669c 100755
--- a/miniircd
+++ b/miniircd
@@ -880,6 +880,9 @@ def main(argv):
options.setuid = (int(getpwnam(match[0]).pw_uid),int(getpwnam(match[0]).pw_gid))
else:
op.error("Specify a user, or user and group separated by a semicolon, e.g. --setuid daemon, --setuid nobody:nobody")
+ if (os.getuid() == 0 or os.getgid() == 0) and not options.setuid:
+ op.error("Running this service as root is not recommended. Use the --setuid option to switch to an unprivileged account after startup. If you really intend to run as root, use '--setuid root'.")
+
ports = []
for port in re.split(r"[,\s]+", options.ports):
try:
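Review bot: The new root check in `main` tests the real ids (`os.getuid()`, `os.getgid()`), but the privileges the daemon holds follow the effective ids, so a process started through a setuid wrapper with a non-zero real uid would pass the check while still running as root. Comparing the effective ids closes that gap: `if (os.geteuid() == 0 or os.getegid() == 0) and not options.setuid:`. `main` starts and continues outside the hunk, so the privilege drop itself is not visible here; it is worth confirming that it also clears supplementary groups before calling setgid/setuid.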