diff options
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 69 |
1 files changed, 69 insertions, 0 deletions
@@ -8,6 +8,9 @@ miniircd is a small and limited IRC server written in Python. Despite its size, it is a functional alternative to a full-blown ircd for private or internal use. Installation is simple; no configuration is required. +This fork adds the ability to specify a chroot jail for the server process, +as well as the ability to set the user/group of the process. (*nix OSes only) + Features -------- @@ -17,6 +20,7 @@ Features * No configuration. * No ident lookup (so that people behind firewalls that filter the ident port without sending NACK can connect without long timeouts). +* Reasonably secure when used with --chroot and --setuid Limitations ----------- @@ -41,6 +45,70 @@ Installation None. Just run "./miniircd --help" (or "python miniircd --help") to get some help. +Some Notes on --chroot and --setuid +----------------------------------- + +In order to use the --chroot or --setuid options, you must be using an OS +that supports these functions (most \*nixes), and you must start the server +as root. Generally, you would not want to run just any random thing you've +grabbed from github and run it as root! Fortunately this script is short enough that the +average programmer can puruse it in a few minutes and determine whether or +not it is overtly malicious. + +Creating a Jail for --chroot +---------------------------- + +If you want to run miniircd in a chroot jail, do something like the +following as root (only tested on Linux). Assuming your chroot jail is +going to be /var/jail/miniircd, first create some required device nodes: + +``` +# mkdir -p /var/jail/miniircd/dev +# mknod /var/jail/miniircd/dev/null c 1 3 +# mknod /var/jail/miniircd/dev/random c 1 8 +# mknod /var/jail/miniircd/dev/urandom c 1 9 +# chmod 666 /var/jail/miniircd/dev/* +``` +If you have a motd file or an SSL pem file, you'll need to put them in the +jail as well: + +``` +# cp miniircd.pem motd.txt /var/jail/miniircd +``` + +Remember to specify the paths for --statedir, --logdir, --motd, and +--ssl-pem-file from within the jail, e.g.: + +``` +# ./miniircd --statedir=/ --logdir=/ --motd=/motd.txt \ + --ssl-pem-file=/miniircd.pem --chroot=/var/jail/miniircd +``` +Make sure your jail is writable by whatever user/group you are running +the server as. Also, keep your jail clean. Ideally it should only contain +the files mentioned above and the state/log files from miniircd. You should +**not** place the miniircd script itself, or any executables, in the jail. + +``` +# ls -alR /var/jail/miniircd +.: +total 36 +drwxrwxr-x 3 nobody rezrov 4096 Jun 10 16:20 . +drwxr-xr-x 4 root root 4096 Jun 10 18:40 .. +-rw------- 1 nobody nobody 26 Jun 10 16:20 #channel +-rw-r--r-- 1 nobody nobody 1414 Jun 10 16:51 #channel.log +drwxr-xr-x 2 root root 4096 Jun 10 16:19 dev +-rw-r----- 1 rezrov nobody 5187 Jun 9 22:25 ircd.pem +-rw-r--r-- 1 rezrov nobody 17 Jun 9 22:26 motd.txt + +./dev: +total 8 +drwxr-xr-x 2 root root 4096 Jun 10 16:19 . +drwxrwxr-x 3 nobody rezrov 4096 Jun 10 16:20 .. +crw-rw-rw- 1 root root 1, 3 Jun 10 16:16 null +crw-rw-rw- 1 root root 1, 8 Jun 10 16:16 random +crw-rw-rw- 1 root root 1, 9 Jun 10 16:19 urandom +``` + License ------- @@ -57,3 +125,4 @@ Contributors Alex Wright Leandro Lucarella Matt Behrens +Ron Fritz |