From 01440bc95a204321f9a0878945efa1d35f41b266 Mon Sep 17 00:00:00 2001 From: Rezrov Frotz Date: Wed, 18 Jun 2014 14:01:35 -0400 Subject: Added warning if running as root, added make jail, updated README. --- Makefile | 10 ++++++++++ README.md | 36 ++++++++++++------------------------ miniircd | 3 +++ 3 files changed, 25 insertions(+), 24 deletions(-) diff --git a/Makefile b/Makefile index a8b923b..41a5590 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,8 @@ VERSION := $(shell sed -ne 's/^VERSION = "\(.*\)"/\1/p' miniircd) DISTFILES = miniircd COPYING README.md +JAILDIR = /var/jail/miniircd +JAILUSER = nobody all: echo "Nothing to do." @@ -13,3 +15,11 @@ dist: clean: rm -rf miniircd-$(VERSION) *~ + +jail: + mkdir -p $(JAILDIR)/dev + chmod 755 $(JAILDIR) + mknod $(JAILDIR)/dev/null c 1 3 + mknod $(JAILDIR)/dev/urandom c 1 9 + chmod 666 $(JAILDIR)/dev/* + chown $(JAILUSER) $(JAILDIR) diff --git a/README.md b/README.md index b772a49..16a72cd 100644 --- a/README.md +++ b/README.md 
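Review bot: In the new `jail` target, `chmod 666 $(JAILDIR)/dev/*` applies to whatever the glob matches rather than to the two nodes just created, so anything else already in that directory also becomes world-writable. The two `mknod` calls will also fail when the target is re-run against an existing jail. Setting the mode at creation and naming each node avoids both, e.g. `test -e $(JAILDIR)/dev/null || mknod -m 666 $(JAILDIR)/dev/null c 1 3`, and the same for `urandom`. The device numbers 1,3 and 1,9 are the Linux ones and the README hunk in this commit drops the "only tested on Linux" remark, so a comment above the target such as `# Linux device numbers; run as root` would keep that caveat visible. `chown $(JAILUSER) $(JAILDIR)` with the default `JAILUSER = nobody` gives the jail root to an account other services often share, so a comment next to the variable recommending a dedicated account is worth adding.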
@@ -45,30 +45,17 @@ Installation None. Just run "./miniircd --help" (or "python miniircd --help") to get some help. -Some Notes on --chroot and --setuid ------------------------------------ +Using --chroot and --setuid +--------------------------- In order to use the --chroot or --setuid options, you must be using an OS that supports these functions (most \*nixes), and you must start the server -as root. Generally, you would not want to run just any random thing you've -grabbed from github and run it as root! Fortunately this script is short enough that the -average programmer can puruse it in a few minutes and determine whether or -not it is overtly malicious. +as root. These options limit the daemon process to a small +subset of the filesystem, running with the privileges of the specified +user (ideally unprivileged) instead of the user who launched miniircd. -Creating a Jail for --chroot ----------------------------- - -If you want to run miniircd in a chroot jail, do something like the -following as root (only tested on Linux). Assuming your chroot jail is -going to be /var/jail/miniircd, first create some required device nodes: - -``` -# mkdir -p /var/jail/miniircd/dev -# mknod /var/jail/miniircd/dev/null c 1 3 -# mknod /var/jail/miniircd/dev/random c 1 8 -# mknod /var/jail/miniircd/dev/urandom c 1 9 -# chmod 666 /var/jail/miniircd/dev/* -``` +To create a new chroot jail for miniircd, edit the Makefile and change +JAILDIR and JAILUSER to suit your needs, then run ``make jail`` as root. If you have a motd file or an SSL pem file, you'll need to put them in the jail as well: 
@@ -80,19 +67,21 @@ Remember to specify the paths for --statedir, --logdir, --motd, and --ssl-pem-file from within the jail, e.g.: ``` -# ./miniircd --statedir=/ --logdir=/ --motd=/motd.txt \ +# sudo miniircd --statedir=/ --logdir=/ --motd=/motd.txt --setuid=nobody \ --ssl-pem-file=/miniircd.pem --chroot=/var/jail/miniircd ``` + Make sure your jail is writable by whatever user/group you are running the server as. Also, keep your jail clean. Ideally it should only contain the files mentioned above and the state/log files from miniircd. You should **not** place the miniircd script itself, or any executables, in the jail. +In the end it should look something like this: ``` # ls -alR /var/jail/miniircd .: total 36 -drwxrwxr-x 3 nobody rezrov 4096 Jun 10 16:20 . +drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 . drwxr-xr-x 4 root root 4096 Jun 10 18:40 .. -rw------- 1 nobody nobody 26 Jun 10 16:20 #channel -rw-r--r-- 1 nobody nobody 1414 Jun 10 16:51 #channel.log @@ -103,9 +92,8 @@ drwxr-xr-x 2 root root 4096 Jun 10 16:19 dev ./dev: total 8 drwxr-xr-x 2 root root 4096 Jun 10 16:19 . -drwxrwxr-x 3 nobody rezrov 4096 Jun 10 16:20 .. +drwxr-xr-x 3 nobody root 4096 Jun 10 16:20 .. crw-rw-rw- 1 root root 1, 3 Jun 10 16:16 null -crw-rw-rw- 1 root root 1, 8 Jun 10 16:16 random crw-rw-rw- 1 root root 1, 9 Jun 10 16:19 urandom ``` diff --git a/miniircd b/miniircd index fd793ee..45e669c 100755 --- a/miniircd +++ b/miniircd 
@@ -880,6 +880,9 @@ def main(argv): options.setuid = (int(getpwnam(match[0]).pw_uid),int(getpwnam(match[0]).pw_gid)) else: op.error("Specify a user, or user and group separated by a semicolon, e.g. --setuid daemon, --setuid nobody:nobody") + if (os.getuid() == 0 or os.getgid() == 0) and not options.setuid: + op.error("Running this service as root is not recommended. Use the --setuid option to switch to an unprivileged account after startup. If you really intend to run as root, use '--setuid root'.") + ports = [] for port in re.split(r"[,\s]+", options.ports): try: -- cgit v1.2.3
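Review bot: The added root check in `main` tests the real IDs (`os.getuid()`, `os.getgid()`), but the privileges the server actually holds are set by the effective IDs, so a process started with effective uid 0 and a non-zero real uid passes the check without `--setuid`. Comparing the effective IDs is closer to the intent: `if (os.geteuid() == 0 or os.getegid() == 0) and not options.setuid:`. The check also appears to run unconditionally, and `os.getuid` does not exist on Windows, so if the server is meant to start there it needs a `hasattr(os, "getuid")` guard. A one-line comment such as `# Refuse to keep root privileges unless --setuid was given explicitly` would document the intent. `main` begins and continues outside this hunk.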