Chrooting an Eggdrop
From Section6wiki
Introduction
This tutorial is a howto on chrooting an eggdrop, or just about anything for that matter. Hopefully this will show you how to chroot other daemons that could pose a security risk as well.
Most security minded people would probably never run an eggdrop on their server. IRC is a haven for script kiddies and hackers. After all, all they’d need to do is install a telnet module and you’d be owned, right? If you run a chrooted Eggdrop, you’re likely to have far fewer security concerns and can actually run an IRC bot relatively safely, notwithstanding any DoS attacks it may attract.
Getting Started
Here I’m going to assume that you’re using eggdrop from ports, and you’ve gone through the pain of configuring the eggdrop.conf, and making it work to your liking. If you don’t install from ports then you’re going to have to make some path modifications on your own, but it should still be more or less the same.
For this example, you’ll want to make a separate user and group for your eggdrop if you haven’t already; using an existing user with login rights is just a bad idea. For the purposes of this example I’m going to call both the user and the group eggdrop, but you can use any names you wish. You can add them with the adduser command; afterwards make sure the shell is set to nologin, which you can do with chsh or vipw. The passwd entry should look something like this:
eggdrop:*:1002:1002::0:0:Scrambled:/home/eggdrop:/sbin/nologin
Figuring out what eggdrop needs
You’ll need to make a miniature "world" where the eggdrop is going to run. For this you’ll have to give it all the libraries and files it needs inside its "world", or jail, that you’ll be confining it to.
I’ll supply a script at the bottom which basically takes care of all of this. However, explaining how I made it helps if you’re chrooting something other than eggdrop.
Using ldd
First there’s ldd, which you can use to figure out which libraries it will need:
# ldd /usr/local/bin/eggdrop
/usr/local/bin/eggdrop:
libtcl84.so.1 => /usr/local/lib/libtcl84.so.1 (0x280c1000)
libm.so.2 => /lib/libm.so.2 (0x2816b000)
libc.so.5 => /lib/libc.so.5 (0x28184000)
So, in eggdrop’s home (which I’ll presume from now on is /home/eggdrop) you’ll need to do the following:
mkdir -p /home/eggdrop/lib /home/eggdrop/usr/local/lib/
cp -p /usr/local/lib/libtcl84.so.1 /home/eggdrop/usr/local/lib/libtcl84.so.1
cp -p /lib/libm.so.2 /home/eggdrop/lib/libm.so.2
cp -p /lib/libc.so.5 /home/eggdrop/lib/libc.so.5
This is by no means a complete list of requirements as you’ll find out with truss and lsof. For some simpler daemons this may be sufficient.
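The ldd step above is done by hand for three libraries. The script below is an added example, not part of the wiki page or of Eggdrop: it parses ldd output (the FreeBSD format quoted above and the very similar GNU ldd format) and mirrors every resolved library into the jail at its original path, so the same routine works for any daemon you want to confine. The jail root, the binary path and the /libexec/ld-elf.so.1 interpreter path are parameters or assumptions taken from this page.

```shell
#!/bin/sh
# Added example (not from the wiki page): turn ldd output into the copy
# commands the page performs by hand. Handles both the FreeBSD ldd format
# quoted above and the GNU ldd format, so it runs on either system.

# Read ldd output on stdin; print one absolute path per line for every
# shared object it resolved ("name => /path (0x...)"). A line that is just
# "/path (0x...)" (how GNU ldd reports the ELF interpreter) is kept too.
# Lines without a path ("not found", the vdso, the "binary:" header) are skipped.
ldd_lib_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// && $2 ~ /^\(0x/ { print $1 }'
}

# Copy each path read from stdin into the jail root $1, recreating the
# original directory so the dynamic linker finds it at the same place.
mirror_libs() {
    jail="$1"
    while IFS= read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "mirror_libs: $lib does not exist on the host" >&2
            continue
        fi
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# jail_binary JAIL BINARY: copy BINARY and everything ldd says it needs.
# FreeBSD's ldd does not list the interpreter, so /libexec/ld-elf.so.1
# (the path the page copies) is mirrored explicitly when it exists.
jail_binary() {
    jail="$1"; bin="$2"
    mkdir -p "$jail$(dirname "$bin")"
    cp -p "$bin" "$jail$bin"
    ldd "$bin" | ldd_lib_paths | mirror_libs "$jail"
    [ -f /libexec/ld-elf.so.1 ] && printf '%s\n' /libexec/ld-elf.so.1 | mirror_libs "$jail"
    return 0
}

# Usage on the page's setup (assumed paths):
#   jail_binary /home/eggdrop /usr/local/bin/eggdrop
```

Libraries are copied to the same path they have on the host rather than flattened into /lib, so the jail needs no ld.so configuration; run the page's lsof and truss steps afterwards, because ldd only reports link-time dependencies, not modules or files opened at run time.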
Using lsof
If you have an already running eggdrop, you can see what files and devices it’s using with lsof. It doesn’t come with FreeBSD; you’ll have to install it from ports (/usr/ports/sysutils/lsof). Running lsof you’ll see a lot of other requirements eggdrop may have. Below is an excerpt from running lsof | grep eggdrop.
eggdrop 27742 eggdrop txt VREG 4,16 155043 5416987 /usr/home/eggdrop/lib/libmysqlclient.so.12
eggdrop 27742 eggdrop txt VREG 4,16 32740 5417370 /usr/home/eggdrop/lib/libcrypt.so.2
eggdrop 27742 eggdrop 0r VCHR 2,2 0t0 5417369 /usr/home/eggdrop/dev/null (like character special /dev/null)
Here we find a few more requirements: my eggdrop happens to need libmysqlclient, so it’s listed, along with libcrypt and the /dev/null device.
Using truss
To use truss you’ll either need options PROCFS in your kernel, or you’ll have to kldload procfs. In either case you’ll have to mount /proc if it’s not mounted already. Use
mount_procfs /dev/procfs /proc
to do so.
Afterwards you can run the program like this
truss -o debug /usr/local/bin/eggdrop /usr/local/etc/eggdrop.conf
This will create a file called debug in the directory you ran it from. From here it gets a bit ugly, but basically you can tell whether the binary was trying to access a library from lines such as:
access("/lib/libtcl84.so.1",0) ERR#2 'No such file or directory'
And whether it eventually succeeded in finding it from lines like
open("/usr/local/lib/libtcl84.so.1",0x0,027757764710) = 4 (0x4)
So running grep open debug should give you a good hint about what needs to be in the eggdrop home directory. If you end up making your own chroot for a different daemon, you can use truss to figure out what’s missing if it isn’t starting up correctly.
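Reading the debug file by eye gets tedious for a daemon that opens hundreds of files. The functions below are an added example, not from the wiki page: they pull the quoted path out of each access/open/stat line, separate the ENOENT misses (ERR#2) from the successful opens, and then list every successfully opened path that does not yet exist under a given jail root. The sample log is constructed in the format of the two lines shown above (no pid prefix), and the jail directory used by the demo is a hypothetical temporary directory.

```shell
#!/bin/sh
# Added example (not from the wiki page): summarise a truss log such as the
# "debug" file produced above. Uses only awk and sort so it runs on FreeBSD
# or Linux; the sample log below is constructed to mirror the page's lines.

# syscall_paths AWK_PATTERN LOG: for every line matching AWK_PATTERN, print
# the quoted first argument, e.g. open("/etc/hosts",0x0,0666) -> /etc/hosts.
syscall_paths() {
    awk "$1"' && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }' "$2" \
        | LC_ALL=C sort -u
}

# truss_missing LOG: paths the program looked for and did not find (ERR#2 is
# ENOENT). Each one is either a real gap in the jail or a search-path miss
# that a later open() satisfied; compare against truss_opened to tell which.
truss_missing() { syscall_paths '/^(access|open|stat)\(/ && / ERR#2 /' "$1"; }

# truss_opened LOG: paths open() actually returned a descriptor for. These
# are the files that must exist inside the jail for the daemon to start.
truss_opened()  { syscall_paths '/^open\(/ && /\) = [0-9]+ \(/' "$1"; }

# jail_missing JAIL LOG: every successfully opened path that is not yet
# present under JAIL, i.e. the list to fix before running the daemon chrooted.
jail_missing() {
    jail="$1"
    truss_opened "$2" | while IFS= read -r p; do
        [ -e "$jail$p" ] || printf '%s\n' "$p"
    done
}

# Constructed sample log in the format truss writes (no pid prefix, as on the page).
write_sample_log() {
    cat > "$1" <<'EOF'
access("/lib/libtcl84.so.1",0) ERR#2 'No such file or directory'
open("/usr/local/lib/libtcl84.so.1",0x0,027757764710) = 4 (0x4)
open("/etc/resolv.conf",0x0,0666) = 5 (0x5)
open("/etc/nonexistent.conf",0x0,0666) ERR#2 'No such file or directory'
EOF
}

# Stand-alone demo against an empty jail directory (hypothetical paths).
demo() {
    d=$(mktemp -d)
    write_sample_log "$d/debug"
    mkdir -p "$d/jail"
    echo "not found:";        truss_missing "$d/debug"
    echo "opened:";           truss_opened "$d/debug"
    echo "absent from jail:"; jail_missing "$d/jail" "$d/debug"
    rm -rf "$d"
}
demo
```

Run truss on the daemon outside the jail first, then feed the log to jail_missing with the jail root; anything it prints is a file the chrooted copy will fail to open. The /lib/libtcl84.so.1 miss in the sample is the loader probing its search path before finding the library under /usr/local/lib, which is why the two lists are kept apart.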
Setting up your environment
Here’s a sample script to run from inside your eggdrop home. In the script below, the parts having to do with mysql are needed for my meteo.tcl script, which uses an SQL connection and mysqltcl. If you don’t have mysqltcl and don’t plan on setting this up, you’ll have to modify the script and take those out.
#!/bin/sh
# Run from inside the eggdrop home; adjust these two to match your setup.
EGGHOME=/home/eggdrop
EGGUSER=eggdrop
cd $EGGHOME || exit 1
chown root:wheel $EGGHOME
mkdir -p $EGGHOME/usr/local/lib/eggdrop
mkdir -p $EGGHOME/usr/local/share/eggdrop/scripts
mkdir -p $EGGHOME/usr/local/share/doc/eggdrop
mkdir -p $EGGHOME/usr/local/etc/
mkdir -p $EGGHOME/usr/local/bin/
mkdir -p $EGGHOME/lib/
mkdir -p $EGGHOME/usr/local/lib/tcl8.4/mysqltcl/
mkdir -p $EGGHOME/usr/local/lib/mysql/
mkdir -p $EGGHOME/libexec
mkdir -p $EGGHOME/dev
mkdir -p $EGGHOME/etc
mkdir -p $EGGHOME/logs
mkdir -p $EGGHOME/usr/share/locale/en_US.ISO8859-1/
mkdir -p $EGGHOME/tmp
chmod 111 $EGGHOME/dev
chown -R $EGGUSER usr/local/share/eggdrop logs
chmod 755 $EGGHOME/usr/local/share/eggdrop/scripts
chown $EGGUSER $EGGHOME/usr/local/share/eggdrop/scripts
chown $EGGUSER $EGGHOME/logs
chmod 777 $EGGHOME/tmp
# Copy eggdrop files the port installed into our home
cp -rp /usr/local/share/eggdrop/scripts/* $EGGHOME/usr/local/share/eggdrop/scripts
cp -rp /usr/local/share/doc/eggdrop/* $EGGHOME/usr/local/share/doc/eggdrop
cp -rp /usr/local/share/eggdrop/* $EGGHOME/usr/local/share/eggdrop
cp -rp /usr/local/lib/eggdrop/* $EGGHOME/usr/local/lib/eggdrop
cp -rp /usr/local/etc/eggdrop.conf $EGGHOME/usr/local/etc/eggdrop.conf
# Eggdrop needs the null device (mode 666, owned by root)
mknod $EGGHOME/dev/null c 2 2
chown root:sys $EGGHOME/dev/null
chmod 666 $EGGHOME/dev/null
# Copy other dependent libs so eggdrop can run; putting them all in /lib is sufficient
cp -p /usr/local/bin/eggdrop $EGGHOME/usr/local/bin/eggdrop
cp -p /lib/libm.so.2 /lib/libc.so.5 /lib/libz.so.2 /lib/libcrypt.so.2 \
    /usr/local/lib/libtcl84.so.1 /usr/local/lib/mysql/libmysqlclient.so.12 \
    /usr/local/lib/tcl8.4/mysqltcl/libmysqltcl.so.2 $EGGHOME/lib
cp -p /libexec/ld-elf.so.1 $EGGHOME/libexec
cp -p /etc/localtime /etc/login.conf* /etc/resolv.conf /etc/services /etc/hosts $EGGHOME/etc
cp -p /usr/share/locale/en_US.ISO8859-1/LC_CTYPE $EGGHOME/usr/share/locale/en_US.ISO8859-1/
# TCL related stuff (Tcl expects its encoding directory to exist inside the jail)
mkdir -p $EGGHOME/usr/local/lib/tcl8.4/encoding
cp -rp /usr/local/lib/tcl8.4/* $EGGHOME/usr/local/lib/tcl8.4/
# This is totally optional; it just makes it easy to access various dirs
# from the eggdrop homedir
ln -s usr/local/share/eggdrop configs
ln -s usr/local/share/doc/eggdrop doc
ln -s usr/local/etc/eggdrop.conf eggdrop.conf
ln -s usr/local/lib/eggdrop modules
ln -s usr/local/share/eggdrop/scripts scripts
chown -R root:wheel etc lib libexec dev bin usr/local/lib/eggdrop usr/local/share/eggdrop/scripts \
    usr/local/share/doc/eggdrop usr/local/etc/eggdrop.conf tmp configs doc eggdrop.conf modules scripts
You’ll also need to copy /etc/passwd and /etc/group to /home/eggdrop/etc/. Below are samples:
# cat /home/eggdrop/etc/passwd
root:*:0:0:Charlie &:/root:/usr/local/bin/zsh
eggdrop:*:1001:1001:Scrambled:/home/eggdrop:/sbin/nologin
# cat /home/eggdrop/etc/group
wheel:*:0:root
eggdrop:*:1001:
Once you are done with this, you can run the chrooted eggdrop with:
chroot -u eggdrop /home/eggdrop /usr/local/bin/eggdrop /eggdrop.conf
You may also want to modify /usr/local/etc/rc.d/eggdrop.sh to reflect this.
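Before wiring the chroot command into rc.d it is worth checking that the jail really looks the way the setup script intends. The audit below is an added example, not from the wiki page: it verifies the points the page's script takes care of (a real /dev/null character device, passwd and group entries for the bot user, no setuid/setgid files carried in by cp -p, and nothing world-writable outside tmp/ and logs/). The jail root and user name are parameters; the demo builds a deliberately flawed jail in a temporary directory, which is a constructed example.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity checks to run on the jail
# before launching "chroot -u eggdrop ...". JAIL and USER are parameters.

# jail_audit JAIL USER: print one line per problem; return the problem count.
jail_audit() {
    jail="$1"; user="$2"; problems=0

    # The page creates /dev/null with mknod; a plain file there is not a null
    # device, and writes to it would grow a file the daemon can read back.
    if [ ! -c "$jail/dev/null" ]; then
        echo "dev/null is not a character device"; problems=$((problems + 1))
    fi

    # chroot -u resolves the user against the jail's own passwd/group files.
    if ! grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null; then
        echo "etc/passwd has no entry for $user"; problems=$((problems + 1))
    fi
    if ! grep -q "^$user:" "$jail/etc/group" 2>/dev/null; then
        echo "etc/group has no entry for $user"; problems=$((problems + 1))
    fi

    # cp -p preserves modes, so a setuid host binary stays setuid inside the
    # jail; nothing the confined user can run should carry those bits.
    if find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | grep -q .; then
        echo "setuid/setgid files present inside the jail"; problems=$((problems + 1))
    fi

    # Only the scratch directories the page chmods (tmp, logs) should be
    # writable by the bot; a writable library or config elsewhere lets the
    # bot modify what it runs next time. Directories named tmp/logs are pruned.
    if find "$jail" -type d \( -name tmp -o -name logs \) -prune \
            -o -type f -perm -0002 -print | grep -q .; then
        echo "world-writable files outside tmp/ and logs/"; problems=$((problems + 1))
    fi

    return "$problems"
}

# build_demo_jail DIR: a constructed jail with four deliberate mistakes.
build_demo_jail() {
    d="$1"
    mkdir -p "$d/dev" "$d/etc" "$d/lib" "$d/tmp" "$d/logs"
    : > "$d/dev/null"                                            # wrong: plain file
    printf 'root:*:0:0:Charlie &:/root:/bin/sh\n' > "$d/etc/passwd"
    printf 'eggdrop:*:1001:1001:Scrambled:/home/eggdrop:/sbin/nologin\n' >> "$d/etc/passwd"
    printf 'wheel:*:0:root\n' > "$d/etc/group"                   # wrong: no eggdrop group
    : > "$d/lib/libfake.so.1";  chmod 4755 "$d/lib/libfake.so.1"  # wrong: setuid
    : > "$d/lib/libworld.so.1"; chmod 666 "$d/lib/libworld.so.1"  # wrong: world-writable
    : > "$d/tmp/scratch";       chmod 666 "$d/tmp/scratch"        # fine: under tmp/
}

# Stand-alone demo (hypothetical temporary jail).
d=$(mktemp -d)
build_demo_jail "$d/jail"
jail_audit "$d/jail" eggdrop || echo "problems found: $?"
rm -rf "$d"
```

Run it as jail_audit /home/eggdrop eggdrop on the real jail; a return value of 0 means the checks passed, and the chroot -u line above can then go into the rc.d script.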

