View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004743 | unreal | installing | public | 2016-08-30 00:23 | 2016-09-29 20:11 |
| Reporter | _NSAKEY | Assigned To | syzop | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | wont fix | ||
| Product Version | 4.0.5 | ||||
| Summary | 0004743: CHROOTDIR and IRC_USER/IRC_GROUP is broken. | ||||
| Description | A ticket was never made about this issue: https://forums.unrealircd.org/viewtopic.php?t=8533 | ||||
| Steps To Reproduce | Define CHROOTDIR, IRC_USER, and IRC_GROUP. It's busted on 4.x. | ||||
| Additional Information | It's also busted on 3.2.x, but breaks more silently. The compile will complete, but the resulting binary isn't capable of starting the ircd. I care considerably less about this, since 3.2.x is going to be dead in a few months anyway. | ||||
| 3rd party modules | |||||

I made a mistake in filing this report. The references to IRC_USER and IRC_GROUP are unrelated and should be ignored.

Regarding your comment: You do define IRC_USER and IRC_GROUP, right? Running chrooted with root privileges isn't very useful as root can easily break out of the chroot (and such a configuration is thus refused by config.h). Anyway, assuming chroot is indeed broken. Will have to take a look at it. It got broken with all the directory restructuring I think.

Yes, I do. My follow-up comment was inspired by the fact that I tried defining IRC_USER and IRC_GROUP without setting CHROOTDIR.

Ahh, right :) I'm thinking about the best approach here. Presumably the paths would all need to become the "chrooted paths", such as /conf/ and not /home/xyz/conf/. Except... some.. I guess.. like the path to the IRCd binary to launch the thing in the first place :). I'll see if I can have a go this week and put it in 4.0.7, it shouldn't be hard and would like to see this fixed. If I don't get to it then it'll be something for later.

I've been working on a patch for over an hour and it was quickly becoming very ugly. Mostly due to buildtime / runtime path differences. Knowing that chrootdir is only used on 22 out of the 4636 UnrealIRCd servers on the Internet (0.47%) I'm going to remove it since it's too messy / not worth it. For IRC_USER/IRC_GROUP you can use something like start-stop-daemon. For limiting the things the IRCd can do - an alternative to chrooting - I would use something like AppArmor (or SELinux, GRsecurity, ..) which likely is even more secure too. Sorry for this but, well... see above :p

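
The rule discussed in the notes above (a chroot is only accepted together with a non-root user and group to drop to, and the chroot happens before the drop), as an added C example that is not part of the issue thread and not UnrealIRCd's code. The function names, the jail path and the uid/gid 1001 are assumptions.

```c
/* Added example, not UnrealIRCd code: names and values are assumptions. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define ID_UNSET ((uid_t)-1)   /* stands for "IRC_USER/IRC_GROUP not defined" */

enum jail_rc { JAIL_OK = 0, JAIL_NEEDS_IDS = -1, JAIL_ROOT_IDS = -2, JAIL_SYSCALL = -3 };

/* Refuse a chroot that would leave the process running as root. */
int jail_policy(const char *chrootdir, uid_t uid, gid_t gid)
{
    if (chrootdir == NULL || *chrootdir == '\0')
        return JAIL_OK;                       /* no chroot requested */
    if (uid == ID_UNSET || gid == (gid_t)-1)
        return JAIL_NEEDS_IDS;                /* chroot without ids to drop to */
    if (uid == 0 || gid == 0)
        return JAIL_ROOT_IDS;                 /* root inside a chroot can leave it */
    return JAIL_OK;
}

/* chroot while still root, then drop groups, gid and uid, in that order.
 * On any non-zero return the caller must exit instead of continuing. */
int enter_jail(const char *chrootdir, uid_t uid, gid_t gid)
{
    int rc = jail_policy(chrootdir, uid, gid);
    if (rc != JAIL_OK || chrootdir == NULL || *chrootdir == '\0')
        return rc;                            /* refused, or nothing to do */
    if (chroot(chrootdir) != 0 || chdir("/") != 0)
        return JAIL_SYSCALL;                  /* chdir: keep no cwd outside the jail */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_SYSCALL;
    if (setuid(0) == 0)                       /* the drop must be irreversible */
        return JAIL_SYSCALL;
    return JAIL_OK;
}

int main(void)
{
    /* Constructed values: a jail directory and an unprivileged uid/gid. */
    int rc = enter_jail("/srv/ircd-jail", 1001, 1001);
    printf("enter_jail -> %d\n", rc);
    return rc == JAIL_OK ? 0 : 1;
}
```
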
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2016-08-30 00:23 | _NSAKEY | New Issue | |
| 2016-08-30 00:54 | _NSAKEY | Note Added: 0019400 | |
| 2016-09-02 09:39 | syzop | Assigned To | => syzop |
| 2016-09-02 09:39 | syzop | Status | new => acknowledged |
| 2016-09-02 09:41 | syzop | Note Added: 0019401 | |
| 2016-09-03 04:37 | _NSAKEY | Note Added: 0019403 | |
| 2016-09-27 07:57 | syzop | Note Added: 0019422 | |
| 2016-09-29 20:11 | syzop | Note Added: 0019430 | |
| 2016-09-29 20:11 | syzop | Status | acknowledged => closed |
| 2016-09-29 20:11 | syzop | Resolution | open => wont fix |