Irssi in a chroot environment

Posted on by a blogger

Here is a default set of directories etc to setup for a generic chroot.  This example, will be for irssi, so I’ll put that under /chroot/irssi .  Additionally, the /chroot should be a mounted FS (seperate Partition).  Create a User/Group for irssi, and use that too!

Make the User/Group below unique.  Something which nobody else in the system would use.  If something was owned by “nobody” like it is say for Apache2, if the system is compromised, anything using that id would be available, which could help break out of jail.

groupadd my_irssi
useradd -c "Irssi IRC Server" -d /dev/null -g my_irssi -s /bin/false my_irssi

mkdir /chroot/irssi/dev
mkdir /chroot/irssi/lib
mkdir /chroot/irssi/etc
mkdir -p /chroot/irssi/usr/sbin
mkdir /chroot/irssi/usr/lib
mkdir /chroot/irssi/usr/libexec
mkdir -p /chroot/irssi/var/run
mkdir -p /chroot/irssi/var/log/irssi  (Not sure if this one is needed)
mkdir -p /chroot/httpd/home/irssi

Now set the permissions on your directory structure: (NOTE:  Has to be root, for chroot to work properly, and not have to worry about jail-break).

chown -R root /chroot/irssi
chmod -R 0755 /chroot/irssi
chmod 750 /chroot/irssi/var/log/irssi

Create the null device.

mknod /chroot/irssi/dev/null c 1 3
chown root:sys /chroot/irssi/dev/null
chmod 666 /chroot/irssi/dev/null
sudo killall irssi

Copy the .irssi from your home directory…
cp ~/.irssi /chroot/irssi/home/my_irssi/
cp /usr/bin/irssi /chroot/irssi/usr/bin/

Get list of the dynamic shared libraries required…

ldd /usr/bin/irssi
linux-vdso.so.1 =>  (0x00007fff589ff000)
libperl.so.5.10 => /usr/lib/libperl.so.5.10 (0x00007f4ee4f06000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f4ee4d02000)
libm.so.6 => /lib/libm.so.6 (0x00007f4ee4a7f000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007f4ee4863000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f4ee462c000)
libgmodule-2.0.so.0 => /usr/lib/libgmodule-2.0.so.0 (0x00007f4ee4428000)
librt.so.1 => /lib/librt.so.1 (0x00007f4ee4220000)
libglib-2.0.so.0 => /lib/libglib-2.0.so.0 (0x00007f4ee3f44000)
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f4ee3cee000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00007f4ee394d000)
libncurses.so.5 => /lib/libncurses.so.5 (0x00007f4ee3707000)
libc.so.6 => /lib/libc.so.6 (0x00007f4ee33a5000)
/lib64/ld-linux-x86-64.so.2 (0x00007f4ee528a000)
libpcre.so.3 => /lib/libpcre.so.3 (0x00007f4ee3175000)
libz.so.1 => /usr/lib/libz.so.1 (0x00007f4ee2f5d000)

Copy those into the chroot jail, using same Directory structure… Example:  cp  /usr/lib/libperl.so.5.10 /chroot/irssi/usr/lib/

Find anything missing for irssi…

find / -name irssi
And be sure to copy any of those relevant files over….

Afterwords, you need to copy certain libraries for standard networking functionality:

cp /lib/libnss_compat* /chroot/irssi/lib/
cp /lib/libnss_dns* /chroot/irssi/lib/
cp /lib/libnss_files* /chroot/irssi/lib/
cp /lib/libnsl* /chroot/irssi/lib/

Also, copy the /etc/passwd and /etc/group files, then edit them so that only the created user/group are there.

/etc/passwd:
my_irssi:x:12347:12348:Irssi IRC Server:/dev/null:/bin/false

/etc/group:
my_irssi:x:12347:

NOTE:  The shell /bin/false should be copied over as well !
Next, copy some config files over…

cp /etc/hosts /chroot/irssi/etc/
cp /etc/host.conf /chroot/irssi/etc/
cp /etc/resolv.conf /chroot/irssi/etc/
cp /etc/nsswitch.conf /chroot/irssi/etc/

Extra security, set the immutable flag (so files can’t be changed etc, even by Root).

chattr +i /chroot/irssi/etc/hosts
chattr +i /chroot/irssi/etc/host.conf
chattr +i /chorrot/irssi/etc/resolv.conf
chattr +i /chroot/irssi/etc/nsswitch.conf

In order that the log files be written with the correct time, you need to check /etc/localtime. localtime is a symlink to a file in /usr/share/zoneinfo. To find out which file, run ls -l /etc/localtime and copy the appropriate file to /chroot/irssi/etc/localtime.

By default, syslogd monitors log files only in /var/log. The chrooted irssi daemon will write its logs to /chroot/irssi/var/log, however, so you need to tell syslogd to monitor this directory too. To change this you need to edit the appropriate startup script, /etc/rc.d/rc.syslog or /etc/rc.d/init.d/syslog, depending upon your distro.

For /etc/rc.d/rc.syslog change daemon syslogd -m 0 to daemon syslogd -m 0 -a /chroot/irssi/dev/log.

For /etc/rc.d/rc.syslog change:

echo -n ” /usr/sbin/syslogd”
/usr/sbin/syslogd

to:

echo -n ” /usr/sbin/syslogd”
/usr/sbin/syslogd -m 0 -a /chroot/irssi/dev/log

It is a good idea to create the necessary log files and set the appendable bit on them too.

touch /chroot/irssi/var/log/irssi/access_log
touch /chroot/irssi/var/log/irssi/error_log
chmod 600 /chroot/irssi/var/log/irssi/*
chattr +a /chroot/irssi/var/log/irssi/*

Finally, you need to change the irssi startup script to run the chrooted irssi. Depending on your distro, open up /etc/rc.d/rc.irssi or /etc/rc.d/init.d/hirssi and change the command that starts the irssi daemon to read /usr/sbin/chroot /chroot/irssi/ /usr/sbin/irssi.

That should do it… Needs testing.  This info was initially used for chrooting apache2.  Info snaked from here.

Category: Linux