
Using AppArmor with UnrealIRCd

From UnrealIRCd documentation wiki

UnrealIRCd 4.0.16 and later ship with an AppArmor profile that you can install.

Why use it?

AppArmor allows you to fine-tune which files a process can access. If you enable it for UnrealIRCd and a security vulnerability is later discovered, AppArmor limits what an attacker can do. For example, the attacker would be unable to execute any programs or read other files in the home directory, etc.

AppArmor is installed by default on Ubuntu. It is also available as an option on a number of other distributions.

How to install

First, become root (sudo -i).

Copy and edit the policy

In the UnrealIRCd tarball there is a file extras/security/apparmor/unrealircd. Copy this to the /etc/apparmor.d/ directory:

cp extras/security/apparmor/unrealircd /etc/apparmor.d/

Now, modify the file /etc/apparmor.d/unrealircd with an editor. You should only need to modify this line:

# Change the pathname of your UnrealIRCd executable here:
/home/ircd/unrealircd/bin/unrealircd {

Change this to match the account you are using and the location where UnrealIRCd is installed. Of course, if you are using the account ircd and your binary is in /home/ircd/unrealircd/bin/unrealircd then you can leave it as-is.
IMPORTANT: Be sure to provide the path to the bin/unrealircd binary (e.g. /home/xyz/unrealircd/bin/unrealircd) and NOT the unrealircd script (e.g. /home/xyz/unrealircd/unrealircd).

Activate the policy

To activate the AppArmor policy, run:

apparmor_parser /etc/apparmor.d/unrealircd

Or:

/etc/init.d/apparmor restart

Restart UnrealIRCd

Now try to (re)start your UnrealIRCd. Naturally, do this from the user account, NOT as root.

./unrealircd start

Disabling the policy

If you think you broke something, you can run this to temporarily deactivate the policy:

apparmor_parser --remove /etc/apparmor.d/unrealircd


Or, to permanently disable the policy:
Move or delete /etc/apparmor.d/unrealircd and run /etc/init.d/apparmor restart.

Harmless log messages

You may see some messages like this in the syslog:

Nov 25 09:40:16 machine kernel: [3080084.104059] audit: type=1400 audit(1511599216.755:11475): apparmor="DENIED" operation="chmod" profile="/home/ircd/unrealircd/bin/unrealircd" name="/home/ircd/unrealircd/conf/unrealircd.conf" pid=12661 comm="unrealircd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000

These are harmless (note the operation="chmod") and you'll see them upon boot and on each /REHASH.

TODO: get rid of these? ;)
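
To keep the expected chmod denials from hiding anything else the profile blocks, the following script (an added example, not part of UnrealIRCd or the original page) splits AppArmor denials for the UnrealIRCd profile into the chmod entries described above and everything else. It assumes the profile path from the page's sample; every log line after the first is constructed for illustration.

```python
import re
from collections import Counter

# Profile name exactly as it appears in the page's sample log line.
PROFILE = "/home/ircd/unrealircd/bin/unrealircd"
# Matches key="value" and key=value pairs in a kernel audit record.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First line is the page's sample; the other four are constructed for this example.
SAMPLE_LOG = '''\
Nov 25 09:40:16 machine kernel: [3080084.104059] audit: type=1400 audit(1511599216.755:11475): apparmor="DENIED" operation="chmod" profile="/home/ircd/unrealircd/bin/unrealircd" name="/home/ircd/unrealircd/conf/unrealircd.conf" pid=12661 comm="unrealircd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 25 10:02:41 machine kernel: [3081429.551200] audit: type=1400 audit(1511600561.204:11490): apparmor="DENIED" operation="chmod" profile="/home/ircd/unrealircd/bin/unrealircd" name="/home/ircd/unrealircd/conf/unrealircd.conf" pid=12661 comm="unrealircd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Nov 25 10:15:03 machine kernel: [3082171.310877] audit: type=1400 audit(1511601303.112:11502): apparmor="DENIED" operation="exec" profile="/home/ircd/unrealircd/bin/unrealircd" name="/bin/sh" pid=12661 comm="unrealircd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Nov 25 10:15:04 machine kernel: [3082172.004512] audit: type=1400 audit(1511601304.020:11503): apparmor="DENIED" operation="open" profile="/home/ircd/unrealircd/bin/unrealircd" name=2F686F6D652F697263642F6D792066696C65 pid=12661 comm="unrealircd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 25 10:20:00 machine kernel: [3082468.900001] audit: type=1400 audit(1511601600.500:11510): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=900 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = quoted if quoted else bare
        # The kernel hex-encodes unquoted names containing spaces or special characters.
        if key == "name" and not quoted and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
    return fields

def triage(log_text, profile=PROFILE):
    """Split this profile's denials into expected chmod noise and entries to review."""
    expected, review = Counter(), []
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None or f.get("profile") != profile:
            continue  # not a denial, or a denial for some other profile
        if f.get("operation") == "chmod":
            expected[f.get("name", "?")] += 1  # the harmless case noted on this page
        else:
            review.append((f.get("operation"), f.get("name"), f.get("requested_mask")))
    return expected, review

if __name__ == "__main__":
    expected, review = triage(SAMPLE_LOG)
    print("expected chmod denials:", dict(expected))
    print("denials to review:", review)
```

To run it against a real system, pass the contents of the syslog file to triage() instead of SAMPLE_LOG and set PROFILE to the path used in /etc/apparmor.d/unrealircd.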