Using AppArmor with UnrealIRCd
UnrealIRCd 4.0.16 and later ship with an AppArmor profile that you can install.
Why use it?
AppArmor allows you to fine-tune which files a process can access. If you enable it for UnrealIRCd and a security vulnerability is later discovered, AppArmor would limit an attacker's abilities. For example, the attacker would be unable to execute any programs or read other files in the home directory, etc.
AppArmor is installed by default on Ubuntu. It is also available as an option on a number of other distributions.
How to install
First, become root (sudo -i).
Copy and edit the policy
In the UnrealIRCd tarball there is a file extras/security/apparmor/unrealircd. Copy this to the /etc/apparmor.d/ directory:
cp extras/security/apparmor/unrealircd /etc/apparmor.d/
Now, modify the file /etc/apparmor.d/unrealircd with an editor. You should only need to modify this line:
# Change the pathname of your UnrealIRCd executable here:
/home/ircd/unrealircd/bin/unrealircd {
Change this to the account you are using and where you have UnrealIRCd installed. Of course, if you are using the account ircd and your binary is in /home/ircd/unrealircd/bin/unrealircd then you can leave it as-is.
IMPORTANT: Be sure to provide the path to the bin/unrealircd binary (eg: /home/xyz/unrealircd/bin/unrealircd) and NOT the unrealircd script (eg: /home/xyz/unrealircd/unrealircd)
Activate the policy
To activate the apparmor policy, run:
apparmor_parser /etc/apparmor.d/unrealircd
Or:
/etc/init.d/apparmor restart
Restart UnrealIRCd
Now try to (re)start your UnrealIRCd. Naturally, do this from the user account, NOT as root.
./unrealircd start
Disabling the policy
If you think you broke something then you can temporarily run this to deactivate the policy:
apparmor_parser --remove /etc/apparmor.d/unrealircd
Or to permanently disable the policy:
Move or delete /etc/apparmor.d/unrealircd and run /etc/init.d/apparmor restart
Harmless log messages
You may see some messages like this in the syslog:
Nov 25 09:40:16 machine kernel: [3080084.104059] audit: type=1400 audit(1511599216.755:11475): apparmor="DENIED" operation="chmod" profile="/home/ircd/unrealircd/bin/unrealircd" name="/home/ircd/unrealircd/conf/unrealircd.conf" pid=12661 comm="unrealircd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
These are harmless (note the operation="chmod") and you'll see them upon boot and on each /REHASH.
TODO: get rid of these? ;)
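To keep the harmless chmod denials from hiding denials that matter, the following added example (not part of UnrealIRCd or of the original page) parses AppArmor audit lines for the UnrealIRCd profile and separates the expected chmod events from everything else. The function names, the restriction of "harmless" to files under conf/, and all sample lines except the first are assumptions made for this example.

```python
import re

# Profile name as it appears in the sample log line on this page; set it to the
# binary path you put in /etc/apparmor.d/unrealircd.
PROFILE = "/home/ircd/unrealircd/bin/unrealircd"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_audit_line(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def classify(fields, profile=PROFILE):
    """Return 'ignore', 'expected' or 'review' for one parsed event."""
    if not fields or fields.get("profile") != profile or fields.get("apparmor") != "DENIED":
        return "ignore"  # not a denial logged against the UnrealIRCd profile
    # Assumption: the harmless chmod denials only target files under conf/,
    # as in the page's sample line. Any other denial deserves a look.
    conf_dir = profile.rsplit("/bin/", 1)[0] + "/conf/"
    if fields.get("operation") == "chmod" and fields.get("name", "").startswith(conf_dir):
        return "expected"
    return "review"

def triage(lines):
    """Return (verdict, operation, name) for every denial of this profile."""
    results = []
    for line in lines:
        fields = parse_audit_line(line)
        verdict = classify(fields)
        if verdict != "ignore":
            results.append((verdict, fields.get("operation"), fields.get("name")))
    return results

# First entry is the sample line from this page; the other three are constructed.
_AUDIT = 'Nov 25 09:40:16 machine kernel: [3080084.104059] audit: type=1400 audit(1511599216.755:11475): apparmor="DENIED" '
_UNREAL = 'profile="/home/ircd/unrealircd/bin/unrealircd" '
SAMPLE_LOG = [
    _AUDIT + 'operation="chmod" ' + _UNREAL + 'name="/home/ircd/unrealircd/conf/unrealircd.conf" pid=12661 comm="unrealircd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000',
    _AUDIT + 'operation="exec" ' + _UNREAL + 'name="/bin/dash" pid=12661 comm="unrealircd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    _AUDIT + 'operation="open" ' + _UNREAL + 'name="/home/ircd/.ssh/id_rsa" pid=12661 comm="unrealircd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    _AUDIT + 'operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/example.conf" pid=811 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for verdict, operation, name in triage(SAMPLE_LOG):
        print(f"{verdict:8} {operation:6} {name}")
```

Feed it lines from the syslog or kernel log; events marked review are denials other than the chmod on the configuration files described above.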