Re: [vox] quake3 serving from behind a firewall
On Fri, Apr 05, 2002 at 12:50:23AM -0800, ME wrote:
> There have been a slew of security problems with running quake
> servers. (This includes DDoS). No need to explain, the history is
> documented "out there."
>
> Make sure you remain current on versions, and look into running
> automated software to detect certain kinds of attacks and kick/ban users.
>
> Also, strongly suggest you set it to run as nobody,nogroup in a chrooted
> env. This raises the bar enough to keep most potential exploits away.
I've done this before. There's a nifty little program called uchroot. It's
like chroot, but it's installed setuid root. It makes the chroot() system
call, then drops privileges. This lets you su to an unprivileged user,
then do the chroot, thus keeping su out of the chrooted environment.
This way, you can keep all setuid-root binaries out of the chroot
environment. Since only root can make the chroot() system call, this
should keep an attacker from breaking out of the jail.
If anyone wants the scripts I use to load Q3 as an unprivileged user in a
chroot environment, send me mail.
--
Samuel Merritt
PGP key is at http://wwwcsif.cs.ucdavis.edu/~merritt/snmerritt.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
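
The chroot-then-drop sequence described in the reply above, as an added C example (not uchroot's source and not the poster's scripts). The function name `jail_and_drop` and the command-line form are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes chroot() and setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter jail `dir`, then permanently become uid/gid. Returns 0 on success,
 * -1 with errno set on failure. Callers must treat any failure as fatal. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    /* Refuse relative paths and any target that would keep root in the jail. */
    if (dir == NULL || dir[0] != '/' || uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0) return -1;   /* needs root (CAP_SYS_CHROOT) */
    if (chdir("/") != 0) return -1;    /* otherwise cwd still points outside */
    /* Order matters: supplementary groups and gid first, uid last,
     * because after setuid() the process may no longer change groups. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid
        || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Hypothetical usage: helper <jail-dir> <program> [args...] */
    if (argc < 3) {
        fprintf(stderr, "usage: %s <jail-dir> <program> [args...]\n", argv[0]);
        return 2;
    }
    /* Installed setuid root, getuid()/getgid() are the invoking user's ids. */
    if (jail_and_drop(argv[1], getuid(), getgid()) != 0) {
        perror("jail_and_drop");
        return 1;
    }
    execv(argv[2], &argv[2]);          /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```

A helper installed setuid root like this should also restrict which jail directories it accepts, since the contents of the directory are controlled by whoever prepares it.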