Ventrilo Voice Communication Server In A Chrooted Environment On Ubuntu Feisty AMD64
This tutorial explains how to set up Ventrilo, a popular voice communication server, in a chrooted environment and run it as a non-privileged user. Parts of it were adapted from http://pelme.se/~andreas/code/ventrilo-chroot/.
The main reason for doing this is security. Ventrilo is distributed only in binary format, which some people distrust. A chrooted environment means the program only has access to its home directory, not the entire system. Running it like this means that if there is a bug or exploit in Ventrilo, it is not likely to compromise the rest of the system.
The tutorial was tested on Ubuntu Feisty AMD64, with the free version of Ventrilo. Instructions on what you need to modify for 32-bit systems are included at the end.
Download the latest version of the Linux server from Ventrilo's website.
Install the 32bit compatibility packages:
apt-get install ia32-libs linux32
Make a directory for chrooted services:
mkdir /opt/chrooted
Create the user for ventrilo:
useradd -r -s /bin/false -m -d /opt/chrooted/ventrilo ventrilo
Create the new environment for ventrilo:
mkdir -p /opt/chrooted/ventrilo
tar zxvf ~/ventrilo_srv-2.3.1-Linux-i386.tar.gz -C /opt/chrooted/ventrilo
cd /opt/chrooted/ventrilo
mkdir dev
mkdir lib
mkdir lib32
mkdir lib64
mknod dev/null c 1 3
chmod 666 dev/null
chown -R ventrilo /opt/chrooted/ventrilo/*
Copy the needed libraries to Ventrilo's new environment, since it won't have access to the rest of the file system:
cp /lib32/libdl.so.2 lib32
cp /lib32/libc.so.6 lib32
cp /lib/ld-linux.so.2 lib
cp /lib/libc.so.6 lib
cp /lib64/ld-linux-x86-64.so.2 lib64
Copy the following to start.c:
/* -------------------------------------------------------------
   This version has been modified by Grant Emsley <grant @emsley.ca>
   Modified on Sept 17, 2007

   A program to start ventrilo in a chroot with dropped privileges
   Copyright (C) 2005 Andreas Pelme <andreas @pelme.se>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
   MA 02110-1301, USA.

   --- Installation -------------------------------------------------------------
   * Change the UID/GID to the UID/GID your ventrilo server is intended
     to run as.
   * Compile this file with this command:
     gcc -O2 -o start start.c
   ----------------------------------------------------------------------------- */

#include <stdio.h>
#include <sys/types.h>
#include <grp.h>      /* setgroups() */
#include <unistd.h>   /* setgid(), setuid(), execl() */

// CHANGE THIS TO WHATEVER UID/GID YOU WANT TO RUN VENTRILO AS
#define UID 10007
#define GID 10007
// CHANGE THIS TO WHATEVER UID/GID YOU WANT TO RUN VENTRILO AS

int main(int argc, char **argv)
{
    gid_t gid = GID;

    /* Order matters: drop supplementary groups and the GID while still
       root, and drop the UID last. */
    if (setgroups(1, &gid) == -1) {
        fprintf(stderr, "%s: setgroups() failed!\n", argv[0]);
        return 1;
    }
    if (setgid(GID) == -1) {
        fprintf(stderr, "%s: setgid() failed!\n", argv[0]);
        return 1;
    }
    if (setuid(UID) == -1) {
        fprintf(stderr, "%s: setuid() failed!\n", argv[0]);
        return 1;
    }

    /* Each option is its own argument; the list ends with a NULL pointer. */
    execl("/ventrilo_srv", "ventrilo_srv", "-d", "-fventrilo_srv", (char *)NULL);

    /* execl() only returns if it failed. */
    fprintf(stderr, "%s: execl() failed!\n", argv[0]);
    return 1;
}
Edit the UID and GID lines to match the Ventrilo user. The UID and GID are the third and fourth fields of the line printed by:
cat /etc/passwd | grep ventrilo
Compile the start program:
gcc -O2 -o start start.c
If that command gives you errors like "error: stdio.h: No such file or directory", run this first:
apt-get install build-essential
All we need now is a startup script. Copy this to /etc/init.d/ventrilo:
#!/bin/sh
# Init script for the chrooted Ventrilo server.

CHROOT="/opt/chrooted/ventrilo"
# The server writes its pid file into the root of the chroot.
PIDFILE="$CHROOT/ventrilo_srv.pid"

start() {
    echo -n "Starting Ventrilo server..."
    if [ ! -e "$PIDFILE" ]
    then
        # /start drops privileges, then executes /ventrilo_srv inside the chroot.
        chroot "$CHROOT" /start
        echo "done."
    else
        echo "already running!"
        exit
    fi
}

stop() {
    echo -n "Stopping Ventrilo server..."
    if [ -e "$PIDFILE" ]
    then
        kill -9 `cat "$PIDFILE"` > /dev/null
        rm -f "$PIDFILE"
        echo "done."
    else
        echo "not running!"
        exit
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload|force-reload)
        stop
        sleep 1
        start
        ;;
    *)
        echo "Usage: $0 start|stop|restart|reload|force-reload"
        exit 1
        ;;
esac
Edit ventrilo_srv.ini with whatever settings you need. Check their website for the documentation on that.
Set the script to run when the server is started:
update-rc.d ventrilo defaults
That's it. To start the server, run:
/etc/init.d/ventrilo start
32bit Linux
If you are on 32-bit Linux, you will need to change the following steps:
- Don't install the 32bit compatibility packages.
- Don't make the lib32 or lib64 directories.
- Don't copy any of the libraries until the end of the installation.
- Instead of installing the libraries above, run:
ldd ventrilo_srv
Any file in there that has something on the right side of the arrow has to be copied to the same directory in /opt/chrooted/ventrilo/lib.
Do the same thing for the start command, and again copy the files to the lib directory:
ldd start
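The ldd step above can be scripted. The following is an added example, not part of the original tutorial: it takes every absolute path from ldd output (the right side of each arrow, plus the loader line, which has no arrow) and copies each file to the same path under the chroot. The function names ldd_paths and populate_chroot and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial.

# Constructed sample of 32-bit `ldd ventrilo_srv` output (addresses invented).
SAMPLE_LDD='	linux-gate.so.1 =>  (0xffffe000)
	libdl.so.2 => /lib/libdl.so.2 (0xb7f0a000)
	libc.so.6 => /lib/libc.so.6 (0xb7dc1000)
	/lib/ld-linux.so.2 (0xb7f2b000)'

# Read ldd output on stdin, print one absolute path per line.
# Exits non-zero if ldd reported a library as "not found".
ldd_paths() {
    awk '
        # "libc.so.6 => /lib/libc.so.6 (0x...)": path is right of the arrow
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # "libfoo.so => not found": the binary would not start in the chroot
        $2 == "=>" && $3 == "not" {
            print "missing: " $1 > "/dev/stderr"; bad = 1; next
        }
        # "/lib/ld-linux.so.2 (0x...)": the dynamic loader, no arrow
        $1 ~ /^\// { print $1 }
        # "linux-gate.so.1 => (0x...)" is provided by the kernel: skip it
        END { exit bad }
    '
}

# Copy the libraries of each binary into the chroot, keeping host paths.
# usage: populate_chroot CHROOT_DIR BINARY...
populate_chroot() {
    chroot_dir=$1
    shift
    for bin in "$@"; do
        ldd "$bin" | ldd_paths | while read -r lib; do
            mkdir -p "$chroot_dir$(dirname "$lib")"
            cp "$lib" "$chroot_dir$lib"
        done
    done
}

# Demo on the constructed sample; on a real system, as root, run instead:
#   cd /opt/chrooted/ventrilo && populate_chroot /opt/chrooted/ventrilo ventrilo_srv start
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```

Run the real command again after upgrading the host's libc, since the copies inside the chroot do not receive the host's security updates.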