Ventrilo Voice Communication Server In A Chrooted Environment On Ubuntu Feisty AMD64

This tutorial explains how to set up Ventrilo, a popular voice communication server, in a chrooted environment and run it as a non-privileged user. Parts of it were adapted from http://pelme.se/~andreas/code/ventrilo-chroot/.

The main reason for doing this is security. Ventrilo is distributed only in binary format, which some people distrust. A chrooted environment means the program only has access to its home directory, not the entire system. Running it like this means that if there is a bug or exploit in Ventrilo, it is not likely to compromise the rest of the system.

The tutorial was tested on Ubuntu Feisty AMD64, with the free version of Ventrilo. Instructions on what you need to modify for 32-bit systems are included at the end.

Download the latest version of the Linux server from Ventrilo's website.

Install the 32bit compatibility packages:

apt-get install ia32-libs linux32

Make a directory for chrooted services:

mkdir /opt/chrooted

Create the user for ventrilo:

useradd -s /bin/false -m -d /opt/chrooted/ventrilo ventrilo

Create the new environment for ventrilo:

mkdir -p /opt/chrooted/ventrilo
tar zxvf ~/ventrilo_srv-2.3.1-Linux-i386.tar.gz -C /opt/chrooted/ventrilo
cd /opt/chrooted/ventrilo
mkdir dev
mkdir lib
mkdir lib32
mkdir lib64
mknod dev/null c 1 3
chmod 666 dev/null
chown -R ventrilo /opt/chrooted/ventrilo/*

Copy the needed libraries to Ventrilo's new environment, since it won't have access to the rest of the file system:

cp /lib32/libdl.so.2 lib32
cp /lib32/libc.so.6 lib32
cp /lib/ld-linux.so.2 lib
cp /lib/libc.so.6 lib
cp /lib64/ld-linux-x86-64.so.2 lib64

Copy the following to start.c:

/*
-------------------------------------------------------------
This version has been modified by Grant Emsley <grant @emsley.ca>
Modified on Sept 17, 2007
A program to start ventrilo in a chroot with dropped privileges
Copyright (C) 2005 Andreas Pelme  <andreas @pelme.se>
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
--- Installation -------------------------------------------------------------
* Change the UID/GID to the UID/GID your ventrilo server is intended to run as.
* Compile this file with this command:
gcc -O2 -o start start.c
-----------------------------------------------------------------------------
*/
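#include <stdio.h>
#include <unistd.h>
#include <grp.h>        /* setgroups() */
#include <sys/types.h>  /* gid_t */
// CHANGE THIS TO WHATEVER UID/GID YOU WANT TO RUN VENTRILO AS
#define UID 10007
#define GID 10007
// CHANGE THIS TO WHATEVER UID/GID YOU WANT TO RUN VENTRILO AS
int main(int argc, char **argv)
{
    gid_t gid = GID;
    (void)argc;
    /* Drop the supplementary groups and the GID while still root, and the
       UID last: after setuid() the process can no longer change its groups. */
    if (setgroups(1, &gid) == -1)
    {
        fprintf(stderr, "%s: setgroups() failed!\n", argv[0]);
        return 1;
    }
    if (setgid(GID) == -1)
    {
        fprintf(stderr, "%s: setgid() failed!\n", argv[0]);
        return 1;
    }
    if (setuid(UID) == -1)
    {
        fprintf(stderr, "%s: setuid() failed!\n", argv[0]);
        return 1;
    }
    /* Each option is its own argv entry; the list ends with a NULL pointer. */
    execl("/ventrilo_srv", "ventrilo_srv", "-d", "-fventrilo_srv", (char *)NULL);
    /* execl() only returns if it failed. */
    perror("execl");
    return 1;
}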

Edit the UID and GID lines to match the Ventrilo user.  You can find this number by running:

cat /etc/passwd | grep ventrilo

Compile the start program:

gcc -O2 -o start start.c

If that command gives you errors like "error: stdio.h: No such file or directory", run this first:

apt-get install build-essential

All we need now is a startup script. Copy this to /etc/init.d/ventrilo:

#!/bin/sh
CHROOT="/opt/chrooted/ventrilo"
PIDFILE="$CHROOT/ventrilo_srv.pid"

# POSIX function syntax: /bin/sh on Ubuntu is dash, which rejects "function".
start() {
    echo -n "Starting Ventrilo server..."
    if [ ! -e "$PIDFILE" ]
    then
        chroot "$CHROOT" /start
        echo "done."
    else
        echo "already running!"
        exit
    fi
}

stop() {
    echo -n "Stopping Ventrilo server..."
    if [ -e "$PIDFILE" ]
    then
        kill -9 `cat "$PIDFILE"` > /dev/null
        rm -f "$PIDFILE"
        echo "done."
    else
        echo "not running!"
        # return instead of exit, so that "restart" still starts the server
        return
    fi
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload|force-reload)
        stop
        sleep 1
        start
        ;;
    *)
        echo "Usage: $0 start|stop|restart|reload|force-reload"
        exit 1
        ;;
esac

Edit ventrilo_srv.ini with whatever settings you need. Check their website for the documentation on that.

Set the script to run when the server is started:

update-rc.d ventrilo defaults

That's it. To start the server, run:

/etc/init.d/ventrilo start
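
Once the server is up, it is worth confirming that it really is chrooted and no longer holds root. The following is an added example, not part of the original tutorial: the function names check_confined and make_sample_proc are hypothetical, and the sample /proc tree is constructed.

```shell
#!/bin/sh
# Added example: verify that a running process is chrooted and unprivileged.

# check_confined PID CHROOT [PROC]
# Returns 0 only if every real/effective/saved/fs UID and GID of PID is
# non-zero and its root directory is CHROOT. Returns 1 if a check fails and
# 2 if the process cannot be inspected. PROC defaults to /proc; the parameter
# exists so the check can be exercised on a constructed tree.
check_confined() {
    pid=$1; want_root=${2%/}; proc=${3:-/proc}
    status="$proc/$pid/status"
    [ -r "$status" ] || { echo "no such process: $pid" >&2; return 2; }

    # The "Uid:" and "Gid:" lines each carry four ids: real, effective, saved, fs.
    ids=$(awk '$1 == "Uid:" || $1 == "Gid:" { print $2, $3, $4, $5 }' "$status")
    [ -n "$ids" ] || { echo "no Uid/Gid lines for $pid" >&2; return 2; }
    for id in $ids; do
        [ "$id" -ne 0 ] || { echo "pid $pid still holds id 0" >&2; return 1; }
    done

    # /proc/PID/root is a symlink to the root directory the process sees.
    root=$(readlink "$proc/$pid/root")
    [ "${root%/}" = "$want_root" ] || { echo "pid $pid root is ${root:-?}" >&2; return 1; }
    return 0
}

# Build a constructed /proc-like entry for one process (sample data only).
make_sample_proc() {
    dir=$1; pid=$2; id=$3; root=$4
    mkdir -p "$dir/$pid"
    printf 'Name:\tventrilo_srv\nUid:\t%s\t%s\t%s\t%s\nGid:\t%s\t%s\t%s\t%s\n' \
        "$id" "$id" "$id" "$id" "$id" "$id" "$id" "$id" > "$dir/$pid/status"
    rm -f "$dir/$pid/root"
    ln -s "$root" "$dir/$pid/root"
}
```

Run as root against the live server, using the PID file from the init script: check_confined "$(cat /opt/chrooted/ventrilo/ventrilo_srv.pid)" /opt/chrooted/ventrilo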

 

32bit Linux

If you are on 32-bit Linux, you will need to change the following steps:

  • Don't install the 32bit compatibility packages.
  • Don't make the lib32 or lib64 directories.
  • Don't copy any of the libraries until the end of the installation.
  • Instead of installing the libraries above, run:
ldd ventrilo_srv

Any file listed there with a path on the right side of the arrow has to be copied into /opt/chrooted/ventrilo/lib.

Do the same thing for the start command, and again copy the files to the lib directory:

ldd start
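
The two ldd steps above can be scripted. The following is an added example, not part of the original tutorial: the function names ldd_paths and copy_deps are hypothetical and the sample ldd output is constructed. Besides the paths to the right of an arrow, it also picks up the dynamic loader line, which ldd prints as a bare path with no arrow (the AMD64 steps copy /lib/ld-linux.so.2 for the same reason).

```shell
#!/bin/sh
# Added example: work out which files a chroot needs from `ldd` output.

# Read ldd output on stdin and print the absolute path of every file to copy:
#   "libc.so.6 => /lib/libc.so.6 (0x...)"  -> the path right of the arrow
#   "/lib/ld-linux.so.2 (0x...)"           -> the dynamic loader, no arrow
#   "linux-gate.so.1 =>  (0x...)"          -> provided by the kernel, skipped
#   "libfoo.so => not found"               -> nothing to copy, skipped
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# copy_deps BINARY CHROOT
# Copy each dependency of BINARY into CHROOT under its original directory,
# so /lib/libc.so.6 ends up as CHROOT/lib/libc.so.6.
copy_deps() {
    bin=$1; root=${2%/}
    ldd "$bin" | ldd_paths | while read -r path; do
        mkdir -p "$root$(dirname "$path")"
        cp -L "$path" "$root$path"   # -L copies the file a symlink points to
    done
}

# Constructed sample of what `ldd ventrilo_srv` prints on a 32-bit system.
SAMPLE_LDD='    linux-gate.so.1 =>  (0xffffe000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7f0a000)
    libc.so.6 => /lib/libc.so.6 (0xb7dc0000)
    /lib/ld-linux.so.2 (0xb7f2b000)'

# Paths extracted from the constructed sample, one per line.
sample_paths() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths
}
```

From /opt/chrooted/ventrilo, run copy_deps ventrilo_srv /opt/chrooted/ventrilo and then copy_deps start /opt/chrooted/ventrilo.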