Chrooting an Stunnel daemon
How to chroot an Stunnel daemon
Below is a copy of a document provided by
Dave Lugo available at
http://www.etherboy.com/stunnel/stunnelchroot.
DISCLAIMER: If you damage your system, it's not my fault.
This example is for:
stunnel running chrooted, as a daemon
listening on 993, remote is localhost:143 (local imap)
These instructions are what worked for me on a Redhat 6.0
system. Adjust for your system as necessary.
1) Build and install OpenSSL per the instructions located
here:
http://www.octaldream.com/scottm/talks/ssl/opensslca.html
2) Download and build stunnel. You can download stunnel
from www.stunnel.org
./configure
Then edit the Makefile and change piddir so that:
piddir=/var/
(the pid file is then written to /var inside the chroot, i.e. to
/usr/local/stunnel/var on the real filesystem, which step 6 makes writable
by the stunnel user)
make
make install
3) Create the chroot area directory structure
mkdir /usr/local/stunnel
cd /usr/local/stunnel
mkdir cert dev etc lib sbin var
4) Populate the lib dir with what's needed
cd /usr/local/stunnel/lib
cp /lib/ld-2.1.1.so .
ln -s ld-2.1.1.so ld-linux.so.2
cp /lib/libc-2.1.1.so .
ln -s libc-2.1.1.so libc.so.6
cp /lib/libnsl-2.1.1.so .
ln -s libnsl-2.1.1.so libnsl.so.1
cp /lib/libnss_files-2.1.1.so .
ln -s libnss_files-2.1.1.so libnss_files.so.2
cp /lib/libnss_nis-2.1.1.so .
ln -s libnss_nis-2.1.1.so libnss_nis.so.2
cp /lib/libpthread-0.8.so .
ln -s libpthread-0.8.so libpthread.so.0
cp /lib/libutil-2.1.1.so .
ln -s libutil-2.1.1.so libutil.so.1
strip *
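The library list above is specific to glibc 2.1.1 on Red Hat 6.0. The following script is an added example (not part of Dave Lugo's document) that derives the list from what the dynamic loader reports for the stunnel binary and copies each library to the same relative path under the chroot, then reports anything still missing. The chroot path /usr/local/stunnel is the one used in the text; passing `which stunnel` for the binary mirrors step 8, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original document: fill the chroot's lib
# directory from the loader's own dependency list for the stunnel binary
# instead of hand-copying glibc 2.1.1 file names.
# Usage (paths assumed to match the text):
#   sh populate-libs.sh /usr/local/stunnel "$(which stunnel)"

# Read ldd output on stdin and print only the absolute library paths.
# ldd lines look like:
#   libc.so.6 => /lib/libc.so.6 (0x40020000)
#   /lib/ld-linux.so.2 (0x40000000)
#   linux-gate.so.1 =>  (0xffffe000)    <- kernel-provided, no file: skipped
lib_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Copy every path read on stdin into the chroot at the same relative place
# (/lib/libc.so.6 -> $1/lib/libc.so.6).  -L dereferences symlinks so the
# chroot gets a real file under the soname the loader looks for; the copy
# is left readable but writable only by root.
copy_libs_into() {
    root=$1
    while IFS= read -r lib; do
        [ -n "$lib" ] || continue
        dest="$root$lib"
        mkdir -p "$(dirname "$dest")"
        cp -L "$lib" "$dest"
        chmod 644 "$dest"
    done
}

# Read library paths on stdin and print those absent under the chroot $1.
# Run this after copying, and again after any glibc upgrade on the host.
missing_libs() {
    root=$1
    while IFS= read -r lib; do
        [ -e "$root$lib" ] || echo "$lib"
    done
}

if [ $# -eq 2 ]; then
    ldd "$2" | lib_paths | copy_libs_into "$1"
    left=$(ldd "$2" | lib_paths | missing_libs "$1")
    if [ -n "$left" ]; then
        echo "still missing under $1:" >&2
        echo "$left" >&2
        exit 1
    fi
    echo "libraries for $2 are in place under $1"
fi
```

Copying to the same relative path matters once libraries live outside /lib (for example /usr/lib): the loader inside the chroot searches the paths compiled into it, not a flat lib directory.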
5) Create a urandom device file in the chroot area (OpenSSL seeds its random
number generator from it, and the chrooted daemon cannot see the real /dev).
cd /usr/local/stunnel/dev
mknod -m 644 urandom c 1 9
6) Create an 'stunnel' user and 'stunnel' group in the /etc/passwd
and /etc/group, and setup chrooted versions of those files. Also
chgrp/chmod the chrooted var dir, so the stunnel user can write
its pid file.
Make sure the UID/GID you use are unique; these are the lines
I used:
echo "stunnel:x:27:27:stunnel user:/usr/local/stunnel:/bin/false" >> /etc/passwd
(the seventh field is the login shell; /bin/false means the account cannot be
used to log in)
grep stunnel /etc/passwd > /usr/local/stunnel/etc/passwd
echo "stunnel::27:stunnel" >> /etc/group
grep stunnel /etc/group > /usr/local/stunnel/etc/group
chgrp stunnel /usr/local/stunnel/var
chmod g+w /usr/local/stunnel/var
7) Add a few more things to the etc dir.
echo "127.0.0.1 localhost localhost.localdomain" \
> /usr/local/stunnel/etc/hosts
This example is for stunnel listening on 993, remote is localhost:143
(the local imap server). Once chrooted, stunnel can only read these copies,
so the 'localhost' and 'imap' names on its command line must resolve from
them. Change the 'ALL' in hosts.allow as needed for your security needs.
echo "localhost.imap: ALL" > /usr/local/stunnel/etc/hosts.allow
echo "ALL: ALL" > /usr/local/stunnel/etc/hosts.deny
echo "imap2 143/tcp imap" > /usr/local/stunnel/etc/services
8) Copy the stunnel binary to the sbin directory
cd /usr/local/stunnel/sbin
cp `which stunnel` .
strip stunnel
chmod 700 stunnel
9) Setup the certificate in the chroot area.
Remove the passphrase from your certificate, per the instructions
here:
http://www.octaldream.com/scottm/talks/ssl/stunnel.html
Then copy it over:
cp /path/to/mycert.pem /usr/local/stunnel/cert/mycert.pem
(replace /path/to/mycert.pem with the location of your passphrase-less
certificate file)
chmod 600 /usr/local/stunnel/cert/mycert.pem
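Steps 3 to 9 set up a number of permissions and files by hand, and a mistake in any of them either breaks the daemon or weakens the chroot. The following audit script is an added example (not part of Dave Lugo's document) that checks each of those settings against a chroot tree before the init script starts the daemon. The path, user name and uid/gid 27 are the values used in the text and are only defaults here; the check and function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original document: audit the chroot tree
# built in steps 3 to 9.  Each check mirrors one thing the text sets up by
# hand.  The defaults (user stunnel, uid/gid 27) are the values from the text.
# Usage:  sh audit-chroot.sh /usr/local/stunnel [user uid gid]

# dev must contain exactly one entry, the urandom character device (step 5)
check_dev_nodes() {
    [ -c "$1/dev/urandom" ] || return 1
    [ "$(ls -A "$1/dev" | grep -c .)" -eq 1 ]
}

# no setuid/setgid files anywhere in the tree
check_no_setuid() {
    [ -z "$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print)" ]
}

# nothing world-writable (symlinks excluded: their mode bits are meaningless)
check_no_world_writable() {
    [ -z "$(find "$1" ! -type l -perm -0002 -print)" ]
}

# $1 is a regular file whose mode is exactly the octal $2 (steps 8 and 9)
check_file_mode() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm "$2" -print)" ]
}

# var must be group-writable so the pid file can be written (step 6)
check_var_group_writable() {
    [ -d "$1/var" ] && [ -n "$(find "$1/var" -prune -perm -020 -print)" ]
}

# the chrooted etc/passwd and etc/group must carry the service account with
# the expected ids, or "-s stunnel -g stunnel" cannot be resolved after chroot
check_chroot_account() {
    awk -F: -v u="$2" -v id="$3" -v g="$4" \
        '$1 == u && $3 == id && $4 == g { ok = 1 } END { exit !ok }' \
        "$1/etc/passwd" 2>/dev/null \
    && awk -F: -v u="$2" -v g="$4" \
        '$1 == u && $3 == g { ok = 1 } END { exit !ok }' \
        "$1/etc/group" 2>/dev/null
}

# run one check, print its verdict, count failures in $bad
_audit_one() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; bad=$((bad + 1)); fi
}

# run every check against the chroot $1; returns the number of failed checks
audit_chroot() {
    root=$1; user=${2:-stunnel}; uid=${3:-27}; gid=${4:-27}
    bad=0
    _audit_one "dev holds only the urandom device"      check_dev_nodes "$root"
    _audit_one "no setuid/setgid files"                 check_no_setuid "$root"
    _audit_one "nothing world-writable"                 check_no_world_writable "$root"
    _audit_one "sbin/stunnel is mode 700"               check_file_mode "$root/sbin/stunnel" 700
    _audit_one "cert/mycert.pem is mode 600"            check_file_mode "$root/cert/mycert.pem" 600
    _audit_one "var is group-writable (pid file)"       check_var_group_writable "$root"
    _audit_one "etc/passwd+group carry $user $uid/$gid" check_chroot_account "$root" "$user" "$uid" "$gid"
    return $bad
}

if [ $# -ge 1 ]; then
    audit_chroot "$@"
fi
```

The exit status is the number of failed checks, so the script can be run from the init script's start branch and the daemon refused when it is non-zero.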
10) If you want logging, either pass a "-a ..." option to syslogd via
its init script (the chrooted daemon cannot reach the system's /dev/log,
so syslogd has to open an extra socket inside the chroot), or use holelogd.
This is left as an exercise for the reader :)
11) Prepare an init script. One is provided below.
#!/bin/sh
#
# stunnel       Start/Stop the stunnel daemons
#
# description: stunnel is a script that runs stunnel daemons
# version 1.00
#
# chkconfig: 345 40 60
# processname: stunnel

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting stunnel services: "
        daemon chroot /usr/local/stunnel /sbin/stunnel \
            -s stunnel -g stunnel -p /cert/mycert.pem \
            -d 993 -r localhost:imap
        echo
        ;;
  stop)
        echo -n "Stopping stunnel services: "
        killproc stunnel
        echo
        ;;
  status)
        status stunnel
        ;;
  restart)
        /etc/rc.d/init.d/stunnel stop
        /etc/rc.d/init.d/stunnel start
        ;;
  *)
        echo "Usage: stunnel {start|stop|status|restart}"
        exit 1
esac
exit 0