@bennet0496
Last active April 3, 2018 12:59
"Wrapper" for running the TS3 server in a chroot() under systemd. When the server is started inside a chroot() by systemd, systemd attaches file descriptor 0 of the service to /dev/null on the host system, which would nullify the safety and security benefits of the chroot.

Setup for the chroot environment

Required Libraries (/path/to/chroot/lib)

  • ld-linux-x86-64.so.2
  • libc.so.6
  • libGeoIP.so.1
  • libm.so.6
  • libnss_files.so.2
  • libresolv.so.2
  • libssl.so.1.0.0
  • libts3db_mariadb.so
  • libcrypto.so.1.0.0
  • libdl.so.2
  • libmariadb.so.2
  • libnss_dns.so.2
  • libpthread.so.0
  • librt.so.1
  • libtinfo.so.5
  • libz.so.1

Symlink lib64 to lib.

Device nodes

mknod -m 666 /path/to/chroot/dev/null c 1 3
mknod -m 666 /path/to/chroot/dev/zero c 1 5
mknod -m 444 /path/to/chroot/dev/random c 1 8
mknod -m 444 /path/to/chroot/dev/urandom c 1 9

Mount a tmpfs on /path/to/chroot/dev/shm.

etc-Files

You need: host.conf, hosts and resolv.conf

[Unit]
Description=Teamspeak 3 Server
After=syslog.target network.target
[Service]
RootDirectory=/opt/teamspeak3
WorkingDirectory=/server
Type=simple
PIDFile=/var/run/ts3server.pid
ExecStart=/server/ts3server_start
ExecStop=/usr/bin/pkill -F /var/run/ts3server.pid
Restart=always
RootDirectoryStartOnly=yes
User=teamspeak
Group=nogroup
SyslogIdentifier=ts3server
[Install]
WantedBy=multi-user.target

#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/*
* Copyright 2017 Bennet Becker <bennet@becker-dd.de>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
* deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
* sell copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
* OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
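int main(int argc, const char* argv[]) {
    char *const parm[] = {"/server/ts3server", "inifile=/server/ts3server.ini", NULL};
    /* Drop the stdin inherited from systemd, which is attached to /dev/null on the host. */
    close(0);
    /* Descriptor 0 is now the lowest free one, so this open() inside the chroot becomes stdin. */
    if (open("/dev/null", O_RDONLY) != 0)
        return 1;
    execv("/server/ts3server", parm);
    return 1; /* only reached if execv() failed */
}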
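
The wrapper above replaces descriptor 0 without checking what it pointed at. The following is an added example, not part of the gist: it shows how a process can test whether an inherited descriptor is the same object as a path resolved under its current root, and rebind it if not. The function names `fd_matches_path`, `rebind_fd` and `demo` are hypothetical, and `/dev/zero` is a constructed stand-in for the descriptor inherited from the service manager.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd and path are the same filesystem object, 0 if not, -1 on error.
 * st_dev/st_ino are compared because st_rdev (1,3 for every /dev/null node)
 * cannot tell a node created inside the chroot from the one on the host. */
int fd_matches_path(int fd, const char *path)
{
    struct stat by_fd, by_path;

    if (fstat(fd, &by_fd) != 0 || stat(path, &by_path) != 0)
        return -1;
    return by_fd.st_dev == by_path.st_dev && by_fd.st_ino == by_path.st_ino;
}

/* Point fd at a fresh open of path, resolved under the current root.
 * Returns 0 on success, -1 on error (fd is left untouched on failure). */
int rebind_fd(int fd, const char *path, int flags)
{
    int fresh = open(path, flags);

    if (fresh < 0)
        return -1;
    if (fresh != fd) {
        if (dup2(fresh, fd) < 0) {
            close(fresh);
            return -1;
        }
        close(fresh);
    }
    return 0;
}

/* Constructed demo: returns 0 when a mismatch is detected and then fixed. */
int demo(void)
{
    int fd = open("/dev/zero", O_RDONLY);   /* stand-in for inherited stdin */
    if (fd < 0)
        return -1;
    int before = fd_matches_path(fd, "/dev/null");
    int rc = rebind_fd(fd, "/dev/null", O_RDONLY);
    int after = fd_matches_path(fd, "/dev/null");
    close(fd);
    return (before == 0 && rc == 0 && after == 1) ? 0 : 1;
}

int main(void) { return demo(); }
```
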