[icecast] icecast 2.0.0 chroot problem

David Kramer DKramer at reflect.com
Fri Feb 20 21:14:55 UTC 2004



Hmm, I'm not too familiar with RH AS. I have been using Redhat since 5.2
though, and in my experience it's better to be safe than sorry.
Essentially what you are allowing is the icecast user the ability to log in
to a shell, which can lead to disaster.  Just a piece of advice, I would
disable the shell on that user!!  Good luck and let me know if you have any
other questions on getting Icecast up.

DK

> -----Original Message-----
> From: Jan-Kees Fels [mailto:jankees at familyfels.com]
> Sent: Friday, February 20, 2004 12:06 PM
> To: icecast at xiph.org
> Subject: RE: [icecast] icecast 2.0.0 chroot problem
> 
> 
> Hi,
> 
> As a relative newbie to Linux, I figured out myself that the security on
> the dirs, as you mentioned, had to be opened. As far as the shell login, I
> use the user "icecast" and have the following setup:
> icecast:x:503:505::/home/icecast:/bin/bash
> 
> I believe that it might be wiser to indeed disable the login of icecast, but
> on my redhat 3.0 AS machine it is not required in order to perform the
> "chroot" operation.
> 
> JK
> 
> -----Original Message-----
> From: owner-icecast at xiph.org [mailto:owner-icecast at xiph.org] On Behalf Of David Kramer
> Sent: Friday, February 20, 2004 7:35 PM
> To: 'icecast at xiph.org'
> Subject: RE: [icecast] icecast 2.0.0 chroot problem
> 
> Not sure if this has been fully answered yet, but in order for chroot
> services to run effectively you will need to change the ownership of all
> directories and files to, in this case, nobody:nobody.  If you are not very
> familiar with running chroots, you will also need to disable the shell login
> within your /etc/passwd file, e.g. like this:
> 
> icecast:x:504:505::/opt/icecast:/sbin/nologin
> 
> In this case I set the home dir to my chroot directory where Icecast begins,
> but also disable the shell login.  I'm really anal about my users and
> services matching so I created a specific user for running icecast.  In your
> icecast.xml file you will also need to set your base directory to match your
> chroot:
> 
>         <!-- basedir is only used if chroot is enabled -->
>         <basedir>/opt/icecast</basedir>
> 
>         <!-- Note that if <chroot> is turned on below, these paths must both
>              be relative to the new root, not the original root -->
>         <logdir>/logs</logdir>
>         <webroot>/share/icecast/web</webroot>
>         <adminroot>/share/icecast/admin</adminroot>
>         <pidfile>/share/icecast/icecast.pid</pidfile>
> 
> 
> Let me know if you need any more help setting this up.  This seems to be one
> aspect of icecast I found rather easy for myself.  Now if I can just get it
> connected to a DSP!!!
> 
> Cheers,
> 
> David
> 
> 
> > -----Original Message-----
> > From: Geoff Shang [mailto:gshang at pacific.net.au]
> > Sent: Friday, February 20, 2004 5:59 AM
> > To: icecast at xiph.org
> > Subject: RE: [icecast] icecast 2.0.0 chroot problem
> > 
> > 
> > On Fri, 20 Feb 2004, Jan-Kees Fels wrote:
> > 
> > > I got rid of the following lines number 3 and 8 hereunder. They were
> > > present in the example xml and I think that they don't belong here
> > > because icecast won't run if chroot is not being used........
> > 
> > Lines 3 and 8 specified the beginning and end of a commented out section.
> > The chroot section is commented out since you only need to configure it if
> > you are running it as root (you're encouraged to run it as someone else)
> > and should be edited before use at any rate.
> > 
> > Geoff.
> > 
> > 
> > --- >8 ----
> > List archives:  http://www.xiph.org/archives/
> > icecast project homepage: http://www.icecast.org/
> > To unsubscribe from this list, send a message to 
> > 'icecast-request at xiph.org'
> > containing only the word 'unsubscribe' in the body.  No 
> > subject is needed.
> > Unsubscribe messages sent to the list will be ignored/filtered.
> > 

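The two checks discussed in this thread (no login shell for the icecast account, and chroot paths written relative to the new root) can be audited with a short script. This is an added example, not part of the original messages or of Icecast; the function names, the set of no-login shells, the <icecast> wrapper element and the BAD_XML variant are assumptions made for the demonstration.

```python
import posixpath
import xml.etree.ElementTree as ET

# Shells that refuse interactive logins (assumed set; extend for your distro).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Elements the thread's config says are resolved inside the new root.
CHROOT_RELATIVE = ("logdir", "webroot", "adminroot", "pidfile")

def audit_account(passwd_line):
    """Return findings for one /etc/passwd entry of a service account."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd entry: %r" % passwd_line)
    name, shell = fields[0], fields[6]
    if shell not in NOLOGIN_SHELLS:
        return ["account %s has login shell %s" % (name, shell)]
    return []

def audit_paths(xml_text):
    """Return ({element: host path}, findings) for a chroot-enabled config."""
    values = {el.tag: (el.text or "").strip()
              for el in ET.fromstring(xml_text).iter()}
    basedir = values.get("basedir", "").rstrip("/")
    if not basedir:
        return {}, ["<basedir> is missing or empty"]
    host_paths, findings = {}, []
    for tag in CHROOT_RELATIVE:
        path = values.get(tag)
        if not path:
            continue
        # A value that repeats basedir was written against the original root.
        if path == basedir or path.startswith(basedir + "/"):
            findings.append("<%s> %s includes basedir; expected a path "
                            "inside the new root" % (tag, path))
        host_paths[tag] = posixpath.normpath(basedir + "/" + path.lstrip("/"))
    return host_paths, findings

# Constructed samples: the passwd lines and paths are the ones quoted in the
# thread; the <icecast> wrapper and the BAD_XML variant are assumptions.
GOOD_XML = """<icecast><basedir>/opt/icecast</basedir><logdir>/logs</logdir>
<webroot>/share/icecast/web</webroot><adminroot>/share/icecast/admin</adminroot>
<pidfile>/share/icecast/icecast.pid</pidfile></icecast>"""
BAD_XML = GOOD_XML.replace("<logdir>/logs", "<logdir>/opt/icecast/logs")

if __name__ == "__main__":
    print(audit_account("icecast:x:503:505::/home/icecast:/bin/bash"))
    print(audit_account("icecast:x:504:505::/opt/icecast:/sbin/nologin"))
    print(audit_paths(GOOD_XML))
    print(audit_paths(BAD_XML))
```

The host paths it returns are the directories whose ownership has to match the account Icecast runs as.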

