This is a very blunt re-done "copy" from the temporary SearchIRC forum, but I think it has its use, so here we go again (and please guys, try not to lose all these posts this time).
Solaris is a Unix operating system developed by Sun Microsystems and has recently been made available for free, whether you wish to use it privately or on a commercial basis. As a small side note, even additional software, such as a complete network suite ((web)mail, web, application, portal, calendar and identity servers, completely free) or a 'remote desktop', is now freely available.
Due to its enhanced security I think it is an ideal platform for IRC services. And with the latest release you have many options to fully secure your services and lock them down from your other processes. You can even reduce the otherwise increased risks of running the unstable branch to virtually the same level as the stable Anope release. But that's getting ahead of things.
The first thing to do is check what you have and what you want. Solaris ships with all the components you may need for Anope (gcc compiler, MySQL, libraries, etc.), but because some of them are installed in other locations, an installer like Anope's may have trouble finding, for example, the MySQL include files or libraries. When this happens there is no need to panic. Just check the "config.log" file that gets created to see which command line parameters 'Config' used to start the 'configure' script. Then check the configure help screen (./configure --help | less) to see which parameters you need to specify the MySQL locations, and you'll be all set.
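Here is a small shell helper for that config.log step, added as an example and not part of the original post or of Anope's own Config script. It pulls the configure invocation out of an autoconf-style config.log so you can compare the options Config passed with what ./configure --help offers. The config.log excerpt is constructed in autoconf's usual layout; the --prefix path and the --with-mysql option are assumed placeholder values, not Anope's real option names.

```shell
#!/bin/sh
# Added example, not from the original post. Extract the configure
# invocation from config.log and list its options one per line so they
# can be checked against "./configure --help | less".
# The excerpt below is constructed; option names and paths are assumptions.

SAMPLE_CONFIG_LOG='This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by configure, which was
generated by GNU Autoconf 2.59.  Invocation command line was

  $ ./configure --prefix=/export/home/irc/services --with-mysql=/usr/sfw

## --------- ##
## Platform. ##
## --------- ##

hostname = magi
uname -s = SunOS'

# configure_invocation LOGTEXT
# Prints the "./configure ..." command line recorded in LOGTEXT (first match only).
configure_invocation() {
    printf '%s\n' "$1" | sed -n 's/^ *\$ \(\.\/configure.*\)$/\1/p' | head -n 1
}

# configure_options LOGTEXT
# Prints each --option from the recorded invocation on its own line, which is
# handy for grepping them one by one in the ./configure --help output.
configure_options() {
    configure_invocation "$1" | tr ' ' '\n' | grep '^--'
}

# On a real install, point both at the file instead of the constructed text:
#   configure_options "$(cat config.log)"
configure_invocation "$SAMPLE_CONFIG_LOG"
configure_options "$SAMPLE_CONFIG_LOG"
```

If the extracted line carries no MySQL-related option at all, that is the first thing to fix before re-running Config.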
Installing and configuring Anope really isn't much different from other environments, but it starts to become interesting when you look at a way to automatically (re)start Anope. On Linux you may have set up an rc.d file in /etc/init.d and a cron job to check the status of the services. On Solaris there is no longer any need for that if you use the new Service Management Facility (SMF). This facility was set up to replace the old rc.d script structure in order to offer a more robust and versatile way to manage and protect your services. This is done through so-called manifests, which are basically XML files that describe a certain service in detail.
A big advantage over the regular rc.d scripts is that SMF will make sure that your service remains available. So in the event of a crash, SMF will detect it and restart the service. Of course this can also have its disadvantages; for example when an oper needs to shut down the services remotely and wishes to do so through OperServ. If you set things up in the default way, the services will go down, only to be restarted again. This can be overcome, but that's beyond the scope of this post.
Another very big advantage is the so-called privileges. You can somewhat compare this system with SELinux. In short, this system can be used to leave the old Unix model behind, where you have one admin user (root) with full control and regular user accounts with none. Instead you can grant a regular account control over a certain service. But the interesting part is that you can also deny access to certain features. What's more, this can be done with inheritance. For example, I can create an IRC user account which can execute programs, but also tell the system that when it executes something, the spawned processes won't have these privileges. On my servers I usually deny the IRC user the ability to study other processes running on the system. For example:
$ id
uid=503(irc) gid=103(irc)
$ ps -ef | wc -l
4
$ ppriv $$
20049: -sh
flags = <none>
E: basic,!proc_info,!proc_session
I: basic,!proc_info,!proc_session
P: basic,!proc_info,!proc_session
L: basic,proc_chroot,proc_setid
magi:/home/peter $ id
uid=100(peter) gid=10(staff)
magi:/home/peter $ ps -ef | wc -l
133
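To check that a lock-down like the one above actually took, here is an added shell example (not from the original post, and not part of Solaris or Anope) that reads a saved ppriv(1) listing and confirms a privilege is dropped from the Effective, Inheritable and Permitted sets. The listings are constructed to mirror the output above, nothing in the script runs ppriv itself, so it works on a listing copied from any host. The Solaris commands in the comments (usermod -K defaultpriv=..., ppriv -s ...) are given as the usual way to apply such a lock-down and are assumptions about the exact syntax; they are not executed by the script.

```shell
#!/bin/sh
# Added example, not part of the original post or of Solaris/Anope.
# Audit a ppriv(1) listing: confirm that a privilege (proc_info by default)
# is dropped from the E, I and P sets, as in the post's irc account.
#
# On Solaris the lock-down itself is normally applied with (assumed syntax,
# not run here):
#   usermod -K defaultpriv=basic,!proc_info,!proc_session irc   # every login
#   ppriv -s EIP-proc_info,proc_session "$$"                     # this shell only
# and inspected with:  ppriv "$$"

# Constructed listing that mirrors the locked-down irc shell from the post.
SAMPLE_LOCKED='20049: -sh
flags = <none>
        E: basic,!proc_info,!proc_session
        I: basic,!proc_info,!proc_session
        P: basic,!proc_info,!proc_session
        L: basic,proc_chroot,proc_setid'

# Constructed listing of a shell that still has the full basic set.
SAMPLE_OPEN='20050: -sh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all'

# priv_dropped LISTING PRIV SET
# Exit 0 when the SET line (E, I, P or L) of LISTING contains !PRIV, else 1.
priv_dropped() {
    printf '%s\n' "$1" | awk -v target="!$2" -v label="$3:" '
        $1 == label {
            n = split($2, entries, ",")
            for (i = 1; i <= n; i++) if (entries[i] == target) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_privs LISTING PRIV
# Report each set that still grants PRIV; exit 0 only when E, I and P all
# drop it. The I (inheritable) set is the one that decides what processes
# spawned by the service account, such as Anope itself, will get.
audit_privs() {
    rc=0
    for s in E I P; do
        if priv_dropped "$1" "$2" "$s"; then
            echo "$s: $2 dropped"
        else
            echo "$s: $2 still granted"
            rc=1
        fi
    done
    return $rc
}

audit_privs "$SAMPLE_LOCKED" proc_info
audit_privs "$SAMPLE_OPEN" proc_info || echo "open shell: not locked down"
```

On a live system feed it the real listing, e.g. audit_privs "$(ppriv $$)" proc_info, and run it as the service account right before starting Anope; a non-zero exit means the privilege is still inheritable and the services would be able to see other processes after all.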
While it isn't a good idea to blindly rely on all these features to present you with a secure environment, they can make your life a lot easier when it comes to maintaining such services.
To close, let me present you with a specific example of a manifest file which I use to control my Anope services. I'll do so in the next post since I'm not sure how long a message may get on this forum...