These scripts are used to run a dedicated Quake 3 server (q3ded) inside a chroot environment.

How it works

These scripts are a first-stage loader and a second-stage loader. The first-stage loader changes to a non-root user, executes the chroot() and then calls the second-stage loader. The second-stage loader contains the command-line arguments to q3ded. All it does is run q3ded with the appropriate arguments.

Both these scripts are quite simple, and could easily be combined into one. The reason that I use two scripts is that I have the first-stage loader run as root during the boot process, so that script is root-owned and mode 600. The second-stage loader runs as an unprivileged user in a chroot jail, so it is safe to allow non-root users to modify it.

Example Installation

My system is Debian 3.0 (woody); locations may need to be modified for other systems.

  1. Install Quake 3 and the dedicated server into /usr/local/q3. It is assumed that you know how to do this; installing Quake 3 is outside the scope of this document.
  2. Download and install uchroot by Jason McBrayer. It's like the standard chroot, but it is installed setuid root and drops privileges immediately after executing the chroot() system call.
  3. Add the user "q3" to your system. This is the user that the server will run as. You should not run the server as root since anyone that can take over the server can run commands as the user that the server runs as. If this user is root, the attacker can break out of the chroot jail and have full access to your entire system.
  4. (optional) Add the "q3admin" group to your system and place into it the users responsible for adminstering the server.
  5. Make the files in /usr/local/q3 owned by user q3. If you created the q3admin group, put the files in group q3admin.
  6. Place the first-stage loader script into /etc.rc.boot. Make sure it is owned by root and mode 755, if not 700.
  7. Place the second-stage loader script into /usr/local/q3. If you used different paths than this example, edit the scripts and replace the paths with the appropriate ones for your system.
  8. Run /etc/rc.boot/quake3 to start the server.
  9. (optional) Reboot to test the installation of the scripts.

The dedicated server (q3ded) should now be running as user q3 and unable to access files outside of /usr/local/q3. This is probably the most secure setup available for running a dedicated Quake server.


Files you'll need:

Last modified July 21 2003 by Samuel N. Merritt (