Installing Gopherbot

Up-to-date with v2.6

If you want to run Gopherbot directly on a Linux host / VM, you can download a release and skip down to installing the archive.

Building from Source

Requirements:

  • A recent (1.18+) version of Go
  • Standard build utilities; make, tar, gzip
  • A Linux system to build on that matches your target deployment host

Steps:

  1. Clone the Gopherbot repository: git clone https://github.com/lnxjedi/gopherbot.git
  2. make dist in the repository root; this will compile the binary and create the gopherbot-linux-amd64.tar.gz archive

Installing the Archive

  1. Extract the downloaded or built archive in /opt to create /opt/gopherbot, e.g.:
[root]# cd /opt
[opt]# tar xzvf /path/to/gopherbot/gopherbot-linux-amd64.tar.gz
  1. (Optional) Also as root, make the gopherbot binary setuid nobody (see below):
[opt]# cd gopherbot
[gopherbot]# ./setuid-nobody.sh

The trivial gb-install-links script will create a set of symlinks to executables. For instance, if $HOME/bin is in your $PATH, you could:

$ /opt/gopherbot/gb-install-links $HOME/bin

See Appendix A for a description of the contents of the installation archive.

Privilege Separation

Gopherbot need never run as root; all of it's privileges derive from the collection of encrypted secrets that a given robot collects. However, given that chat bots may use 3rd-party command plugins, Gopherbot can be installed setuid nobody. This will cause the robot to run with a umask of 0022, and external plugins will run by default as real/effective user nobody. Since Gopherbot child processes do not inherit environment from the parent daemon, this effectively prevents any potential access to the GOPHER_ENCRYPTION_KEY, and any ability to modify the robot's running environment.

NOTE! Be wary of a false sense of security! The process still retains it's primary GID and supplementary groups, so if e.g. your robot unix user belongs to the wheel group, external scripts running as nobody will still be able to sudo. If you want your Robot to sudo, you should add the robot's primary UID to sudoers. Privilege separation is just a simple means of providing additional hardening for your robot's execution environment.