The other day, I was so excited to have a working IRC server on my box at home that I kinda forgot how insecure IRC was. There is a big reason why IRC is banned at my web hosting employer, since it’s so easy to hack that it represents a serious botnet risk. One of my colleagues at work revealed to me how insecure IRC was, and that it was very well known that a hacker could break through the IRC daemon to the root system and do pretty much whatever. To help secure the daemon, he challenged me to place it into a chroot jail.
“What’s a chroot jail?” I asked.
He explained that it’s a way of changing the apparent root directory for an invoked command, such that the service running under that command is isolated from the rest of the system. It runs in a separate root on its own separate set of libraries. I didn’t get it at first, but I began to grasp the concept after a little while.
Basically, chroot is a core Linux command that will change the root that a command executes under. For something like IRCd, it will start the service using a separate root directory and a separate set of function libraries that the program needs to execute its code, and it will isolate the service from the rest of the system to keep the server secure.
What an interesting challenge to set up! I had to find out which function libraries IRCd used and copy them over to a chosen root directory for my chroot jail, move over all of the /bin/bash commands to the new root, place a passwd file in the new root so that it would recognize my user, and then try to run the service. To start, I began copying all of the libs over to a particular directory, and then decided to move it around a bit.
And then disaster struck…I moved the ENTIRE primary /lib/ directory by accident……
Just so you understand what this means, it’s like someone burned all the books in the library just as I was starting to research my bachelor’s thesis. My commands stopped working, because the programs that the commands use to run could no longer reference the functions in the /lib/ folder! I didn’t realize what I’d done at first, but then the reality slowly sank in that I’d horribly, horribly broken my server! I couldn’t even move the /lib/ folder back to where it belonged to get things working again! All that work and effort and blood and sweat came rushing right up to the forefront of my mind, and I was utterly horrified…
First, I tried to see if I could mount the server hard drive on my desktop Linux system so that I could rescue the server. No matter how I tried, I couldn’t get my desktop to recognize the device, and I eventually gave up on this option. And then I remembered that I still had the install DVD image, which comes with a rescue mode! I restarted the server, inserted the DVD, and then entered the rescue mode so that I could move the libs back to where they needed to be for the system to work properly. Thank God in Heaven that I was able to do this and largely resolve the issue without any serious pain!!
Very hard lesson learned, I then continued to set up the new chroot jail, and managed to successfully get the IRC working in it. After that, I set up a couple of shell scripts executable by the root user so that I could activate and deactivate the server without any serious trouble. I’ll gladly call that a night well spent, thank you!