pam_chroot

[root@node1 ~]# cat /etc/issue

Red Hat Enterprise Linux Server release 5.8 (Tikanga)

Kernel \r on an \m

建立测试用户

[root@node1 ~]# useradd test

[root@node1 ~]# mkdir /chroot

[root@node1 ~]# export _DIR=/chroot

[root@node1 ~]# export _USER=test

创建必要的设备文件

[root@node1 ~]# mkdir -pv $_DIR/{etc,bin,dev/pts,lib,home/$_USER,proc}

[root@node1 ~]# mknod -m 644 $_DIR/dev/tty1 c 4 1

[root@node1 ~]# mknod -m 644 $_DIR/dev/tty2 c 4 2

[root@node1 ~]# mknod -m 644 $_DIR/dev/tty3 c 4 3

[root@node1 ~]# mknod -m 644 $_DIR/dev/tty4 c 4 4

[root@node1 ~]# mknod -m 644 $_DIR/dev/tty5 c 4 5

[root@node1 ~]# mknod -m 644 $_DIR/dev/tty6 c 4 6

[root@node1 ~]# mknod -m 444 $_DIR/dev/urandom c 1 9

[root@node1 ~]# mknod -m 666 $_DIR/dev/zero c 1 5

[root@node1 ~]# mknod -m 666 $_DIR/dev/null c 1 3

[root@node1 ~]# mknod -m 666 $_DIR/dev/ptmx c 5 2

[root@node1 ~]# vim /etc/fstab


devpts /chroot/dev/pts devpts gid=5,mode=620 0 0


proc /chroot/proc proc defaults 0 0

[root@node1 ~]# cp /bin/bash /bin/false /bin/pwd /usr/sbin/sshd /bin/true $_DIR/bin/

可以用 ldd 命令查看每个可执行文件需要的 lib，并把这些库复制到 $_DIR/lib 下（缺少任何一个库，对应程序在 chroot 里都无法运行）


[root@node1 lib]# ls $_DIR/lib

ld-linux.so.2 libfipscheck.so.1 libnspr4.so

libaudit.so.0 libgssapi_krb5.so.2 libnss3.so

libcom_err.so.2 libk5crypto.so.3 libnssutil3.so

libcrypto.so.6 libkeyutils.so.1 libpam.so.0

libcrypt.so.1 libkrb5.so.3 libplc4.so

libc.so.6 libkrb5support.so.0 libplds4.so

libdl.so.2 libnsl.so.1 libpthread.so.0

配置文件

libresolv.so.2

libselinux.so.1

libsepol.so.1

libtermcap.so.2

libutil.so.1

libwrap.so.0

libz.so.1


[root@node1 ~]# echo "$_USER $_DIR" >> /etc/security/chroot.conf

[root@node1 ~]# echo "session required pam_chroot.so" >> /etc/pam.d/sshd

[root@node1 ~]# echo "session required pam_chroot.so" >> /etc/pam.d/login


[root@node1 ~]# grep "root:\|$_USER" /etc/passwd > $_DIR/etc/passwd

[root@node1 ~]# grep "root:\|$_USER" /etc/group > $_DIR/etc/group

[root@node1 ~]# chown -R root:root $_DIR

[root@node1 ~]# chown -R $_USER:$_USER $_DIR/home/$_USER

重新启动服务

[root@node1 ~]# service sshd restart


客户端测试

[root@Server250 ~]# ssh test@<node1 地址>

test@<node1 地址>'s password:

-bash-3.2$ ls

-bash: ls: command not found

服务器查看 sshd 进程


[root@node1 ~]# ps -ef | grep sshd

root 10131 1 0 12:06 ? 00:00:00 /usr/sbin/sshd

root 10249 10131 0 12:21 ? 00:00:00 sshd: root@pts/0

root 10287 10131 0 12:24 ? 00:00:00 sshd: test [priv]

test 10291 10287 0 12:24 ? 00:00:00 sshd: test@pts/1

root 10296 10253 0 12:24 pts/0 00:00:00 grep sshd



[root@node1 ~]# ls -l /proc/10291/root

lrwxrwxrwx 1 root root 0 11-05 12:24 /proc/10291/root -> /chroot


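# Extra programs the chrooted shell needs beyond the first cp above
# (uname, dirname, touch, tty) plus librt, which this RHEL 5 host keeps
# under /lib/tls. The earlier mkdir did not create lib/tls inside the
# chroot, so create it first; otherwise the librt copy lands as a plain
# file named "tls" in /chroot/lib. Every copy aborts loudly on failure
# instead of silently leaving the chroot incomplete.
chroot_dir=/chroot
mkdir -p -- "$chroot_dir/lib/tls" || exit 1
for bin in /bin/uname /usr/bin/dirname /bin/touch /usr/bin/tty; do
  cp -- "$bin" "$chroot_dir/bin/" || exit 1
done
cp -- /lib/tls/librt.so.1 "$chroot_dir/lib/tls/" || exit 1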
