下载地址（若站点提供 HTTPS，请改用 HTTPS 下载，并按项目页给出的校验值或签名核对 tar 包后再编译；下文使用的 2.7 / 2.16 都是旧版本，生产环境应使用当前发行版本）


http://olivier.sessink.nl/jailkit/



================1、编译安装jailkit


[root@rac soft]# tar -zxvf jailkit-2.7.tar.gz 


[root@rac jailkit-2.7]# cd ..

[root@rac soft]# cd jailkit-2.7

[root@rac jailkit-2.7]# ls

configure     COPYRIGHT  extra  install-sh   Makefile.in  py          src

configure.ac  debian     ini    INSTALL.txt  man          README.txt

[root@rac jailkit-2.7]#

[root@rac jailkit-2.7]# ./configure 

[root@rac jailkit-2.7]# make;make install


================2、初始化目录（jk_init 会按 /etc/jailkit/jk_init.ini 中各 section 的定义，把程序及其依赖库、配置文件复制进 jail，文件较多。只选真正需要的 section：ssh/scp/sftp/netutils 会把网络客户端放进 jail，使被囚用户能从本机向外发起连接；源文件不存在时 jk_init 只打印 warning 而不报错，需检查 -v 输出）


[root@rac jailkit-2.7]# mkdir /home/jail -p


[root@rac jailkit-2.7]# jk_init -v -j /home/jail basicshell editors extendedshell netbasics  ping netutils ssh sftp scp

。。。。。。


Copying /usr/lib/libpopt.so.0.0.0 to /home/jail/usr/lib/libpopt.so.0.0.0

Copying /usr/bin/smbclient to /home/jail/usr/bin/smbclient

/home/jail/lib/libnsl.so.1 already exists, will not touch it

Source file(s) /usr/lib/sftp-server do not exist

Source file(s) /usr/lib/misc/sftp-server do not exist

Source file(s) /usr/libexec/sftp-server do not exist


[root@rac jailkit-2.7]# cd /home/jail/

[root@rac jail]# ll 

total 20

drwxr-xr-x 2 root root 4096 Apr 27 18:02 bin

drwxr-xr-x 2 root root 4096 Apr 27 18:02 dev

drwxr-xr-x 2 root root 4096 Apr 27 18:02 etc

drwxr-xr-x 2 root root 4096 Apr 27 18:02 lib

drwxr-xr-x 6 root root 4096 Apr 27 18:02 usr

[root@rac jail]# 


[root@rac jail]# ls bin/

bash   cp    date  egrep  gawk    gzip  mkdir   mv   rmdir  sleep  touch

cat    cpio  dd    false  grep    ln    mktemp  pwd  sed    sync   true

chmod  cut   echo  fgrep  gunzip  ls    more    rm   sh     tar    zcat

[root@rac jail]# ls etc/

bashrc  host.conf  issue        ld.so.conf  nsswitch.conf  profile    resolv.conf

group   hosts      ld.so.cache  motd        passwd         protocols  vimrc

[root@rac jail]# ls usr/

bin  lib  libexec  share

[root@rac jail]# 


================3、配置jailkit


[root@rac jail]# cd /etc/jailkit/ 

[root@rac jailkit]# ls

jk_check.ini       jk_chrootsh.ini.dist  jk_lsh.ini       jk_socketd.ini.dist

jk_check.ini.dist  jk_init.ini           jk_lsh.ini.dist  jk_update.ini

jk_chrootsh.ini    jk_init.ini.dist      jk_socketd.ini   jk_update.ini.dist

[root@rac jailkit]# 



[root@rac jailkit]# cat /etc/jailkit/jk_init.ini 

[uidbasics]

# this section probably needs adjustment on 64bit systems

# or non-Linux systems

comment = common files for all jails that need user/group information

paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf


[netbasics]

comment = common files for all jails that need any internet connectivity

paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols


[logbasics]

comment = timezone information

paths = /etc/localtime

need_logsocket = 1


[jk_lsh]

comment = Jailkit limited shell

paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini

users = root

groups = root

need_logsocket = 1

includesections = uidbasics


[limitedshell]

comment = alias for jk_lsh

includesections = jk_lsh


[cvs]

comment = Concurrent Versions System

paths = /usr/bin/cvs

devices = /dev/null


[git]

comment = Fast Version Control System

paths = /usr/bin/git*, /usr/share/git-core

includesections = editors


[scp]

comment = ssh secure copy

paths = /usr/bin/scp

includesections = netbasics, uidbasics

devices = /dev/urandom


[sftp]

comment = ssh secure ftp

paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server

includesections = netbasics, uidbasics

devices = /dev/urandom, /dev/null


[ssh]

comment = ssh secure shell

paths = /usr/bin/ssh

includesections = netbasics, uidbasics

devices = /dev/urandom, /dev/tty, /dev/null


[rsync]

paths = /usr/bin/rsync

includesections = netbasics, uidbasics


[procmail]

comment = procmail mail delivery

paths = /usr/bin/procmail, /bin/sh

devices = /dev/null


[basicshell]

comment = bash based shell with several basic utilities

paths = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8

users = root

groups = root

includesections = uidbasics


[midnightcommander]

comment = Midnight Commander

paths = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview, /usr/share/mc

includesections = basicshell, terminfo


[extendedshell]

comment = bash shell including things like awk, bzip, tail, less

paths = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usb/bin/whoami

includesections = basicshell, midnightcommander, editors


[terminfo]

comment = terminfo databases, required for ncurses

paths = /etc/terminfo, /usr/share/terminfo


[editors]

comment = vim, joe and nano

includesections = terminfo

paths = /usr/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /etc/vimrc, /etc/joe, /usr/share/vim


[netutils]

comment = several internet utilities like wget, ftp, rsync, scp, ssh

paths = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient

includesections = netbasics, ssh, sftp, scp


[apacheutils]

comment = htpasswd utility

paths = /usr/bin/htpasswd


[extshellplusnet]

comment = alias for extendedshell + netutils + apacheutils

includesections = extendedshell, netutils, apacheutils


[openvpn]

comment = jail for the openvpn daemon

paths = /usr/sbin/openvpn

users = root,nobody

groups = root,nogroup

includesections = netbasics

devices = /dev/urandom, /dev/random, /dev/net/tun

includesections = netbasics, uidbasics

need_logsocket = 1


[apache]

comment = the apache webserver, very basic setup, probably too limited for you

paths = /usr/sbin/apache

users = root, www-data

groups = root, www-data

includesections = netbasics, uidbasics


[perl]

comment = the perl interpreter and libraries

paths = /usr/bin/perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5


[xauth]

comment = getting X authentication to work

paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf


[xclients]

comment = minimal files for X clients

paths = /usr/X11R6/lib/X11/rgb.txt

includesections = xauth


[vncserver]

comment = the VNC server program

paths = /usr/bin/Xvnc, /usr/bin/Xrealvnc, /usr/X11R6/lib/X11/fonts/

includesections = xclients



#[xterm]

#comment = xterm

#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo

#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4

[root@rac jailkit]# 



------以sftp配置为例（注意上文 jk_init 输出了三条 "do not exist"：sftp 段列出的四个 sftp-server 路径中只有本机实际存在的那个会被复制，需确认 jail 内确实有 sftp-server，否则 jail 内 sftp 登录不可用）


[sftp]

comment = ssh secure ftp

paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server

includesections = netbasics, uidbasics

devices = /dev/urandom, /dev/null



------创建测试帐号和组


[root@rac home]# useradd -m chrootuser


----限制该帐号（jk_jailuser 会把 /etc/passwd 中的 shell 改成 /usr/sbin/jk_chrootsh、home 改成 /home/jail/./home/chrootuser，其中的 "/./" 用来分隔 jail 根目录与 jail 内路径；jail 内 /home/jail/etc/passwd 的 shell 默认为 /usr/sbin/jk_lsh，因此 jail 里必须先有 jk_lsh。应当用 `jk_init -j /home/jail jk_lsh` 放入（会一并复制 /etc/jailkit/jk_lsh.ini），或用 `-s /bin/bash` 指定 jail 内 shell；像下文那样只 cp jk_lsh 而不带 jk_lsh.ini，jk_lsh 很可能不允许执行任何命令，登录会立即断开）:


[root@rac chrootuser]# jk_jailuser -m -j /home/jail  chrootuser

invalid shell, /home/jail/usr/sbin/jk_lsh does not exist

enter jail directory: 

aborted.. 

[root@rac chrootuser]# which jk_lsh

/usr/sbin/jk_lsh

[root@rac chrootuser]# 



[root@rac chrootuser]# mkdir -p /home/jail/usr/sbin

[root@rac chrootuser]# cp /usr/sbin/jk_lsh /home/jail/usr/sbin/

[root@rac chrootuser]# 


[root@rac chrootuser]# jk_jailuser -m -j /home/jail  chrootuser


[root@rac chrootuser]# grep chroot /etc/passwd

chrootuser:x:504:508::/home/jail/./home/chrootuser:/usr/sbin/jk_chrootsh

[root@rac chrootuser]# 

[root@rac chrootuser]# grep chroot /home/jail/etc/p

passwd     profile    protocols  

[root@rac chrootuser]# grep chroot /home/jail/etc/passwd 

chrootuser:x:504:508::/home/chrootuser:/usr/sbin/jk_lsh

[root@rac chrootuser]# 



[root@rac chrootuser]# cat /home/jail/etc/passwd            

root:x:0:0:root:/root:/bin/bash

chrootuser:x:504:508::/home/chrootuser:/usr/sbin/jk_lsh

[root@rac chrootuser]# 


[root@rac jail]# pwd

/home/jail

[root@rac jail]# ll

total 24

drwxr-xr-x 2 root root 4096 Apr 27 18:02 bin

drwxr-xr-x 2 root root 4096 Apr 27 18:02 dev

drwxr-xr-x 2 root root 4096 Apr 27 18:02 etc

drwxr-xr-x 3 root root 4096 Apr 27 18:12 home

drwxr-xr-x 2 root root 4096 Apr 27 18:02 lib

drwxr-xr-x 7 root root 4096 Apr 27 18:11 usr

[root@rac jail]# ll home

total 4

drwx------ 3 chrootuser chrootuser 4096 Apr 27 18:12 chrootuser

[root@rac jail]# 



----测试效果:

[root@rac home]# ssh  [email protected] 

[email protected]'s password: 

Last login: Tue Apr 27 18:19:41 2010 from 192.168.8.72

Connection to 192.168.8.72 closed.

[root@rac home]# 



---加上v参数查看原因


[root@rac home]# ssh -v [email protected]

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Next authentication method: gssapi-with-mic

debug1: An invalid name was supplied

Cannot determine realm for numeric host address


debug1: An invalid name was supplied

Cannot determine realm for numeric host address


debug1: An invalid name was supplied

Cannot determine realm for numeric host address


debug1: Next authentication method: publickey

debug1: Trying private key: /root/.ssh/identity

debug1: Offering public key: /root/.ssh/id_rsa

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Trying private key: /root/.ssh/id_dsa

debug1: Next authentication method: password

[email protected]'s password: 

debug1: Authentication succeeded (password).

debug1: channel 0: new [client-session]

debug1: Entering interactive session.

debug1: Sending environment.

debug1: Sending env LANG = en_US.UTF-8

Last login: Tue Apr 27 18:20:49 2010 from 192.168.8.72

debug1: client_input_channel_req: channel 0 rtype exit-status reply 0

debug1: channel 0: free: client-session, nchannels 1

Connection to 192.168.8.72 closed.

debug1: Transferred: stdin 0, stdout 0, stderr 36 bytes in 0.1 seconds

debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 327.1

debug1: Exit status 7

[root@rac home]# 


[root@rac home]# echo oracle|passwd --stdin chrootuser

Changing password for user chrootuser.

passwd: all authentication tokens updated successfully.

[root@rac home]# 




----解决（把 jail 内 /home/jail/etc/passwd 中的 shell 由 jk_lsh 改为 /bin/bash。外层 /etc/passwd 的 shell 仍是 jk_chrootsh，由它完成 chroot，再按 jail 内 passwd 启动真正的 shell；改成 bash 后用户在 jail 内获得完整交互 shell，可使用 jail 里复制进去的所有程序，而 jk_lsh 本是按 jk_lsh.ini 白名单限制命令的，需按需取舍。另外上面的 `echo oracle|passwd --stdin chrootuser` 会把明文口令留在 shell history 中，且 oracle 是弱口令，即便测试也建议交互式 passwd 并使用强口令）:



[root@rac etc]# pwd

/home/jail/etc

[root@rac etc]# cat passwd 

root:x:0:0:root:/root:/bin/bash

chrootuser:x:504:508::/home/chrootuser:/usr/sbin/jk_lsh

[root@rac etc]# vi passwd 

[root@rac etc]# cat passwd 

root:x:0:0:root:/root:/bin/bash

#chrootuser:x:504:508::/home/chrootuser:/usr/sbin/jk_lsh

chrootuser:x:504:508::/home/chrootuser:/bin/bash

[root@rac etc]# 



debug1: Next authentication method: publickey

debug1: Trying private key: /root/.ssh/identity

debug1: Offering public key: /root/.ssh/id_rsa

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Trying private key: /root/.ssh/id_dsa

debug1: Next authentication method: password

[email protected]'s password: 

debug1: Authentication succeeded (password).

debug1: channel 0: new [client-session]

debug1: Entering interactive session.

debug1: Sending environment.

debug1: Sending env LANG = en_US.UTF-8

Last login: Tue Apr 27 18:24:49 2010 from 127.0.0.1

bash: id: command not found

bash: id: command not found

[chrootuser@rac ~]$ ls

[chrootuser@rac ~]$ pwd

/home/chrootuser

[chrootuser@rac ~]$ cd /

[chrootuser@rac /]$ ll

bash: ll: command not found

[chrootuser@rac /]$ ls

bin  dev  etc  home  lib  usr

[chrootuser@rac /]$ ls -l

total 24

drwxr-xr-x 2 root root 4096 Apr 27 10:02 bin

drwxr-xr-x 2 root root 4096 Apr 27 10:02 dev

drwxr-xr-x 2 root root 4096 Apr 27 10:24 etc

drwxr-xr-x 3 root root 4096 Apr 27 10:12 home

drwxr-xr-x 2 root root 4096 Apr 27 10:02 lib

drwxr-xr-x 7 root root 4096 Apr 27 10:11 usr

[chrootuser@rac /]$ cd /

[chrootuser@rac /]$ df -h

bash: df: command not found

[chrootuser@rac /]$ fdisk -l

bash: fdisk: command not found

[chrootuser@rac /]$ 


##############################################

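#!/usr/bin/env bash
# Build jailkit from source into its own prefix and expose its admin tools.
# Run as root; network access is required for the download.
set -euo pipefail

# NOTE(review): the tarball is fetched over plain HTTP. Verify its checksum or
# signature against the project's download page before building, and use HTTPS
# if the mirror offers it. 2.16 is an old release; use a current one in production.
JAILKIT_VERSION=2.16
JAILKIT_TARBALL="jailkit-${JAILKIT_VERSION}.tar.bz2"
JAILKIT_URL="http://olivier.sessink.nl/jailkit/${JAILKIT_TARBALL}"
JAILKIT_PREFIX=/usr/local/chroot

# The original line had a stray second argument ("wget -S wget URL"), which
# wget would have treated as an extra URL to fetch.
wget -S -- "$JAILKIT_URL"
tar -xjvf "$JAILKIT_TARBALL"
cd "jailkit-${JAILKIT_VERSION}"

./configure --prefix="$JAILKIT_PREFIX"
make
# make install is expected to set the setuid bit on jk_chrootsh (it needs root to
# chroot); confirm with `ls -l "$JAILKIT_PREFIX/sbin/jk_chrootsh"` afterwards.
make install

# Make the admin tools (jk_init, jk_jailuser, ...) and the jk_chrootsh login shell
# reachable at /usr/sbin, which is the shell path later written into /etc/passwd.
# Symlinks keep the target's setuid bit; do not copy the binaries instead.
ln -s "${JAILKIT_PREFIX}"/sbin/* /usr/sbin/

cd "${JAILKIT_PREFIX}/bin/"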


初始化


# Populate the jail from the sections in jk_init.ini: each section's binaries plus
# the libraries and config files it lists are copied in. Missing source paths only
# produce a warning, so read the -v output. Keep the list minimal: ssh, scp, sftp
# and netutils put network clients inside the jail, which lets a jailed user open
# outbound connections from this host. `ping` is not a section in the 2.7 ini shown
# above; confirm it exists in this version's jk_init.ini.
jk_init -v -j /home/chroot basicshell editors extendedshell netbasics  ping netutils ssh sftp scp



添加账号

# Create the account on the host first; jk_jailuser (below) moves it into the jail.
useradd chrootuser
# Set the password interactively so it does not end up in shell history
# (avoid `echo pw | passwd --stdin`).
passwd chrootuser



[root@promotion_db04 home]# grep chroot /etc/passwd

chrootuser:x:503:504::/home/chrootuser:/bin/bash

[root@promotion_db04 home]# 






[root@promotion_db04 bin]# jk_jailuser -v -m -s /bin/bash -j /home/chroot chrootuser   

adding user chrootuser to /home/chroot/etc/passwd with shell /bin/bash

adding group chrootuser to /home/chroot/etc/group

modify user chrootuser; dir /home/chroot/./home/chrootuser and shell /usr/sbin/jk_chrootsh

Create directory /home/chroot/home

Moving files from /home/chrootuser to /home/chroot/./home/chrootuser

Creating directory/home/chroot/./home/chrootuser

Copying /home/chrootuser/.bashrc to /home/chroot/./home/chrootuser/.bashrc

Copying /home/chrootuser/.bash_profile to /home/chroot/./home/chrootuser/.bash_profile

Copying /home/chrootuser/.bash_logout to /home/chroot/./home/chrootuser/.bash_logout

Creating directory/home/chroot/./home/chrootuser/.gnome2

Removing original home directory /home/chrootuser/.gnome2

Creating directory/home/chroot/./home/chrootuser/.mozilla

Creating directory/home/chroot/./home/chrootuser/.mozilla/extensions

Removing original home directory /home/chrootuser/.mozilla/extensions

Creating directory/home/chroot/./home/chrootuser/.mozilla/plugins

Removing original home directory /home/chrootuser/.mozilla/plugins

Removing original home directory /home/chrootuser/.mozilla

Removing original home directory /home/chrootuser

[root@promotion_db04 bin]# 



[root@promotion_db04 bin]# grep chroot /etc/passwd

chrootuser:x:503:504::/home/chroot/./home/chrootuser:/usr/sbin/jk_chrootsh

[root@promotion_db04 bin]# 


[root@promotion_db04 bin]# grep chroot /home/chroot/etc/passwd 

chrootuser:x:503:504::user:/bin/bash

[root@promotion_db04 bin]# 



模拟登陆报错


[root@user_db03 ~]# ssh -p60777 [email protected]

[email protected]'s password: 

Last login: Tue May 21 17:34:02 2013 from 10.10.10.44

Connection to 10.10.10.45 closed.

[root@user_db03 ~]# 



May 21 17:34:57 promotion_db04 jk_chrootsh[6032]: now entering jail /home/chroot for user chrootuser (503) with arguments 

May 21 17:34:57 promotion_db04 jk_chrootsh[6032]: abort, home directory /home/chrootuser differs from jail home directory user for user chrootuser (503), check /etc/passwd and /home/chroot/etc/pass




解决（原因更可能是：jail 目录 /home/chroot 恰好是该用户原 home 目录 /home/chrootuser 的字符串前缀，jk_jailuser 写 jail 内 passwd 时把这个前缀当作 jail 根剥掉，home 就变成了 "user"，与 /etc/passwd 中的 /home/chroot/./home/chrootuser 不一致；jk_chrootsh 校验两边 home 不符即拒绝登录，见上面的日志。规避方法：jail 目录不要取用户 home 的前缀（例如用 /home/jail 或 /srv/chroot），或像下面这样手工把 jail 内 passwd 的 home 改回 /home/chrootuser）


[root@promotion_db04 bin]# cat /home/chroot/etc/passwd    

root:x:0:0:root:/root:/bin/bash

#chrootuser:x:503:504::user:/bin/bash

chrootuser:x:503:504::/home/chrootuser:/bin/bash

[root@promotion_db04 bin]# 



如果需要 ps  netstat命令查看进程信息 连接信息时


[usertest@promotion_db04 ~]$ ps -ef

Error, do this: mount -t proc none /proc

[usertest@promotion_db04 ~]$ 








 cp /bin/netstat /home/chroot/bin/


[usertest@promotion_db04 ~]$ netstat -ant 

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address               Foreign Address             State      

netstat: no support for `AF INET (tcp)' on this system.

[usertest@promotion_db04 ~]$ 


解决（注意：--bind 是把宿主机的 /proc 整个挂进 jail，被囚用户由此能看到宿主机全部进程的名称、参数以及 /proc/net 等信息。更稳妥的做法是在 jail 内单独挂一个 proc，并在内核支持时加 hidepid=2：`mount -t proc -o hidepid=2 proc /home/chroot/proc`。另外这类挂载重启后会丢失，需要写入 /etc/fstab）


[root@promotion_db04 home]# mkdir -p /home/chroot//proc

[root@promotion_db04 home]# mount --bind /proc /home/chroot/proc

[root@promotion_db04 home]# 




less 不能正常查看文件



[usertest@promotion_db04 ~]$ echo a >>a 

[usertest@promotion_db04 ~]$ echo b >>a 



[usertest@promotion_db04 ~]$ cat a 

a

b

[usertest@promotion_db04 ~]$ grep a

^C

[usertest@promotion_db04 ~]$ grep a a

a

[usertest@promotion_db04 ~]$ head a

a

b

[usertest@promotion_db04 ~]$ tail a

a

b

[usertest@promotion_db04 ~]$ less a

WARNING: terminal is not fully functional

a  (press RETURN)

b

[usertest@promotion_db04 ~]$ 


解决!!!


[usertest@promotion_db04 ~]$ export TERM=linux

[usertest@promotion_db04 ~]$ 


b

[usertest@promotion_db04 ~]$ less a

a

b

[usertest@promotion_db04 ~]$ 


永久解决办法：echo 'export TERM=linux' >>/home/chroot/etc/bashrc（这是在 jail 内强制覆盖 TERM；另一种做法是把客户端实际使用的 TERM 对应的 terminfo 条目复制进 jail，例如 `jk_cp -j /home/chroot /usr/share/terminfo/x/xterm`，这样 less/vim 能直接识别原来的 TERM）


如果需要访问指定目录也可以使用 mount --bind 方式解决（注意 bind 进 jail 的目录对被囚用户就是宿主机的同一棵目录树，只受普通文件权限约束；能只读的尽量只读：`mount --bind SRC DST && mount -o remount,bind,ro DST`；不要把含 setuid 程序或可写系统路径的目录挂进 jail，并写入 /etc/fstab 以便重启后保留）


/home/chroot/etc/bashrc  同时增加如下配置

# Interactive safety aliases for jailed users: -i prompts before overwriting or
# deleting. They only affect interactive bash sessions, not scripts.
alias rm='rm -i'

alias cp='cp -i'

alias mv='mv -i'

# The jail's bin/ has no "ll" (see the "command not found" above); provide the
# usual long listing.
alias ll='ls -l --color=auto'