下载地址
http://olivier.sessink.nl/jailkit/
================1、编译安装jailkit
[root@rac soft]# tar -zxvf jailkit-2.7.tar.gz
[root@rac jailkit-2.7]# cd ..
[root@rac soft]# cd jailkit-2.7
[root@rac jailkit-2.7]# ls
configure COPYRIGHT extra install-sh Makefile.in py src
configure.ac debian ini INSTALL.txt man README.txt
[root@rac jailkit-2.7]#
[root@rac jailkit-2.7]# ./configure
[root@rac jailkit-2.7]# make;make install
===============2、初始化目录(会复制很多文件)
[root@rac jailkit-2.7]# mkdir /home/jail -p
[root@rac jailkit-2.7]# jk_init -v -j /home/jail basicshell editors extendedshell netbasics ping netutils ssh sftp scp
。。。。。。
Copying /usr/lib/libpopt.so.0.0.0 to /home/jail/usr/lib/libpopt.so.0.0.0
Copying /usr/bin/smbclient to /home/jail/usr/bin/smbclient
/home/jail/lib/libnsl.so.1 already exists, will not touch it
Source file(s) /usr/lib/sftp-server do not exist
Source file(s) /usr/lib/misc/sftp-server do not exist
Source file(s) /usr/libexec/sftp-server do not exist
[root@rac jailkit-2.7]# cd /home/jail/
[root@rac jail]# ll
total 20
drwxr-xr-x 2 root root 4096 Apr 27 18:02 bin
drwxr-xr-x 2 root root 4096 Apr 27 18:02 dev
drwxr-xr-x 2 root root 4096 Apr 27 18:02 etc
drwxr-xr-x 2 root root 4096 Apr 27 18:02 lib
drwxr-xr-x 6 root root 4096 Apr 27 18:02 usr
[root@rac jail]#
[root@rac jail]# ls bin/
bash cp date egrep gawk gzip mkdir mv rmdir sleep touch
cat cpio dd false grep ln mktemp pwd sed sync true
chmod cut echo fgrep gunzip ls more rm sh tar zcat
[root@rac jail]# ls etc/
bashrc host.conf issue ld.so.conf nsswitch.conf profile resolv.conf
group hosts ld.so.cache motd passwd protocols vimrc
[root@rac jail]# ls usr/
bin lib libexec share
[root@rac jail]#
================3、配置jailkit
[root@rac jail]# cd /etc/jailkit/
[root@rac jailkit]# ls
jk_check.ini jk_chrootsh.ini.dist jk_lsh.ini jk_socketd.ini.dist
jk_check.ini.dist jk_init.ini jk_lsh.ini.dist jk_update.ini
jk_chrootsh.ini jk_init.ini.dist jk_socketd.ini jk_update.ini.dist
[root@rac jailkit]#
[root@rac jailkit]# cat /etc/jailkit/jk_init.ini
[uidbasics]
# this section probably needs adjustment on 64bit systems
# or non-Linux systems
comment = common files for all jails that need user/group information
paths = /lib/libnsl.so.1, /lib64/libnsl.so.1, /lib/libnss*.so.2, /lib64/libnss*.so.2, /etc/nsswitch.conf, /etc/ld.so.conf
[netbasics]
comment = common files for all jails that need any internet connectivity
paths = /lib/libnss_dns.so.2, /lib64/libnss_dns.so.2, /etc/resolv.conf, /etc/host.conf, /etc/hosts, /etc/protocols
[logbasics]
comment = timezone information
paths = /etc/localtime
need_logsocket = 1
[jk_lsh]
comment = Jailkit limited shell
paths = /usr/sbin/jk_lsh, /etc/jailkit/jk_lsh.ini
users = root
groups = root
need_logsocket = 1
includesections = uidbasics
[limitedshell]
comment = alias for jk_lsh
includesections = jk_lsh
[cvs]
comment = Concurrent Versions System
paths = /usr/bin/cvs
devices = /dev/null
[git]
comment = Fast Version Control System
paths = /usr/bin/git*, /usr/share/git-core
includesections = editors
[scp]
comment = ssh secure copy
paths = /usr/bin/scp
includesections = netbasics, uidbasics
devices = /dev/urandom
[sftp]
comment = ssh secure ftp
paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
[ssh]
comment = ssh secure shell
paths = /usr/bin/ssh
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/tty, /dev/null
[rsync]
paths = /usr/bin/rsync
includesections = netbasics, uidbasics
[procmail]
comment = procmail mail delivery
paths = /usr/bin/procmail, /bin/sh
devices = /dev/null
[basicshell]
comment = bash based shell with several basic utilities
paths = /bin/sh, /bin/bash, /bin/ls, /bin/cat, /bin/chmod, /bin/mkdir, /bin/cp, /bin/cpio, /bin/date, /bin/dd, /bin/echo, /bin/egrep, /bin/false, /bin/fgrep, /bin/grep, /bin/gunzip, /bin/gzip, /bin/ln, /bin/ls, /bin/mkdir, /bin/mktemp, /bin/more, /bin/mv, /bin/pwd, /bin/rm, /bin/rmdir, /bin/sed, /bin/sh, /bin/sleep, /bin/sync, /bin/tar, /bin/touch, /bin/true, /bin/uncompress, /bin/zcat, /etc/motd, /etc/issue, /etc/bash.bashrc, /etc/bashrc, /etc/profile, /usr/lib/locale/en_US.utf8
users = root
groups = root
includesections = uidbasics
[midnightcommander]
comment = Midnight Commander
paths = /usr/bin/mc, /usr/bin/mcedit, /usr/bin/mcview, /usr/share/mc
includesections = basicshell, terminfo
[extendedshell]
comment = bash shell including things like awk, bzip, tail, less
paths = /usr/bin/awk, /usr/bin/bzip2, /usr/bin/bunzip2, /usr/bin/ldd, /usr/bin/less, /usr/bin/clear, /usr/bin/cut, /usr/bin/du, /usr/bin/find, /usr/bin/head, /usr/bin/less, /usr/bin/md5sum, /usr/bin/nice, /usr/bin/sort, /usr/bin/tac, /usr/bin/tail, /usr/bin/tr, /usr/bin/sort, /usr/bin/wc, /usr/bin/watch, /usb/bin/whoami
includesections = basicshell, midnightcommander, editors
[terminfo]
comment = terminfo databases, required for ncurses
paths = /etc/terminfo, /usr/share/terminfo
[editors]
comment = vim, joe and nano
includesections = terminfo
paths = /usr/bin/joe, /usr/bin/nano, /usr/bin/vi, /usr/bin/vim, /etc/vimrc, /etc/joe, /usr/share/vim
[netutils]
comment = several internet utilities like wget, ftp, rsync, scp, ssh
paths = /usr/bin/wget, /usr/bin/lynx, /usr/bin/ftp, /usr/bin/host, /usr/bin/rsync, /usr/bin/smbclient
includesections = netbasics, ssh, sftp, scp
[apacheutils]
comment = htpasswd utility
paths = /usr/bin/htpasswd
[extshellplusnet]
comment = alias for extendedshell + netutils + apacheutils
includesections = extendedshell, netutils, apacheutils
[open***]
comment = jail for the open*** daemon
paths = /usr/sbin/open***
users = root,nobody
groups = root,nogroup
includesections = netbasics
devices = /dev/urandom, /dev/random, /dev/net/tun
includesections = netbasics, uidbasics
need_logsocket = 1
[apache]
comment = the apache webserver, very basic setup, probably too limited for you
paths = /usr/sbin/apache
users = root, www-data
groups = root, www-data
includesections = netbasics, uidbasics
[perl]
comment = the perl interpreter and libraries
paths = /usr/bin/perl, /usr/lib/perl, /usr/lib/perl5, /usr/share/perl, /usr/share/perl5
[xauth]
comment = getting X authentication to work
paths = /usr/bin/X11/xauth, /usr/X11R6/lib/X11/rgb.txt, /etc/ld.so.conf
[xclients]
comment = minimal files for X clients
paths = /usr/X11R6/lib/X11/rgb.txt
includesections = xauth
[vncserver]
comment = the VNC server program
paths = /usr/bin/Xvnc, /usr/bin/Xrealvnc, /usr/X11R6/lib/X11/fonts/
includesections = xclients
#[xterm]
#comment = xterm
#paths = /usr/bin/X11/xterm, /usr/share/terminfo, /etc/terminfo
#devices = /dev/pts/0, /dev/pts/1, /dev/pts/2, /dev/pts/3, /dev/pts/4, /dev/ptyb4, /dev/ptya4, /dev/tty, /dev/tty0, /dev/tty4
[root@rac jailkit]#
------以sftp配置为例
[sftp]
comment = ssh secure ftp
paths = /usr/lib/sftp-server, /usr/libexec/openssh/sftp-server, /usr/lib/misc/sftp-server, /usr/libexec/sftp-server
includesections = netbasics, uidbasics
devices = /dev/urandom, /dev/null
------创建测试帐号和组
[root@rac home]# useradd -m chrootuser
----限制该帐号:
[root@rac chrootuser]# jk_jailuser -m -j /home/jail chrootuser
invalid shell, /home/jail/usr/sbin/jk_lsh does not exist
enter jail directory:
aborted..
[root@rac chrootuser]# which jk_lsh
/usr/sbin/jk_lsh
[root@rac chrootuser]#
[root@rac chrootuser]# mkdir -p /home/jail/usr/sbin
[root@rac chrootuser]# cp /usr/sbin/jk_lsh /home/jail/usr/sbin/
[root@rac chrootuser]#
[root@rac chrootuser]# jk_jailuser -m -j /home/jail chrootuser
[root@rac chrootuser]# grep chroot /etc/passwd
chrootuser:x:504:508::/home/jail/./home/chrootuser:/usr/sbin/jk_chrootsh
[root@rac chrootuser]#
[root@rac chrootuser]# grep chroot /home/jail/etc/p
passwd profile protocols
[root@rac chrootuser]# grep chroot /home/jail/etc/passwd
chrootuser:x:504:508::/home/chrootuser:/usr/sbin/jk_lsh
[root@rac chrootuser]#
[root@rac chrootuser]# cat /home/jail/etc/passwd
root:x:0:0:root:/root:/bin/bash
chrootuser:x:504:508::/home/chrootuser:/usr/sbin/jk_lsh
[root@rac chrootuser]#
[root@rac jail]# pwd
/home/jail
[root@rac jail]# ll
total 24
drwxr-xr-x 2 root root 4096 Apr 27 18:02 bin
drwxr-xr-x 2 root root 4096 Apr 27 18:02 dev
drwxr-xr-x 2 root root 4096 Apr 27 18:02 etc
drwxr-xr-x 3 root root 4096 Apr 27 18:12 home
drwxr-xr-x 2 root root 4096 Apr 27 18:02 lib
drwxr-xr-x 7 root root 4096 Apr 27 18:11 usr
[root@rac jail]# ll home
total 4
drwx------ 3 chrootuser chrootuser 4096 Apr 27 18:12 chrootuser
[root@rac jail]#
----测试效果:
[root@rac home]# ssh [email protected]
[email protected]'s password:
Last login: Tue Apr 27 18:19:41 2010 from 192.168.8.72
Connection to 192.168.8.72 closed.
[root@rac home]#
---加上 -v 参数查看原因
[root@rac home]# ssh -v [email protected]
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Apr 27 18:20:49 2010 from 192.168.8.72
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.8.72 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 36 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 327.1
debug1: Exit status 7
[root@rac home]#
[root@rac home]# echo oracle|passwd --stdin chrootuser
Changing password for user chrootuser.
passwd: all authentication tokens updated successfully.
[root@rac home]#
----解决（注意：这里把 jail 内该用户的 shell 从受限的 jk_lsh 改成了完整的 /bin/bash，限制随之放宽）:
[root@rac etc]# pwd
/home/jail/etc
[root@rac etc]# cat passwd
root:x:0:0:root:/root:/bin/bash
chrootuser:x:504:508::/home/chrootuser:/usr/sbin/jk_lsh
[root@rac etc]# vi passwd
[root@rac etc]# cat passwd
root:x:0:0:root:/root:/bin/bash
#chrootuser:x:504:508::/home/chrootuser:/usr/sbin/jk_lsh
chrootuser:x:504:508::/home/chrootuser:/bin/bash
[root@rac etc]#
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Apr 27 18:24:49 2010 from 127.0.0.1
bash: id: command not found
bash: id: command not found
[chrootuser@rac ~]$ ls
[chrootuser@rac ~]$ pwd
/home/chrootuser
[chrootuser@rac ~]$ cd /
[chrootuser@rac /]$ ll
bash: ll: command not found
[chrootuser@rac /]$ ls
bin dev etc home lib usr
[chrootuser@rac /]$ ls -l
total 24
drwxr-xr-x 2 root root 4096 Apr 27 10:02 bin
drwxr-xr-x 2 root root 4096 Apr 27 10:02 dev
drwxr-xr-x 2 root root 4096 Apr 27 10:24 etc
drwxr-xr-x 3 root root 4096 Apr 27 10:12 home
drwxr-xr-x 2 root root 4096 Apr 27 10:02 lib
drwxr-xr-x 7 root root 4096 Apr 27 10:11 usr
[chrootuser@rac /]$ cd /
[chrootuser@rac /]$ df -h
bash: df: command not found
[chrootuser@rac /]$ fdisk -l
bash: fdisk: command not found
[chrootuser@rac /]$
##############################################
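# Fetch, build and install jailkit 2.16 under its own prefix.
# The original line read `wget -S wget http://...`; the stray second "wget"
# is a typo that makes wget also try to fetch a URL literally named "wget".
# NOTE(review): plain-http download with no signature/checksum step; verify the
# archive against the upstream-published checksum before building it as root.
wget -S http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.bz2
tar -jxvf jailkit-2.16.tar.bz2
# Stop here if the unpack failed, so make/make install do not run in the wrong directory.
cd jailkit-2.16 || exit 1
# Dedicated prefix keeps the jailkit binaries apart from the system ones.
./configure --prefix=/usr/local/chroot
make
make install
# /etc/passwd later points jailed users at /usr/sbin/jk_chrootsh, so expose the
# prefixed sbin tools there.
ln -s /usr/local/chroot/sbin/* /usr/sbin/
cd /usr/local/chroot/bin/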
初始化
# Populate the jail at /home/chroot (-j) with the listed jk_init.ini sections, verbosely (-v);
# the ssh/sftp/scp sections also pull in netbasics and uidbasics via includesections.
jk_init -v -j /home/chroot basicshell editors extendedshell netbasics ping netutils ssh sftp scp
添加账号
# Create the account on the host first; jk_jailuser (below) moves its home into the jail
# and rewrites its login shell to jk_chrootsh.
useradd chrootuser
passwd chrootuser
[root@promotion_db04 home]# grep chroot /etc/passwd
chrootuser:x:503:504::/home/chrootuser:/bin/bash
[root@promotion_db04 home]#
[root@promotion_db04 bin]# jk_jailuser -v -m -s /bin/bash -j /home/chroot chrootuser
adding user chrootuser to /home/chroot/etc/passwd with shell /bin/bash
adding group chrootuser to /home/chroot/etc/group
modify user chrootuser; dir /home/chroot/./home/chrootuser and shell /usr/sbin/jk_chrootsh
Create directory /home/chroot/home
Moving files from /home/chrootuser to /home/chroot/./home/chrootuser
Creating directory/home/chroot/./home/chrootuser
Copying /home/chrootuser/.bashrc to /home/chroot/./home/chrootuser/.bashrc
Copying /home/chrootuser/.bash_profile to /home/chroot/./home/chrootuser/.bash_profile
Copying /home/chrootuser/.bash_logout to /home/chroot/./home/chrootuser/.bash_logout
Creating directory/home/chroot/./home/chrootuser/.gnome2
Removing original home directory /home/chrootuser/.gnome2
Creating directory/home/chroot/./home/chrootuser/.mozilla
Creating directory/home/chroot/./home/chrootuser/.mozilla/extensions
Removing original home directory /home/chrootuser/.mozilla/extensions
Creating directory/home/chroot/./home/chrootuser/.mozilla/plugins
Removing original home directory /home/chrootuser/.mozilla/plugins
Removing original home directory /home/chrootuser/.mozilla
Removing original home directory /home/chrootuser
[root@promotion_db04 bin]#
[root@promotion_db04 bin]# grep chroot /etc/passwd
chrootuser:x:503:504::/home/chroot/./home/chrootuser:/usr/sbin/jk_chrootsh
[root@promotion_db04 bin]#
[root@promotion_db04 bin]# grep chroot /home/chroot/etc/passwd
chrootuser:x:503:504::user:/bin/bash
[root@promotion_db04 bin]#
模拟登录报错
[root@user_db03 ~]# ssh -p60777 [email protected]
[email protected]'s password:
Last login: Tue May 21 17:34:02 2013 from 10.10.10.44
Connection to 10.10.10.45 closed.
[root@user_db03 ~]#
May 21 17:34:57 promotion_db04 jk_chrootsh[6032]: now entering jail /home/chroot for user chrootuser (503) with arguments
May 21 17:34:57 promotion_db04 jk_chrootsh[6032]: abort, home directory /home/chrootuser differs from jail home directory user for user chrootuser (503), check /etc/passwd and /home/chroot/etc/pass
解决（后面测试发现，问题是由于用户名末尾包含了 user 这个单词，也许是 BUG）
[root@promotion_db04 bin]# cat /home/chroot/etc/passwd
root:x:0:0:root:/root:/bin/bash
#chrootuser:x:503:504::user:/bin/bash
chrootuser:x:503:504::/home/chrootuser:/bin/bash
[root@promotion_db04 bin]#
如果需要用 ps、netstat 命令查看进程信息、连接信息时
[usertest@promotion_db04 ~]$ ps -ef
Error, do this: mount -t proc none /proc
[usertest@promotion_db04 ~]$
cp /bin/netstat /home/chroot/bin/
[usertest@promotion_db04 ~]$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
netstat: no support for `AF INET (tcp)' on this system.
[usertest@promotion_db04 ~]$
解决（注意：bind 挂载整个 /proc 后，jail 内用户也能看到宿主机上所有进程的信息）
[root@promotion_db04 home]# mkdir -p /home/chroot//proc
[root@promotion_db04 home]# mount --bind /proc /home/chroot/proc
[root@promotion_db04 home]#
less 不能正常查看文件
[usertest@promotion_db04 ~]$ echo a >>a
[usertest@promotion_db04 ~]$ echo b >>a
[usertest@promotion_db04 ~]$ cat a
a
b
[usertest@promotion_db04 ~]$ grep a
^C
[usertest@promotion_db04 ~]$ grep a a
a
[usertest@promotion_db04 ~]$ head a
a
b
[usertest@promotion_db04 ~]$ tail a
a
b
[usertest@promotion_db04 ~]$ less a
WARNING: terminal is not fully functional
a (press RETURN)
b
[usertest@promotion_db04 ~]$
解决!!!
[usertest@promotion_db04 ~]$ export TERM=linux
[usertest@promotion_db04 ~]$
b
[usertest@promotion_db04 ~]$ less a
a
b
[usertest@promotion_db04 ~]$
永久解决办法：echo 'export TERM=linux' >>/home/chroot/etc/bashrc
如果需要访问指定目录也可以使用mount --bind方式解决
同时在 /home/chroot/etc/bashrc 中增加如下配置
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ll='ls -l --color=auto'