Poster: cycker (TryToDoEverythingOnLinux), Board: Linux
Subject: chroot login HOWTO
Posted at: 荔园晨风BBS站 (Sun May 18 19:50:41 2003), local post
Chroot login HOWTO
2001-08-29
Tony J. White <tjw@tjw.org>
Brian Rhodes <bgr@linespeed.net>
Introduction
This HOWTO details creating accounts on a *nix operating system that are
chroot'ed to their home directory. That is, once this user logs in, they
will not be able to access any part of the filesystem(s) other than what
lies in the account's home directory.
Warning: this document is pretty Linux-centric. I've never tried
doing this on a different operating system. Please let me know of
your success or failure in implementing something similar on other
operating systems and I will update the HOWTO accordingly.
Requirements
sudo
su
chroot
bash (other /bin/sh's have been reported to work)
Overview
When a login is attempted, this is the course of events:
login -> sudo(root) -> chroot $HOME su $USER
Essentially what this means is that when a login is attempted, the user
is authenticated in the normal way. After successful authentication, the
login process passes the user to what it assumes is a shell, but in fact
it will be passing the user to a series of programs that turn the user
into root, chroot them into their directory, then turn the user back into
himself again. Note that the chroot and the inner su both run as root,
so the sudoers rule (step 9) must permit exactly that command and the
chroot directory, its binaries and its libraries must stay owned by root
and unwritable by the user.
Step-By-Step Process
1. Make a faux shell, I call it /bin/chroot-shell. Here is the
shell script I use (the arguments after -c are re-joined with "$*" so that
a command line passed by sshd or scp keeps its spaces):
#!/bin/bash
# Faux login shell: re-enter this account inside its chroot.
# $USER is set by login/sshd; the sudoers rule only matches /home/$USER.
if [ "$1" = "-c" ]; then
    shift
    exec sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER" -c "$*"
else
    exec sudo /usr/sbin/chroot "/home/$USER" /bin/su - "$USER"
fi
If you do not have bash, you can use this sh compatible chroot-shell:
#!/bin/sh
[ "$1" = "-c" ] && a="$*"
sudo /usr/sbin/chroot /home/$USER /bin/su - $USER $a
(Thanks to Ben Okopnik for this more simplified and compatible
version of chroot-shell)
NOTE: this sh version passes the arguments unquoted, so it will not
work if you need to run commands with spaces in them on login (e.g. scp)
2. Add a user. Example:
useradd -d /tmp -s /bin/chroot-shell peon
This makes an entry in the /etc/passwd file like this:
peon:x:1004:1004::/tmp:/bin/chroot-shell
The home directory recorded here is never used: chroot-shell always
chroots into /home/$USER, and the home directory the user actually sees
comes from the passwd file inside the chroot (step 4). Make sure
/bin/chroot-shell is owned by root and executable (chmod 755), and list it
in /etc/shells if anything on the system (chsh, some ftp daemons)
consults that file.
You should also set the password for the new account at this time:
passwd peon
3. Create a home directory.
mkdir /home/peon
mkdir /home/peon/etc
mkdir /home/peon/dev
mkdir /home/peon/bin
mkdir /home/peon/lib
mkdir /home/peon/usr
mkdir /home/peon/usr/bin
mkdir /home/peon/home
chown peon:peon /home/peon/home
Only /home/peon/home is handed to the user. Leave /home/peon itself and
everything else under it owned by root and not writable by peon: su runs
as root inside the chroot, and a user who can replace /home/peon/bin/su
or a library in /home/peon/lib gets root inside the jail, from which a
chroot is trivially escaped.
4. Create a chroot passwd and group file. The uid and gid must be the
same numbers as in the real /etc/passwd and /etc/group, since file
ownership is stored by number.
/home/peon/etc/passwd
root:x:0:0::/:/bin/bash
peon:x:1004:1004::/home:/bin/bash
/home/peon/etc/group
root:x:0:
peon:x:1004:
5. Install bash.
cp /bin/bash /home/peon/bin/
Unless you have a statically linked version of bash
(which is doubtful), you'll have to copy the required libraries
to /home/peon/lib. To find out what libraries are required, use ldd:
ldd /bin/bash
The dynamic loader that ldd lists (e.g. /lib/ld-linux.so.2) must end up
at the same absolute path inside the chroot, because that path is
embedded in each binary.
6. Install su.
cp /bin/su /home/peon/bin/
Unless you have a statically linked version of su (which is
doubtful), you'll have to copy the required libraries to /home/peon/lib.
To find out what libraries are required, use ldd:
ldd /bin/su
NOTE: at least with Slackware, for some reason the library
/lib/libnss_compat.so.2 is not listed as a required lib for su, but
it IS needed!
NOTE: If your su binary uses PAM for an authentication
mechanism, you may have to build a new su binary. This is the case
for RedHat. You can download sh-utils from
ftp://alpha.gnu.org/pub/gnu/shellutils/ Thanks to Pablo Pasqualino for
pointing this out.
NOTE: On RedHat 7.x systems, not only do you have to build a
new su binary but you must copy /lib/libnss_files.so.2 and
/lib/libnsl.so.1 (as well as /lib/libnss_compat.so.2) to the
chroot /lib directory even though they don't show up in 'ldd
su'. Thanks to Arnstein Ressem and others for figuring this out.
7. Install fileutils (optional)
(cd /bin; cp ln ls rm mv cp du /home/peon/bin/)
The same goes for libs if you don't want to compile
fileutils statically, just use ldd <executable> to find out which
shared libs you need to copy to /home/peon/lib.
8. Install OpenSSH (optional)
cp /usr/bin/ssh /home/peon/usr/bin/
cp /usr/bin/scp /home/peon/usr/bin/
cp /usr/bin/env /home/peon/usr/bin/
The same goes for libs if you don't want to compile OpenSSH
statically, just use ldd <executable> to find out which shared libs you
need to copy to /home/peon/lib.
OpenSSH also needs a couple of devices to function properly. Make them
like this:
mknod -m 0666 /home/peon/dev/tty c 5 0
mknod -m 0644 /home/peon/dev/urandom c 1 9
9. Grant sudo access to the new account
If you are familiar with vi, I suggest just typing visudo.
If not, you'll have to find another way to edit /etc/sudoers.
Add a line like the following:
peon ALL= NOPASSWD: /usr/sbin/chroot /home/peon /bin/su - peon*
The trailing * is needed so that the "-c command" form from chroot-shell
also matches. sudo matches a wildcard against the whole remaining
argument string, so this rule lets peon run any -c argument (which is
the point) but nothing other than chroot into /home/peon followed by
su to peon. Do not widen the pattern beyond this.
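The whole procedure from step 3 onward as one script, added here as an example and not part of the original HOWTO. It departs from the HOWTO in one respect: instead of flattening every library into /home/peon/lib it copies each library to the same absolute path it has on the host, since the dynamic loader's path is embedded in each binary and must exist at exactly that path inside the chroot. The jail path, user name and uid/gid are script arguments (an assumption of this example), the root-only steps (useradd, chown, mknod) run only when executed as root, and the sudoers line is printed for you to add with visudo rather than written automatically; passwd and /bin/chroot-shell itself are left to steps 1 and 2.

```shell
#!/bin/sh
# Added example (not from the HOWTO): build the chroot jail of steps 3-9.
# Assumptions not in the page: jail path, user and uid/gid are arguments;
# libraries keep their host paths (the ELF interpreter path, e.g.
# /lib64/ld-linux-x86-64.so.2, is hardcoded in each binary).
set -u

# Print the shared-library paths from ldd(1) output read on stdin, one per
# line. Skips the vDSO pseudo-entry and "not found" lines; handles both the
# "name => /path (addr)" form and the bare "/path (addr)" loader form.
parse_ldd_output() {
    awk '
        /linux-vdso|linux-gate/    { next }
        /not found/                { next }
        $2 == "=>" && $3 ~ /^\//   { print $3; next }
        $1 ~ /^\//                 { print $1 }
    '
}

# Copy a binary plus every library ldd reports for it into the jail,
# preserving paths. A statically linked binary yields no library lines.
install_binary() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    ldd "$bin" 2>/dev/null | parse_ldd_output | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# Step 3: the directory tree. Everything except $jail/home stays root-owned
# and unwritable by the jailed user, because su runs as root in the chroot.
make_jail_dirs() {
    jail=$1
    for d in etc dev bin lib usr/bin home; do
        mkdir -p "$jail/$d"
    done
}

# Step 4: the jail's own passwd and group. uid/gid must equal the host's.
write_jail_accounts() {
    jail=$1; user=$2; uid=$3; gid=$4
    printf 'root:x:0:0::/:/bin/bash\n%s:x:%s:%s::/home:/bin/bash\n' \
        "$user" "$uid" "$gid" > "$jail/etc/passwd"
    printf 'root:x:0:\n%s:x:%s:\n' "$user" "$gid" > "$jail/etc/group"
}

# Step 9: the sudoers rule. The trailing * lets the "-c command" form match.
sudoers_rule() {
    user=$1; jail=$2
    printf '%s ALL= NOPASSWD: /usr/sbin/chroot %s /bin/su - %s*\n' \
        "$user" "$jail" "$user"
}

# The parts of steps 2, 3 and 8 that need root: host account, ownership of
# the user's inner home, device nodes. Set the password afterwards (step 2).
privileged_steps() {
    jail=$1; user=$2
    useradd -d /tmp -s /bin/chroot-shell "$user"
    chown "$user:$user" "$jail/home"
    mknod -m 0666 "$jail/dev/tty" c 5 0
    mknod -m 0644 "$jail/dev/urandom" c 1 9
}

# Usage (as root): sh build-jail.sh /home/peon peon 1004 1004
if [ $# -eq 4 ]; then
    make_jail_dirs "$1"
    write_jail_accounts "$1" "$2" "$3" "$4"
    for b in /bin/bash /bin/su /bin/ls /bin/cp /bin/rm /bin/mv /bin/ln /bin/du \
             /usr/bin/ssh /usr/bin/scp /usr/bin/env; do
        [ -x "$b" ] && install_binary "$1" "$b"
    done
    [ "$(id -u)" -eq 0 ] && privileged_steps "$1" "$2"
    echo "Now add this line with visudo:"
    sudoers_rule "$2" "$1"
fi
```

Run it once as root, then check the result with ldd inside the jail (chroot /home/peon /bin/ldd /bin/su) before handing the account out; the libnss_* libraries noted in step 6 still have to be copied by hand because ldd does not list them.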
--
Welcome to CYCKER'S LINUX_SOFT FTPD ftp://192.168.36.220
※ Source: ·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.36.220]