For work I needed to create two accounts on a Linux host: ssh and mysql.
After connecting to the jump host, each account must be able to run only a limited set of commands (the ssh user only ssh, the mysql user only mysql).
Chroot effect for the MySQL account:
Chroot effect for the SSH account:
Steps
Edit the system-auth-ac file and add:
vi /etc/pam.d/system-auth-ac
session required pam_chroot.so debug
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Edit the chroot configuration file and add one "user directory" pair per line:
vi /etc/security/chroot.conf
mysql /home/chroot-mysql
ssh /home/chroot-ssh
Edit the sshd PAM file and add:
vi /etc/pam.d/sshd
session required pam_chroot.so
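The following checker is an added example, not part of the original post and not part of pam_chroot. It validates the three edits above before anyone logs in through them: it parses chroot.conf (assumed here to hold one "user directory" pair per line with "#" comments, as in the entries shown), confirms each account exists, and confirms each jail root exists, is owned by root and is not group/world writable (a jail root the jailed user can write to lets that user replace files the jail itself trusts under etc/, lib/ or bin/). It also confirms that both PAM files carry an active session line for pam_chroot.so. GNU stat and getent are assumed.

```shell
#!/bin/sh
# Added example (not from the original post, not part of pam_chroot):
# sanity-check the PAM and chroot.conf edits before relying on them.
# Assumptions: chroot.conf holds one "user directory" pair per line with
# '#' comments; GNU stat and getent are available.

# Print "user dir" pairs from a chroot.conf-style file, ignoring comments and blanks.
parse_chroot_conf() {
    sed -e 's/#.*//' "$1" | awk 'NF == 2 { print $1, $2 }'
}

# Return 0 if a PAM service file has an active (uncommented) session line
# that loads pam_chroot.so.
pam_loads_chroot() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_chroot\.so' "$1"
}

# Return 0 if an octal mode string (e.g. 755 or 1777) has a group or world
# write bit set: the last two digits are the group and other permissions.
mode_writable_by_others() {
    go=${1#"${1%??}"}
    case $go in
        *[2367]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Check one chroot.conf entry; print each finding, return 1 if any.
check_entry() {
    user=$1; dir=$2; rc=0
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo "$user: no such account"; rc=1
    fi
    if [ ! -d "$dir" ]; then
        echo "$user: jail directory $dir does not exist"; return 1
    fi
    if [ "$(stat -c '%u' "$dir")" != "0" ]; then
        echo "$user: $dir is not owned by root"; rc=1
    fi
    if mode_writable_by_others "$(stat -c '%a' "$dir")"; then
        echo "$user: $dir is group/world writable"; rc=1
    fi
    return $rc
}

# Check every entry of a chroot.conf plus the two PAM files edited above.
# $1: chroot.conf path, $2/$3: PAM files (default to the paths in the steps).
check_all() {
    conf=$1; rc=0
    for pamfile in "${2:-/etc/pam.d/sshd}" "${3:-/etc/pam.d/system-auth-ac}"; do
        pam_loads_chroot "$pamfile" || { echo "$pamfile: no active pam_chroot.so session line"; rc=1; }
    done
    # here-document keeps the loop in the current shell so rc survives it
    while read -r user dir; do
        [ -n "$user" ] || continue
        check_entry "$user" "$dir" || rc=1
    done <<EOF
$(parse_chroot_conf "$conf")
EOF
    return $rc
}

# usage: sh check-chroot-conf.sh /etc/security/chroot.conf [sshd-pam] [system-auth-pam]
case $# in
    0) echo "usage: $0 chroot.conf [sshd-pam-file] [system-auth-pam-file]" ;;
    *) check_all "$@" ;;
esac
```

Run it as root after the three edits; a clean run prints nothing and exits 0, and each finding names the account or file it concerns.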
Adapt the script to your own environment, save it as chroot.sh, and run it with sh chroot.sh.
#!/bin/bash
#
# Author: Pravin Rane
#
# This script creates a chroot env. Change the CHROOT variable as per your requirement.
# Tested on RHEL5, CentOS5, Fedora5

CHROOT="/home/chroot"
echo "chroot is $CHROOT"

echo "Creating directory structure"
mkdir -p "$CHROOT"
cd "$CHROOT" || exit 1   # never build the tree somewhere else if the cd fails
mkdir -p home etc/security bin lib lib64 usr/bin usr/share/locale usr/lib/locale var/log proc dev/pts

# Device nodes the jailed shell needs (same major/minor numbers as the host)
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8
mknod -m 0444 dev/urandom c 1 9
mknod dev/tty c 5 0
chown root:tty dev/tty
chmod 666 dev/tty
mknod dev/ptmx c 5 2

# Copy basic files
echo "Copying config files"
cp -pr /etc/skel /etc/environment /etc/passwd /etc/group /etc/localtime "$CHROOT/etc/"
cp -p /etc/security/console.handlers /etc/security/pam_env.conf "$CHROOT/etc/security/"
cp -p /var/log/lastlog "$CHROOT/var/log/"
cp -pr /usr/share/locale/en /usr/share/locale/en_US /usr/share/locale/locale.alias "$CHROOT/usr/share/locale"
cp -pr /usr/share/locale/zh_CN /usr/share/locale/zh /usr/share/locale/zh_CN.GB2312 "$CHROOT/usr/share/locale"
cp -pr /usr/share/i18n "$CHROOT/usr/share"
cp -pr /usr/lib/locale/locale-archive "$CHROOT/usr/lib/locale"

#COMMANDS="/bin/bash /usr/bin/mysql /usr/bin/ssh"
# Add or remove commands as needed
COMMANDS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/mysql"

for prog in $COMMANDS; do
    cp -p "$prog" "./$prog"
    # obtain a list of related libraries: take every absolute path in the
    # ldd output, which also catches the dynamic loader line
    # (/lib64/ld-linux-x86-64.so.2) that "awk '{ print $3 }'" would skip
    if ldd "$prog" > /dev/null 2>&1; then
        LIBS=$(ldd "$prog" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')
        for l in $LIBS; do
            mkdir -p "./$(dirname "$l")" > /dev/null 2>&1
            cp -p "$l" "./$l"
        done
    fi
done

# For ssh "You don't exist, go away": NSS needs these to resolve the user
cp -pr /lib64/libnss_* "$CHROOT/lib64/"
if [ $? -eq 0 ]; then
    echo ".."
    echo "Chroot is successfully created at $CHROOT"
    echo "1. Mount proc and devpts now using following commands"
    echo "mount proc $CHROOT/proc -t proc"
    echo "mount devpts $CHROOT/dev/pts -t devpts -o gid=5,mode=620"
    echo ""
    echo "2. Do the changes in syslogd as mentioned in script and restart it."
    echo "Your syslogd's extra socket should be at $CHROOT/dev/log"
    echo ""
    echo "As root run the command 'chroot $CHROOT' to test your setup"
fi
If the command chroot /home/$CHROOT reports that some directory does not exist, the related library files still need to be copied.
Search for the missing libraries:
for i in `ldd /bin/bash`; do echo $i; done | grep -v = | grep -v 0x | grep / | xargs ls -l
Copy the missing library files into the corresponding lib directory of the chroot.
Example
Save as 1.sh and run it with sh 1.sh:
cp -av /lib64/ld-linux-x86-64.so.2 /home/chroot-mysql/lib64
cp -av /lib64/ld-2.12.so /home/chroot-mysql/lib64
cp -av /lib64/libc.so.6 /home/chroot-mysql/lib64
cp -av /lib64/libc-2.12.so /home/chroot-mysql/lib64
cp -av /lib64/libdl.so.2 /home/chroot-mysql/lib64
cp -av /lib64/libdl-2.12.so /home/chroot-mysql/lib64
cp -av /lib64/libtinfo.so.5 /home/chroot-mysql/lib64
cp -av /lib64/libtinfo.so.5.7 /home/chroot-mysql/lib64
Save as 2.sh and run it with sh 2.sh:
cp -av /lib64/ld-linux-x86-64.so.2 /home/chroot-ssh/lib64
cp -av /lib64/ld-2.12.so /home/chroot-ssh/lib64
cp -av /lib64/libc.so.6 /home/chroot-ssh/lib64
cp -av /lib64/libc-2.12.so /home/chroot-ssh/lib64
cp -av /lib64/libdl.so.2 /home/chroot-ssh/lib64
cp -av /lib64/libdl-2.12.so /home/chroot-ssh/lib64
cp -av /lib64/libtinfo.so.5 /home/chroot-ssh/lib64
cp -av /lib64/libtinfo.so.5.7 /home/chroot-ssh/lib64
After the script has run, mount proc and devpts inside the jail:
mount proc /home/chroot/proc -t proc
mount devpts /home/chroot/dev/pts -t devpts -o gid=5,mode=620
Under home inside the new chroot directory, create an empty directory named after the user (login reports an error without it):
cd /home/chroot-mysql/home
mkdir mysql
cd /home/chroot-ssh/home
mkdir ssh
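The verifier below is an added example; it is not part of the original post or of the chroot.sh script. It checks a finished jail against the steps above in one pass: the directory layout and device nodes the script creates, the proc and devpts mounts, the empty home/<user> directory, and, for the missing-library step, every program copied into bin/ and usr/bin/ is run through ldd on the host (the jail holds copies of the host's own binaries, so the host path is the same) and any library the jail lacks is reported, including the dynamic loader that the plain awk field-3 form overlooks. It assumes GNU ldd output and the layout produced by the script.

```shell
#!/bin/sh
# Added example (not from the original post or chroot.sh): verify one jail.
# Assumes the layout chroot.sh creates and GNU ldd output; run as root.

# Print every absolute path in ldd output read on stdin. This keeps the
# "/lib64/ld-linux-x86-64.so.2 (0x...)" loader line, which the
# "awk '{ print $3 }'" form in the script would drop.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Print libraries that the host binary $1 needs but the jail rooted at $2 lacks.
missing_libs() {
    ldd "$1" 2>/dev/null | ldd_paths | while read -r lib; do
        [ -e "$2$lib" ] || echo "$lib"
    done
}

# Directories and character devices that chroot.sh creates.
JAIL_DIRS="bin etc etc/security lib usr/bin usr/share/locale var/log proc dev/pts home"
JAIL_DEVS="null zero random urandom tty ptmx"

missing_dirs() {   # $1: jail root
    for d in $JAIL_DIRS; do [ -d "$1/$d" ] || echo "$d"; done
}

missing_devs() {   # $1: jail root
    for n in $JAIL_DEVS; do [ -c "$1/dev/$n" ] || echo "dev/$n"; done
}

# Full check for one jail ($1) and the account confined to it ($2).
# Prints one line per finding and returns 1 if there were any.
verify_jail() {
    root=$1; user=$2; rc=0
    for d in $(missing_dirs "$root"); do echo "missing directory: $d"; rc=1; done
    for n in $(missing_devs "$root"); do echo "missing device node: $n"; rc=1; done
    [ -d "$root/home/$user" ] || { echo "missing home/$user (login will fail)"; rc=1; }
    # proc and devpts must be mounted inside the jail (see the mount step)
    grep -qs " $root/proc " /proc/mounts || { echo "proc not mounted at $root/proc"; rc=1; }
    grep -qs " $root/dev/pts " /proc/mounts || { echo "devpts not mounted at $root/dev/pts"; rc=1; }
    # every program copied into the jail must have all of its libraries there
    for prog in "$root"/bin/* "$root"/usr/bin/*; do
        [ -f "$prog" ] || continue
        rel=${prog#"$root"}          # e.g. /bin/bash, the same path on the host
        for lib in $(missing_libs "$rel" "$root"); do
            echo "$rel needs $lib, which is not in the jail"; rc=1
        done
    done
    return $rc
}

# usage: sh verify-jail.sh /home/chroot-mysql mysql
case $# in
    2) verify_jail "$1" "$2" ;;
    *) echo "usage: $0 <jail-root> <user>" ;;
esac
```

A jail that passes prints nothing; each reported library can be copied with cp -av exactly as in 1.sh and 2.sh above.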
Add Chinese language support:
mkdir -p $CHROOT/usr/lib/locale/
cp -pr /usr/lib/locale/locale-archive $CHROOT/usr/lib/locale
Add the following to the .bash_profile under chroot-ssh (exported so that ssh and other child processes see it):
export LANG=zh_CN.UTF-8