Автор Тема: user в chroot jail  (Прочетена 960 пъти)

Pulear

  • Напреднали
  • *****
  • Публикации: 72
    • Профил
user в chroot jail
« -: Feb 27, 2006, 21:22 »
здравейте.
Проблема е следния искам да сложа личния си потребител,просто за да знам как става, в chroot jail.
Целта ми е потребителя да може да си ползва основните програми които са му нужни, но да не може да напуска home директорията си за целта ползвам ето този скрипт.
Примерен код

#!/bin/sh
#
# (c) Copyright by Wolfgang Fuschlberger
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#    ( http://www.fsf.org/licenses/gpl.txt )

# first Release: 2004-07-30
# latest update: 2006-02-19
#
# The latest version of the script is available at
#   http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/
#
# Feedback is welcome!
#
# Thanks for Bugfixes / Enhancements to
# Michael Prokop <http://www.michael-prokop.at/chroot/>,
# Randy K., Randy D. and Jonathan Hunter.

#
# Features:
# - enable scp and sftp in the chroot-jail
# - use one directory (default /home/jail/) as chroot for all users
################################################################################

# Specify the apps you want to copy to the jail
APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd /usr/libexec/openssh/sftp-server "

# Check if we are called with username or update
if [ -z "$1" ]; then
  echo
  echo "Error: Parameter missing"
  echo
  echo "Creating new chrooted account:"
  echo "Usage: $0 username"
  echo
  echo "or specify \$SHELL and path where the jail should be located:"
  echo "Usage: $0 username [/path/to/chroot-shell [/path/to/jail]]"
  echo "Default shell       = /bin/chroot-shell"
  echo "Default chroot-path = /home/jail"
  echo
  echo "Updating files in the chroot-jail:"
  echo "Usage: $0 update [/path/to/chroot-shell [/path/to/jail]]"
  echo
  echo "To uninstall: # userdel \$USER"
  echo "              # rm -rf /home/jail"
  echo "              # rm -f /bin/chroot-shell"
  echo "              delete the User's line from /etc/sudoers"
  exit
fi

# Check existence of necessary files
echo -n "Checking for chroot... "
if [ `which chroot` ];
  then echo "OK";
  else echo "failed
Please install chroot-package/binary!
"
exit 1
fi

echo -n "Checking for sudo..... "
if [ `which sudo` ];
  then echo "OK";
  else echo "failed
Please install sudo-package/binary!
"
exit 1
fi

# Get accountname to create
CHROOT_USERNAME=$1

if ! [ -z "$2" ]; then
  SHELL=$2
else
  SHELL=/bin/chroot-shell
fi

if ! [ -z "$3" ]; then
  JAILPATH=$3
else
  JAILPATH=/home/jail
fi

# Exit if user already exists
id $CHROOT_USERNAME > /dev/null 2>&1 && { echo "User exists."; echo "Exiting."; exit 1; }

# Create $SHELL (shell for jailed accounts)
echo "Creating $SHELL"
echo '#!/bin/sh' > $SHELL
echo "`which sudo` `which chroot` $JAILPATH /bin/su - \$USER" \"\$@\" >> $SHELL
chmod 755 $SHELL

# make common jail for everybody if inexistent
if [ ! -d $JAILPATH ]; then
  mkdir -p $JAILPATH
  echo "Creating $JAILPATH"
fi
cd $JAILPATH

# Create directories in jail that do not exist yet
JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin"
for directory in $JAILDIRS; do
  if [ ! -d "$JAILPATH/$directory" ]; then
    mkdir $JAILPATH/"$directory"
    echo "Creating $JAILPATH/$directory"
  fi
done
echo

# Comment in the following lines if your apache can't read the directories and
# uses the security contexts
# Fix security contexts so Apache can read files
#CHCON=$(`which chcon`)
#if [ -n "$CHCON" ] && [ -x $CHCON ]; then
#    $CHCON -t home_root_t $JAILPATH/home
#    $CHCON -t user_home_dir_t $JAILPATH/home/$CHROOT_USERNAME
#fi

# Creating necessary devices
[ -r $JAILPATH/dev/urandom ] || mknod $JAILPATH/dev/urandom c 1 9
[ -r $JAILPATH/dev/null ]    || mknod $JAILPATH/dev/null    c 1 3
[ -r $JAILPATH/dev/zero ]    || mknod $JAILPATH/dev/zero    c 1 5
[ -r $JAILPATH/dev/tty ]     || mknod $JAILPATH/dev/tty     c 5 0 && chmod 666 $JAILPATH/dev/tty

# if we only want to update the files in the jail
# skip the creation of the new account
if [ "$1" != "update" ]; then

# Modifiy /etc/sudoers to enable chroot-ing for users
# must be removed by hand if account is deleted
echo "Modifying /etc/sudoers"
echo "$CHROOT_USERNAME       ALL=NOPASSWD: `which chroot`, /bin/su - $CHROOT_USERNAME" >> /etc/sudoers

# Define HomeDir for simple referencing
HOMEDIR="$JAILPATH/home/$CHROOT_USERNAME"

# Create new account, setting $SHELL to the above created script and
# $HOME to $JAILPATH/home/*
echo "Adding User \"$CHROOT_USERNAME\" to system"
useradd -m -d "$HOMEDIR" -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR"
# Enter password for new account
passwd $CHROOT_USERNAME
echo

# Create /usr/bin/groups in the jail
echo "#!/bin/bash" > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
chmod 755 usr/bin/groups

# Add users to etc/passwd
#
# check if file exists (ie we are not called for the first time)
# if yes skip root's entry and do not overwrite the file
if [ ! -f etc/passwd ]; then
 grep /etc/passwd -e "^root" > etc/passwd
fi
if [ ! -f etc/group ]; then
 grep /etc/group -e "^root" > etc/group
# add the group for all users to etc/group (otherwise there is a nasty error
# message and probably because of that changing directories doesn't work with
# winSCP)
 grep /etc/group -e "^users" > etc/group
fi

# grep the username which was given to us from /etc/passwd and add it
# to ./etc/passwd replacing the $HOME with the directory as it will then
# appear in the jail
echo "Adding User $CHROOT_USERNAME to jail"
grep -e "^$CHROOT_USERNAME:" /etc/passwd | \
 sed -e "s#$JAILPATH##"      \
     -e "s#$SHELL#/bin/bash#"  >> etc/passwd

# if the system uses one account/one group we write the
# account's group to etc/group
grep -e "^$CHROOT_USERNAME:" /etc/group >> etc/group

# write the user's line from /etc/shadow to /home/jail/etc/shadow
grep -e "^$CHROOT_USERNAME:" /etc/shadow >> etc/shadow

# endif for =! update
fi

# Copy the apps and the related libs
echo "Copying necessary library-files to jail (may take some time)"

# The original code worked fine on RedHat 7.3, but did not on FC3.
# On FC3, when the 'ldd' is done, there is a 'linux-gate.so.1' that
# points to nothing (or a 90xb.....), and it also does not pick up
# some files that start with a '/'. To fix this, I am doing the ldd
# to a file called ldlist, then going back into the file and pulling
# out the libs that start with '/'
#
# Randy K.
#
if [ -x /root/ldlist ]; then
   mv /root/ldlist /root/ldlist.bak
fi

for app in $APPS;  do

    # First of all, check that this application exists
    if [ -x $app ]; then
        # Check that the directory exists; create it if not.
        app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'`
        if ! [ -d .$app_path ]; then
            mkdir -p .$app_path
        fi

        cp -p $app .$app

        # get list of necessary libraries
        ldd $app >> /root/ldlist
    fi
done

# Clear out any old temporary file before we start
if [ -e /root/ldlist2 ]; then
    rm /root/ldlist2
fi
for libs in `cat /root/ldlist`; do
   frst_char="`echo $libs | cut -c1`"
   if [ "$frst_char" = "/" ]; then
     echo "$libs" >> /root/ldlist2
   fi
done
for lib in `cat /root/ldlist2`; do
            mkdir -p .`dirname $lib` > /dev/null 2>&1
            cp $lib .$lib
done

#
# Now, cleanup the 2 files we created for the library list
#
/bin/rm -f /root/ldlist
/bin/rm -f /root/ldlist2

# Necessary files that are not listed by ldd
cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 ./lib/

# if you are using PAM you need stuff from /etc/pam.d/ in the jail,
echo "Copying files from /etc/pam.d/ to jail"
cp /etc/pam.d/* ./etc/pam.d/

# ...and of course the PAM-modules...
echo "Copying PAM-Modules to jail"
cp -r /lib/security ./lib/

# ...and something else useful for PAM
#echo "Copying /etc/security to jail"
cp -r /etc/security ./etc/
cp /etc/login.defs ./etc/


Но както може би се досещата имам  проблем.
След като испълня скрипта ./make_chroot_jail.sh potrebitel /bin/bash /home/jail/potrebitel
всичко би трябвало да е наред но след това с тоя user мога да си се разхождам на всякъде което не би трябвало да става.
Ще се радвам ако някой помогне.
Дистрибуция Дебиан
Поздрави.
Активен

Shift to the left!
Shift to the right!
Pop up,Push down,
BYTE,BYTE,BYTE.

Agent_SMITH

  • Administrator
  • Напреднали
  • *****
  • Публикации: 3082
  • matrix kernel module
    • Профил
user в chroot jail
« Отговор #1 -: Feb 28, 2006, 09:40 »
Местя темата в секция за напреднали. Струва ми се тук ще получиш повече отговори '<img'>
Активен

-= СПАЗВАЙТЕ ПРАВИЛАТА НА ФОРУМА =-