Building a chroot Environment on CentOS

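Date: 2017/2/28 15:29:09   Editor: Linux教程
Overview: chroot stands for "change root" (change the root directory). Take the Apache service as an example: it is installed directly under the system root, so when you inspect its processes with ps, the paths shown are resolved starting from the system "root". To build a chroot environment you need a tool, jail.tar.gz. The idea behind a jail is that, to make a service more secure, you run it inside the jail; an attacker who compromises the service can then only act inside the jail and cannot break out of it to control anything else. This article is fairly long; the detailed steps follow.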

1 Install jail and build the jail environment

[root@rrd ~]# useradd -g users -d /var/chroot/ -s /usr/bin/jail prisoner
[root@rrd ~]# tail /etc/passwd
prisoner:x:501:100::/var/chroot/:/usr/bin/jail

[root@rrd ~]# wget http://www.jmcresearch.com/static/dwn/projects/jail/jail.tar.gz
[root@rrd ~]# tar zxf jail.tar.gz
[root@rrd ~]# cd jail/bin
[root@rrd bin]# ll
total 20
-rwxr-xr-x 1 1002 1002 4726 Apr 2 2004 addjailsw
-rwxr-xr-x 1 1002 1002 2578 Apr 2 2004 addjailuser
drwxr-xr-x 2 1002 1002 4096 Apr 2 2004 CVS
-rwxr-xr-x 1 1002 1002 2750 Apr 2 2004 mkjailenv
[root@rrd bin]# cd ..
[root@rrd jail]# cd src/
[root@rrd src]# ll
total 68
drwxr-xr-x 2 1002 1002 4096 Apr 2 2004 CVS
-rw-r--r-- 1 1002 1002 5893 Apr 2 2004 generic_helpers.c
-rw-r--r-- 1 1002 1002 1478 Apr 2 2004 generic_helpers.h
-rw-r--r-- 1 1002 1002 2111 Apr 2 2004 globals.h
-rw-r--r-- 1 1002 1002 1260 Apr 2 2004 helpers.h
-rw-r--r-- 1 1002 1002 13379 Apr 2 2004 jail.c
-rw-r--r-- 1 1002 1002 1913 Apr 2 2004 Makefile
-rw-r--r-- 1 1002 1002 3790 Apr 2 2004 passwd_helpers.c
-rw-r--r-- 1 1002 1002 1396 Apr 2 2004 passwd_helpers.h
-rwxr-xr-x 1 1002 1002 1669 Apr 2 2004 preinstall.sh
-rw-r--r-- 1 1002 1002 3386 Apr 2 2004 terminal_helpers.c
-rw-r--r-- 1 1002 1002 1304 Apr 2 2004 terminal_helpers.h
-rw-r--r-- 1 1002 1002 1770 Apr 2 2004 types.h

[root@rrd src]# vim Makefile
INSTALL_DIR = /tmp/jail    ## Find this line and change the path to /usr/local/jail, then save and exit (the location is a matter of personal preference)
[root@rrd src]# mkdir /usr/local/jail
[root@rrd src]# make
[root@rrd src]# make install

[root@rrd src]# /usr/local/jail/bin/mkjailenv /var/chroot
mkjailenv
A component of Jail (version 1.9 for linux)
http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <[email protected]>
Making chrooted environment into /var/chroot
Doing preinstall()
Doing special_devices()
Doing gen_template_password()
Doing postinstall()
Done.
[root@rrd src]# ll /var/chroot/    ## the directory now contains files
total 8
drwxr-xr-x 2 root root 4096 Aug 31 19:49 dev
drwxr-xr-x 2 root root 4096 Aug 31 19:49 etc

[root@rrd src]# /usr/local/jail/bin/addjailuser /var/chroot /home/prisoner /bin/bash prisoner
addjailuser
A component of Jail (version 1.9 for linux)
http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <[email protected]>
Adding user prisoner in chrooted environment /var/chroot
Done.
[root@rrd src]# ll /var/chroot/
total 12
drwxr-xr-x 2 root root 4096 Aug 31 19:49 dev
drwxr-xr-x 2 root root 4096 Aug 31 19:49 etc
drwxr-xr-x 3 root root 4096 Aug 31 19:51 home

[root@rrd src]# /usr/local/jail/bin/addjailsw /var/chroot/
[root@rrd src]# /usr/local/jail/bin/addjailsw /var/chroot/ -D
[root@rrd src]# /usr/local/jail/bin/addjailsw /var/chroot/ -P bash "--version"
addjailsw
A component of Jail (version 1.9 for linux)
http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <[email protected]>
Guessing mv args()
Guessing ls args()
Guessing ln args()
Guessing grep args()
Guessing cat args()
Guessing rmdir args()
Guessing vi args(-c q)
Guessing tail args()
Guessing sh args()
Guessing id args()
Guessing rm args()
Guessing head args()
Guessing cp args()
Guessing pwd args()
Guessing mkdir args()
Guessing touch args()
Guessing more args()
Warning: can't create /proc/mounts from the /proc filesystem
Warning: can't create /proc/filesystems from the /proc filesystem
Warning: not allowed to overwrite /var/chroot//etc/passwd
Warning: not allowed to overwrite /var/chroot//etc/group
Warning: can't create /proc/meminfo from the /proc filesystem
Done.
[root@rrd chroot]# ll
total 32
drwxr-xr-x 2 root root 4096 Aug 31 19:57 bin
drwxr-xr-x 2 root root 4096 Aug 31 19:56 dev
drwxr-xr-x 3 root root 4096 Aug 31 19:56 etc
drwxr-xr-x 3 root root 4096 Aug 31 19:51 home
drwxr-xr-x 2 root root 4096 Aug 31 19:56 lib64
drwsrwxrwx 2 root root 4096 Aug 31 19:57 tmp
drwxr-xr-x 6 root root 4096 Aug 31 19:56 usr
drwxr-xr-x 3 root root 4096 Aug 31 19:57 var

[root@rrd chroot]# mkdir /var/chroot/lib
[root@rrd chroot]# cp /lib/ld-linux.so.2 /var/chroot/lib/
[root@rrd chroot]# ll lib64/
total 2508
-rwxr-xr-x 1 root root 27920 Aug 31 19:56 libacl.so.1
-rwxr-xr-x 1 root root 17888 Aug 31 19:56 libattr.so.1
-rwxr-xr-x 1 root root 1717800 Aug 31 19:57 libc.so.6
-rwxr-xr-x 1 root root 23360 Aug 31 19:57 libdl.so.2
-rwxr-xr-x 1 root root 53880 Aug 31 19:56 libnss_files.so.2
-rwxr-xr-x 1 root root 117680 Aug 31 19:56 libpcre.so.0
-rwxr-xr-x 1 root root 145824 Aug 31 19:56 libpthread.so.0
-rwxr-xr-x 1 root root 53448 Aug 31 19:56 librt.so.1
-rwxr-xr-x 1 root root 95464 Aug 31 19:56 libselinux.so.1
-rwxr-xr-x 1 root root 247496 Aug 31 19:56 libsepol.so.1
-rwxr-xr-x 1 root root 15584 Aug 31 19:57 libtermcap.so.2
[root@rrd chroot]# cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64/
[root@rrd chroot]# mkdir /var/chroot/etc/bash
[root@rrd chroot]# cp /etc/bashrc /var/chroot/etc/bash/
[root@rrd chroot]# cp /etc/profile /var/chroot/etc/
[root@rrd chroot]# cp /etc/DIR_COLORS /var/chroot/etc/

[root@rrd chroot]# /usr/local/jail/bin/addjailsw /var/chroot/ -P whoami
addjailsw
A component of Jail (version 1.9 for linux)
http://www.jmcresearch.com/projects/jail/
Juan M. Casillas <[email protected]>
Guessing whoami args(0)
Warning: file /var/chroot//lib64/libc.so.6 exists. Overwritting it
Warning: file /var/chroot//etc/ld.so.cache exists. Overwritting it
Warning: file /var/chroot//usr/lib/locale/locale-archive exists. Overwritting it
Warning: file /var/chroot//usr/share/locale/locale.alias exists. Overwritting it
Done.

If IP addresses are reachable from inside the chroot environment but domain names do not resolve ("Name or service not known"):

[root@rrd chroot]# cp -a /lib/libnss_dns* /lib/libresolv* /var/chroot/lib/

On 64-bit systems:

[root@rrd chroot]# cp -a /lib64/libnss_dns* /lib64/libresolv* /var/chroot/lib64/

[root@rrd chroot]# ll
total 36
drwxr-xr-x 2 root root 4096 Aug 31 19:57 bin
drwxr-xr-x 2 root root 4096 Aug 31 19:56 dev
drwxr-xr-x 4 root root 4096 Aug 31 20:06 etc
drwxr-xr-x 3 root root 4096 Aug 31 19:51 home
drwxr-xr-x 2 root root 4096 Aug 31 20:26 lib
drwxr-xr-x 2 root root 4096 Aug 31 20:27 lib64
drwsrwxrwx 2 root root 4096 Aug 31 20:07 tmp
drwxr-xr-x 6 root root 4096 Aug 31 19:56 usr
drwxr-xr-x 3 root root 4096 Aug 31 20:07 var
[root@rrd chroot]# ll dev/
total 0
crw-rw-rw- 1 root root 1, 3 Aug 31 19:49 null
crw-rw-rw- 1 root tty 5, 0 Aug 31 19:56 tty
cr--r--r-- 1 root root 1, 9 Aug 31 19:49 urandom
crw-rw-rw- 1 root root 1, 5 Aug 31 19:49 zero

[root@rrd chroot]# mount -o bind /dev/ /var/chroot/dev/
[root@rrd chroot]# ll dev/    ## lists a large number of files, so the output is not pasted here
[root@rrd chroot]# mount -t devpts none /var/chroot/dev/pts
[root@rrd chroot]# mkdir /var/chroot/proc
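
Added example (not part of the original tutorial or of the Jail project): a permission audit for a jail tree such as /var/chroot. The listings above show tmp as drwsrwxrwx (set-uid bit set, sticky bit missing), and the bind mount of /dev/ places the host's device nodes inside the jail; the script reports both conditions. The function names and the sample tree are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example (not from the original page): audit a jail tree for risky permissions.

# World-writable directories that lack the sticky bit.
jail_ww_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Anything carrying a set-uid or set-gid bit.
jail_suid_sgid() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Block devices under the jail's dev/ (present after "mount -o bind /dev/ ...").
jail_block_devices() {
    find "$1/dev" -type b 2>/dev/null | sort
}

# Print "LABEL path" for every finding; exit status 1 if there is any finding.
audit_jail() {
    local out
    out=$(
        jail_ww_no_sticky "$1"  | sed 's/^/WW-NO-STICKY /'
        jail_suid_sgid "$1"     | sed 's/^/SUID-SGID /'
        jail_block_devices "$1" | sed 's/^/BLOCK-DEV /'
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree (hypothetical, stands in for /var/chroot).
# tmp gets mode 4777, i.e. the "drwsrwxrwx" shown in the listings above.
build_sample_jail() {
    local j
    j=$(mktemp -d) || return 1
    ( umask 022; mkdir -p "$j/bin" "$j/dev" "$j/etc" "$j/home/prisoner" "$j/tmp" )
    chmod 4777 "$j/tmp"
    echo "$j"
}

# Usual /tmp mode (1777): world-writable, sticky bit set, no set-uid/set-gid.
fix_tmp() { chmod a=rwx,ug-s,+t "$1/tmp"; }

SAMPLE=$(build_sample_jail)
audit_jail "$SAMPLE" || echo "-> findings above, applying fix_tmp"
fix_tmp "$SAMPLE"
if audit_jail "$SAMPLE"; then echo "-> clean after fix_tmp"; fi
rm -rf "$SAMPLE"
```

On the real jail, run audit_jail /var/chroot as root; the first two checks use -xdev, so they do not descend into the bind-mounted dev/, which is covered only by the block-device check.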