웹마스터 팁
Chroot 로 루트디렉토리 접근 금지,,
2007.08.18 15:48
서버를 셋팅하고 계정을 추가하고, SSH 엡속하니
이게 웬일, /까지 모두 이동 가능하다,, 물론 수정은 할 수 없으나,
cat 을 이용하여 내용까지 확인 가능하다,
퍼미션으로 막아보려 했으나,, 경로만 알면 다 소용없는짓,,
그러다보니 CHROOT 를 알게 되었는데, 한국에 돌아다니는 CHROOT는
계속해서 /bin/bash 파일이 없다면서,,제대로 적용이 되질 않더군요,,
안되는 영어 막 끌어내서,,찾아보고 설치해보니,,드디어 성공했답니다.
잡소리가 너무 길었군요,,
|
# /etc/rc.d/init.d/sshd stop |
|
# rpm -e --nodeps openssh-server openssh-clients openssh |
Sulinux 에 설치된 ssh 패키지를 모두 삭제 합니다.
이러한 이유때문에 모든 작업은 원격으로 설정하시면 ㅠ 안됨,
|
# tar jxvf openssh*
# vi openssh-4.5p1-chroot/contrib/redhat/openssh.spec |
%define no_x11_askpass 0 -> %define no_x11_askpass 1
%define no_gnome_askpass 0 -> %define no_gnome_askpass 1
위와같이 변경합니다.
|
# rm -rf openssh-4.5p1-chroot/contrib/aix/
# rm -rf openssh-4.5p1-chroot/contrib/hpux/
# rm -rf openssh-4.5p1-chroot/contrib/caldera/
# rm -rf openssh-4.5p1-chroot/contrib/suse/
# rm -rf openssh-4.5p1-chroot/contrib/cygwin/
# rm -rf openssh-4.5p1-chroot/contrib/solaris/
# mv openssh-4.5p1-chroot openssh-4.5p1
# tar czvf openssh-4.5p1.tar.gz openssh-4.5p1/
# rm -rf openssh-4.5p1
# yum -y install openssl-devel
# rpmbuild -tb --clean openssh-4.5p1.tar.gz |
설치 시 Zlib 버전때문에 오류가 뜰경우,,,
zlib 최신 버전을 설치하시고 rpmbuild 하세요^^.
|
# rpm -Uvh /usr/src/redhat/RPMS/i386/openssh-4.5p1-1.i386.rpm
# rpm -Uvh /usr/src/redhat/RPMS/i386/openssh-server-.i386.rpm
# rpm -Uvh /usr/src/redhat/RPMS/i386/openssh-clients-386.rpm
# rm -f openssh-4.5p1.tar.gz
# rm -f openssh-4.5p1-chroot-tar.bz2 |
|
# vi /etc/yum.conf |
exclude=openssh 를 추가해주세요,
|
# vi /etc/rc.d/init.d/sshd |
initlog -c "$SSHD $OPTION" && success || failure
-> $SSHD $OPTION && success || failure
로 수정해주세요,,
|
# vi /usr/sbin/chroot-useradd |
|
#!/bin/bash
# # Usage: ./chroot-useradd username [shell] # # Here specify the apps you want into the enviroment
CMD="bash ls touch mkdir tar gzip cp mv rm pwd chmod cat vi id rsync ssh scp ping ssh-keygen perl" APPS=`which $CMD` # Sanity check
if [ "$1" = "" ] ; then echo " Usage: ./chroot-useradd username [shell]" exit 1 fi # Obtain username and HomeDir
CHROOT_USERNAME=$1 if [ "$2" = "" ] ; then useradd $CHROOT_USERNAME else useradd -s $2 $CHROOT_USERNAME fi [ $? -ne 0 ] && exit 1 usermod -d /home/$CHROOT_USERNAME/./ $CHROOT_USERNAME passwd $CHROOT_USERNAME chown $CHROOT_USERNAME /home/$CHROOT_USERNAME chgrp $CHROOT_USERNAME /home/$CHROOT_USERNAME rm -f /home/$CHROOT_USERNAME/.* > /dev/null 2>&1 HOMEDIR=`grep /etc/passwd -e "^$CHROOT_USERNAME" | cut -d':' -f 6` cd $HOMEDIR # Create Directories no one will do it for you
mkdir -pv $HOMEDIRetc mkdir -pv $HOMEDIRbin mkdir -pv $HOMEDIRusr/bin mkdir -pv $HOMEDIRusr/libexec/openssh mkdir -pv $HOMEDIRusr/local/bin mkdir -pv $HOMEDIRdev mkdir -pv $HOMEDIRlib # Make /dev/null or sftp won't work mknod $HOMEDIRdev/null c 1 3 -m 666 # Create short version to /usr/bin/groups
# On some system it requires /bin/sh, which is generally unnessesary in a chroot cage echo "#!/bin/bash" > $HOMEDIRusr/bin/groups echo "id -Gn" >> $HOMEDIRusr/bin/groups chmod 755 $HOMEDIRusr/bin/groups # Add some users to ./etc/paswd
grep /etc/passwd -e "^root" -e "^$CHROOT_USERNAME" > $HOMEDIRetc/passwd grep /etc/group -e "^root" -e "^$CHROOT_USERNAME" > $HOMEDIRetc/group # Copy the apps and the related libs
for prog in $APPS; do cp $prog $HOMEDIR.$prog # obtain a list of related libraryes ldd $prog > /dev/null if [ "$?" = 0 ] ; then LIBS=`ldd $prog | awk '{ print $3 }'` for l in $LIBS; do mkdir -pv $HOMEDIR.`dirname $l` cp $l $HOMEDIR.$l # mkdir -p $HOMEDIR`dirname $l` > /dev/null 2>&1 # cp $l $HOMEDIR$l > /dev/null 2>&1 done fi done # From some strange reason these libraries are not in the ldd output, but without them
# some stuff will not work, like usr/bin/groups cp /lib/libnss_compat.so.2 $HOMEDIRlib/ cp /lib/libnsl.so.1 $HOMEDIRlib/ cp /lib/libnss_files.so.2 $HOMEDIRlib/ cp /lib/ld-linux.so.2 $HOMEDIRlib/ cp /lib/libc.so.6 $HOMEDIRlib/ cp /lib/libm.so.6 $HOMEDIRlib/ cp /lib/libpthread.so.0 $HOMEDIRlib/ cp /lib/librt.so.1 $HOMEDIRlib/ cp /lib/libthread_db.so.1 $HOMEDIRlib/ cp /etc/termcap $HOMEDIRetc/ cp /usr/libexec/openssh/sftp-server $HOMEDIRusr/libexec/openssh exit 0 |
저장하시고
|
# chmod 700 /usr/sbin/chroot-useradd |
|
# chroot-useradd 유저아이디 |
이제 유저가 생성이 되고, SSH 접속해서
pwd 하시면 전에는 /home/아이디 였지만 / 로 바뀌신걸 확인 하 실 수 있을 겁니다.
136