pam_chroot
[root@node1 ~]# cat /etc/issueRed Hat Enterprise Linux Serverrelease 5.8 (Tikanga)
Kernel \r on an \m
建立测试用户
[root@node1 ~]# useradd test
[root@node1 ~]# mkdir /chroot
[root@node1 ~]# export _DIR=/chroot
[root@node1 ~]# export _USER=test
创建必要的设备文件
[root@node1 ~]# mkdir -pv$_DIR/{etc,bin,dev/pts,lib,home/$_USER,proc}
[root@node1 ~]# mknod -m 644$_DIR/dev/tty1 c 4 1
[root@node1 ~]# mknod -m 644$_DIR/dev/tty2 c 4 2
[root@node1 ~]# mknod -m 644 $_DIR/dev/tty3 c 4 3
[root@node1 ~]# mknod -m 644$_DIR/dev/tty4 c 4 4
[root@node1 ~]# mknod -m 644$_DIR/dev/tty5 c 4 5
[root@node1 ~]# mknod -m 644$_DIR/dev/tty6 c 4 6
[root@node1 ~]# mknod -m 444$_DIR/dev/urandom c 1 9
[root@node1 ~]# mknod -m 666$_DIR/dev/zero c 1 5
[root@node1 ~]# mknod -m 666$_DIR/dev/null c 1 3
[root@node1 ~]# mknod -m 666$_DIR/dev/ptmx c 5 2
[root@node1 ~]# vim /etc/fstab
devpts /chroot/dev/pts
devpts
gid=5,mode=620 0 0
proc /chroot/proc proc defaults 0 0
[root@node1 ~]# cp /bin/bash/bin/false /bin/pwd /usr/sbin/sshd /bin/true $_DIR/bin/
可以用 ldd 命令查看每个可执行文件需要的 lib
[root@node1 lib]# ls $_DIR/lib
ld-linux.so.2 libfipscheck.so.1 libnspr4.so
libaudit.so.0 libgssapi_krb5.so.2 libnss3.so
libcom_err.so.2 libk5crypto.so.3 libnssutil3.so
libcrypto.so.6 libkeyutils.so.1 libpam.so.0
libcrypt.so.1 libkrb5.so.3 libplc4.so
libc.so.6 libkrb5support.so.0 libplds4.so
libdl.so.2 libnsl.so.1 libpthread.so.0
配置文件
libresolv.so.2
libselinux.so.1
libsepol.so.1
libtermcap.so.2
libutil.so.1
libwrap.so.0
libz.so.1
[root@node1 ~]# echo "$_USER
[root@node1 ~]# echo "session
[root@node1 ~]# echo "session
$_DIR">>/etc/security/chroot.conf
required pam_chroot.so" >>/etc/pam.d/sshd
required pam_chroot.so">>/etc/pam.d/login
[root@node1 ~]# grep"root:\|$_USER" /etc/passwd > $_DIR/etc/passwd
[root@node1 ~]# grep"root:\|$_USER" /etc/group > $_DIR/etc/group
[root@node1 ~]# chown -R root:root$_DIR
[root@node1 ~]# chown -R$_USER:$_USER $_DIR/home/$_USER
重新启动服务
[root@node1 ~]# service sshd restart
客户端测试
[root@Server250 ~]# sshtest@192.168.122.10
test@192.168.122.10's password:
-bash-3.2$ ls
-bash: ls: command not found
服务器查看 sshd 进程
[root@node1 ~]# ps -ef | grep sshd
root 10131 1 0 12:06 ?
root 10249 10131 0 12:21 ?
root 10287 10131 0 12:24 ?
test 10291 10287 0 12:24 ?
root 10296 10253 0 12:24 pts/0
00:00:00 /usr/sbin/sshd
00:00:00 sshd: root@pts/0
00:00:00 sshd: test [priv]
00:00:00 sshd: test@pts/1
00:00:00 grep sshd
[root@node1 ~]# ls -l/proc/10291/root
lrwxrwxrwx 1 root root 0 11-05 12:24/proc/10291/root -> /chroot
cp /bin/uname /chroot/bin/
cp /usr/bin/dirname /chroot/bin/
cp /bin/touch /chroot/bin/
cp /lib/tls/librt.so.1 /chroot/lib/tls
cp /usr/bin/tty /chroot/bin/
补充:综合编程 , 其他综合 ,
