
Building a custom minimal filesystem in a chroot environment

QQ group: 397745473


Setting up the directory tree

Run the following as the root user:

Reference article: https://blog.51cto.com/u_4585258/1285734
Create a directory whose layout mirrors the real / directory.

1. # Create the user
USERNAME="ppp"
PASSWORD="4tzQ3VPnfLAr2aCjngUm"
useradd -s /bin/bash -d /home/$USERNAME -m $USERNAME
echo "${USERNAME}:${PASSWORD}" | chpasswd


2. Place the chroot directory under /chroot
mkdir -p /chroot/etc
cp -vf /etc/{passwd,group} /chroot/etc/

mkdir -p /chroot/{etc,dev,proc,lib,bin,home,usr,lib64}
mkdir -p /chroot/usr/{bin,lib,libexec}
mkdir -p /chroot/home/ppp

3. Copy the /etc/passwd file
cp -a /etc/passwd /chroot/etc/passwd
Then delete the users that are not needed from the copy.

4. Copy the commands you need, for example:
chrootPath="/chroot"
commandList="bash ls ps du echo date ping ifconfig curl id grep uname sh"
for command in $commandList; do
    src="$(which "$command")" || { echo "skipping $command: not found" >&2; continue; }
    # copy the binary itself (dereferencing symlinks such as sh -> dash) to the same path under the chroot
    mkdir -p "$chrootPath$(dirname "$src")"
    cp -L "$src" "$chrootPath$(dirname "$src")/"
    # copy every shared library ldd reports, keeping its path; grep -o also catches the bare
    # ld.so loader line and libraries whose names do not end in a digit, which the old regex missed
    for lib in $(ldd "$src" | grep -o '/[^ ]*'); do
        cp -v -L --parents "$lib" "$chrootPath/"
    done
done
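The loop above copies whatever ldd reports but gives no feedback when a library is missing or a binary was skipped. The following is an added example, not code from the original post, that splits the same idea into three small shell functions: one parses ldd output into library paths, one lists which of those paths are still absent under a chroot root, and one installs a binary together with its libraries. The function names and the chroot-root argument are my own choices, and the ldd output shown in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Source this file, then e.g.:
#   install_with_deps /chroot /bin/bash
#   ldd /bin/bash | missing_deps /chroot && echo "bash is complete"

# Print every absolute path mentioned by ldd output on stdin, one per line.
# Handles both the "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
# form and the bare loader line "/lib64/ld-linux-x86-64.so.2 (0x...)".
# linux-vdso.so.1 has no path and therefore drops out naturally.
ldd_paths() {
    grep -o '/[^ ]*' | sort -u
}

# Usage: missing_deps CHROOT_ROOT < ldd-output
# Prints the library paths that do not yet exist under CHROOT_ROOT.
# Returns 0 when nothing is missing, 1 otherwise.
missing_deps() {
    root="${1%/}"
    status=0
    for p in $(ldd_paths); do
        if [ ! -e "$root$p" ]; then
            echo "$p"
            status=1
        fi
    done
    return $status
}

# Usage: install_with_deps CHROOT_ROOT BINARY
# Copies BINARY (dereferencing symlinks) and every library ldd reports for
# it into the same path under CHROOT_ROOT, creating directories as needed.
install_with_deps() {
    root="${1%/}"
    bin="$2"
    mkdir -p "$root$(dirname "$bin")"
    cp -L "$bin" "$root$(dirname "$bin")/"
    for lib in $(ldd "$bin" | ldd_paths); do
        mkdir -p "$root$(dirname "$lib")"
        cp -L "$lib" "$root$(dirname "$lib")/"
    done
}
```

Keeping the library path exactly as ldd prints it matters: the interpreter path (the ld.so line) is hard-coded into every dynamic binary, so resolving it through readlink -f and copying the target under a different directory leaves a binary that cannot start inside the chroot.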


Copy the user's files:
cp -a /home/$USERNAME/* /chroot/home/$USERNAME
Do a quick test to see whether the chroot command can use this directory as its / environment:
chroot /chroot
If no error appears, bash should start normally and show its prompt.

SSH setup

There may be some problems in this part; other references should be consulted.

grep UsePAM /etc/ssh/sshd_config
Make sure it reads
UsePAM yes
(the default is yes).


3. Add the chroot module to PAM authentication
apt-get install libpam-chroot
root@C:/etc/security# sudo updatedb
root@C:/etc/security# locate pam_chroot.so
/usr/lib/x86_64-linux-gnu/pam_chroot.so

cp /usr/lib/x86_64-linux-gnu/pam_chroot.so /lib/security/

When pam_chroot.so runs it reads a configuration file to decide whether the session is placed in a chroot. The module must also be enabled as a session entry in the sshd PAM stack under /etc/pam.d; without that, the configuration file is never consulted.
/etc/security/chroot.conf
[root@localhost security]# cat chroot.conf

# /etc/security/chroot.conf
# format:
# username_regex        chroot_dir
#matthew                /home

Add the following line:

ppp                     /chroot


4. Debugging the ssh service

Test:
ssh ppp@192.168.13.136

The login fails; check the /var/log/secure log:

Aug 19 07:08:52 localhost sshd[9993]: pam_env(sshd:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory

Aug 19 07:08:52 localhost sshd[9978]: error: openpty: No such file or directory

Aug 19 07:08:52 localhost sshd[9993]: error: session_pty_req: session 0 alloc failed

The PAM security directory does not exist inside the chroot, so copy it in:
cp -a /etc/security /chroot/etc/


Prepare the dev, pts and proc environments for the chroot (openpty fails without a devpts mount inside the chroot; the devpts group is 5, which the original wrote as "pid=5"):
mount --bind /dev /chroot/dev
mount -t devpts -o gid=5,mode=620 devpts /chroot/dev/pts
mount -t proc /proc /chroot/proc/



Test the login again:
ssh ppp@192.168.13.136
Aug 20 07:08:52 localhost sshd[21426]: pam_env(sshd:setcred): Unable to open env file: /etc/environment: No such file or directory

Aug 20 07:08:52 localhost sshd[21390]: error: ssh_selinux_setup_pty: security_compute_relabel: No such file or directory

cp -a /etc/environment /chroot/etc/

Test once more:

ssh ppp@192.168.13.136
ppp@192.168.13.136's password:
-bash-3.5$

OK, the login now works.
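Each of the login failures above came from something missing inside the chroot: the PAM security directory, /etc/environment, and a pty, which needs devpts mounted under the chroot. Below is an added example, not from the original post, that checks for those pieces before you attempt a login; the function names, the file list and the use of /proc/self/mounts as the mount table are my assumptions. One caveat on the mounts themselves: bind-mounting all of /dev, as done above, exposes every host device node inside the chroot, and this check only confirms the mounts exist, so review what /dev contains before handing the account out.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for a chroot
# that will receive SSH logins via pam_chroot. Usage:
#   chroot_preflight /chroot && echo "ready"

# Usage: is_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 when MOUNTPOINT is listed as a mount point in MOUNTS_FILE
# (default /proc/self/mounts, whose second column is the mount point).
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }' \
        "${2:-/proc/self/mounts}"
}

# Usage: chroot_preflight ROOT [MOUNTS_FILE]
# Prints one line per problem found; returns 0 only if nothing is missing.
chroot_preflight() {
    root="${1%/}"
    mounts="${2:-/proc/self/mounts}"
    problems=0
    # Files whose absence produced the errors seen in /var/log/secure,
    # plus the user's shell.
    for f in etc/passwd etc/group etc/security/pam_env.conf etc/environment bin/bash; do
        if [ ! -e "$root/$f" ]; then
            echo "missing: $root/$f"
            problems=$((problems + 1))
        fi
    done
    # Without dev/pts, openpty fails and sshd cannot allocate a session pty.
    for mp in dev dev/pts proc; do
        if ! is_mounted "$root/$mp" "$mounts"; then
            echo "not mounted: $root/$mp"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Run it as root after the mount commands and before the ssh test; every line it prints corresponds to one of the failure messages in this section.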

5. Environment settings

The simplest option is to set no environment at all and let the bash version number serve as the prompt.

Alternatively, set up the prompt as for a normal user; this takes more work.

cp -a /etc/{profile,profile.d,bashrc}  /chroot/etc/

If files cannot be uploaded or downloaded over the SSH login, sftp is the likely cause:
[root@localhost ssh]# tail -1 sshd_config
Subsystem       sftp    /usr/libexec/openssh/sftp-server

sftp-server is probably missing from the chroot; copy it in (its target directory does not exist yet):
mkdir -p /chroot/usr/libexec/openssh
cp -a /usr/libexec/openssh/sftp-server /chroot/usr/libexec/openssh/sftp-server

Then edit the .bashrc file under /chroot/home/ppp/.

Add one of the following lines at the very top, so that .bashrc returns early when the shell is not interactive (anything .bashrc prints for a non-interactive shell ends up in the SFTP data stream and breaks the session):
[ -z "$PS1" ] && return
or:
[[ $- != *i* ]] && return
Reload it with:
. .bashrc
After that, uploading and downloading files over the SSH login works.

Other reference scripts generated by ChatGPT

001

#!/bin/bash
set -e

# Directory that becomes the chroot root
chroot_path="/chroot"

# User name and password to create
username="testuser"
password="testpassword"

# Create the chroot directory
mkdir -p "$chroot_path"

# Install the tools needed on the host
apt update
apt install -y debootstrap schroot openssh-server

# Bootstrap a minimal Debian tree into the chroot
debootstrap --variant=buildd --arch=amd64 stretch "$chroot_path" http://mirrors.ustc.edu.cn/debian/

# Copy selected commands and their shared libraries into the chroot.
# command -v finds the real path (not every tool lives in /bin), and grep -o
# also picks up the bare ld.so loader line, which awk '{print $3}' skipped.
# The library path is kept exactly as ldd reports it, because the loader
# path is hard-coded into each binary.
command_list="bash ls ps du vi echo date"
for command in $command_list; do
    src="$(command -v "$command")" || { echo "skipping $command: not found" >&2; continue; }
    mkdir -p "$chroot_path$(dirname "$src")"
    cp -L "$src" "$chroot_path$(dirname "$src")/"
    for lib in $(ldd "$src" | grep -o '/[^ ]*'); do
        cp -v -L --parents "$lib" "$chroot_path/"
    done
done

# Create the user on the host first, then append only that user's entries to
# the files debootstrap created in the chroot. The original copied the whole
# host /etc/shadow, which carries every host password hash into the chroot,
# and created the user after copying /etc/passwd, so chpasswd inside the
# chroot could not find it.
useradd -m -d "/home/$username" -s /bin/bash "$username"
echo "${username}:${password}" | chpasswd
grep "^${username}:" /etc/passwd >> "$chroot_path/etc/passwd"
grep "^${username}:" /etc/group  >> "$chroot_path/etc/group"
grep "^${username}:" /etc/shadow >> "$chroot_path/etc/shadow"
mkdir -p "$chroot_path/home/$username"
chown "$username:$username" "$chroot_path/home/$username"

# Install and configure sshd inside the chroot.
# Note: this sshd listens on port 22 inside the chroot and will conflict with
# a host sshd on the same port; change Port in the chroot's sshd_config if
# the host already runs sshd.
chroot "$chroot_path" apt update
chroot "$chroot_path" apt install -y openssh-server
chroot "$chroot_path" sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
chroot "$chroot_path" sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config
chroot "$chroot_path" /etc/init.d/ssh restart

echo "chroot环境创建完成,用户名为 $username,密码为 $password"

002

#!/bin/bash
set -e

# Variables
CHROOT_PATH="/chroot"
USERNAME="user"
PASSWORD="password"
SSHD_PORT="8822"
# A second sshd instance reads this copy of the config (sshd -f); the host's
# own sshd keeps using /etc/ssh/sshd_config. The original edited this copy
# but never pointed any sshd at it, so the Match block had no effect.
SSHD_CONFIG="${CHROOT_PATH}/etc/ssh/sshd_config"
# The unit file must live on the host for systemd to find it; the original
# wrote it under ${CHROOT_PATH}, where systemd never looks.
SSHD_SERVICE="/etc/systemd/system/sshd-chroot.service"
SSHD_SERVICE_CONTENT="
[Unit]
Description=OpenBSD Secure Shell server (chroot instance on port ${SSHD_PORT})
After=syslog.target network.target auditd.service

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStart=/usr/sbin/sshd -D -f ${SSHD_CONFIG} \$SSHD_OPTS
ExecReload=/bin/kill -HUP \$MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
"

# Create the chroot tree. sshd's ChrootDirectory requires the root and all
# of its parents to be owned by root and not writable by group or others.
mkdir -p "$CHROOT_PATH"
cd "$CHROOT_PATH"
mkdir -p bin home lib64 usr var/run/sshd etc/ssh etc/systemd/system
chown root:root "$CHROOT_PATH"
chmod 755 "$CHROOT_PATH"
chmod 700 var/run/sshd

# Copy commands and shared libraries. command -v locates tools outside /bin
# (the original assumed /bin and also referenced an undefined $chroot_path),
# and grep -o catches the bare ld.so loader line that awk '{print $3}' skipped.
command_list="bash ls ps du cat echo date"
for command in $command_list; do
    src="$(command -v "$command")" || { echo "skipping $command: not found" >&2; continue; }
    mkdir -p "$CHROOT_PATH$(dirname "$src")"
    cp -L "$src" "$CHROOT_PATH$(dirname "$src")/"
    for lib in $(ldd "$src" | grep -o '/[^ ]*'); do
        cp -v -L --parents "$lib" "$CHROOT_PATH/"
    done
done

# Copy sshd_config for the chroot instance
cp -v /etc/ssh/sshd_config "$SSHD_CONFIG"

# Adjust sshd_config (the patterns also match lines that are not commented out)
sed -i "s/^#\?Port 22/Port ${SSHD_PORT}/" "$SSHD_CONFIG"
sed -i "s/^#\?PermitRootLogin .*/PermitRootLogin no/" "$SSHD_CONFIG"
sed -i "s/^#\?PasswordAuthentication .*/PasswordAuthentication no/" "$SSHD_CONFIG"
sed -i "s/^#\?UsePAM .*/UsePAM no/" "$SSHD_CONFIG"
# Separate pid file so the two sshd instances do not overwrite each other's
echo "PidFile /run/sshd-chroot.pid" >> "$SSHD_CONFIG"
# Match blocks must come last in the file
{
    echo "Match User ${USERNAME}"
    echo "    ChrootDirectory ${CHROOT_PATH}"
} >> "$SSHD_CONFIG"

# Copy nsswitch.conf and resolv.conf for name resolution inside the chroot
cp /etc/nsswitch.conf "$CHROOT_PATH/etc/nsswitch.conf"
cp /etc/resolv.conf "$CHROOT_PATH/etc/resolv.conf"

# Create the user on the host (authentication happens before the chroot),
# then give it a home directory and passwd/group entries inside the chroot
# so the shell can start and ls can show user names.
useradd -s /bin/bash -d "/home/$USERNAME" -m "$USERNAME"
echo "${USERNAME}:${PASSWORD}" | chpasswd
mkdir -p "$CHROOT_PATH/home/$USERNAME"
chown "$USERNAME:$USERNAME" "$CHROOT_PATH/home/$USERNAME"
grep "^${USERNAME}:" /etc/passwd > "$CHROOT_PATH/etc/passwd"
grep "^${USERNAME}:" /etc/group  > "$CHROOT_PATH/etc/group"
# PasswordAuthentication is disabled above: place the user's public key in
# /home/${USERNAME}/.ssh/authorized_keys on the host before logging in.

# Validate the config, generate the systemd service file, start the instance
/usr/sbin/sshd -t -f "$SSHD_CONFIG"
echo "$SSHD_SERVICE_CONTENT" > "$SSHD_SERVICE"
systemctl daemon-reload
systemctl enable sshd-chroot.service
systemctl start sshd-chroot.service

echo "chroot 环境已经创建,可以通过 ssh ${USERNAME}@localhost -p ${SSHD_PORT} 进入 chroot 环境。"

