B.7. Chroot environment for SSH

Creating a restricted environment for SSH is a tough job due to its dependencies and the fact that, unlike other servers, SSH provides a remote shell to users. Thus, you will also have to consider the applications users will be allowed to use in the environment.

You have two options to setup a restricted remote shell:

  • Chrooting the ssh users: by properly configuring the ssh daemon you can ask it to chroot a user after authentication, just before the user is given a shell. Each user can have their own environment.

  • Chrooting the ssh server: since you chroot the ssh application itself, all users are chrooted to the defined environment.

The first option has the advantage of making it possible to have both non-chrooted and chrooted users; if you don't introduce any setuid application in the users' chroots it is more difficult to break out of them. However, you might need to set up individual chroots for each user, and it is more difficult to set up (as it requires cooperation from the SSH server). The second option is easier to set up and protects against exploitation of the ssh server itself (since it is also in the chroot), but it has the limitation that all users share the same chroot environment (you cannot set up a per-user chroot environment).

B.7.1. Chrooting the ssh users

You can setup the ssh server so that it will chroot a set of defined users into a shell with a limited set of applications available.

B.7.1.1. Using libpam-chroot

Probably the easiest way is to use the libpam-chroot package provided in Debian. Once you install it you need to:

  • Modify /etc/pam.d/ssh to use this PAM module, adding the following as its last line[80]:

    session required pam_chroot.so

  • Set up a proper chroot environment for the user. You can try using the scripts available at /usr/share/doc/libpam-chroot/examples/, use the makejail[81] program or set up a minimal Debian environment with debootstrap. Make sure the environment includes the needed devices [82].

  • Configure /etc/security/chroot.conf so that the users you determine are chrooted to the directory you set up previously. You might want to have independent directories for different users so that they will be able to see neither the whole system nor each other's directories.

  • Configure SSH: depending on your OpenSSH version the chroot environment might work straight out of the box or not. Since 3.6.1p2 the do_pam_session() function is called after sshd has dropped privileges; since chroot() needs root privileges, it will not work with Privilege Separation on. In newer OpenSSH versions, however, the PAM code has been modified and do_pam_session is called before dropping privileges, so it will work even with Privilege Separation on. If you have to disable it, modify /etc/ssh/sshd_config like this:

    UsePrivilegeSeparation no

    Notice that this will lower the security of your system, since the OpenSSH server will then run as the root user. This means that if a remote attack is found against OpenSSH an attacker will get root privileges instead of those of sshd, thus compromising the whole system. [83]

If you don’t disable Privilege Separation you will need an /etc/passwd which includes the user’s UID inside the chroot for Privilege Separation to work properly.

If you have Privilege Separation set to yes and your OpenSSH version does not behave properly you will need to disable it. If you don't, users that try to connect to your server and would be chrooted by this module will see this:

  $ ssh -l user server
  user@server's password:
  Connection to server closed by remote host.
  Connection to server closed.

This is because the ssh daemon, which is running as 'sshd', is not able to make the chroot() system call. To disable Privilege Separation you have to modify the /etc/ssh/sshd_config configuration file as described above.

Notice that if any of the following is missing the users will not be able to logon to the chroot:

  • The /proc filesystem needs to be mounted in the users’ chroot.

  • The necessary /dev/pts/ devices need to exist. If the files are generated by your running kernel automatically then you have to manually create them on the chroot’s /dev/.

  • The user’s home directory has to exist in the chroot, otherwise the ssh daemon will not continue.

You can debug all these issues if you use the debug keyword in the /etc/pam.d/ssh PAM definition. If you encounter issues you might find it useful to enable the debugging mode on the ssh client too.
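The prerequisites listed above can be checked before a user is locked out. The following POSIX shell script is an added example, not part of the manual or of the libpam-chroot package: it takes the jail directory and a user name as arguments, reports each missing prerequisite (procfs mounted in the jail, /dev/pts and basic device nodes, the user's entry in the jail's /etc/passwd and the corresponding home directory) and lists every setuid/setgid file inside the jail, since those are what make breaking out easier. The exact device-node list (null, urandom) is an assumption drawn from the /dev and PRNG remarks in this appendix.

```shell
#!/bin/sh
# check_chroot.sh - sanity checks for a per-user ssh chroot (added example).
# Usage: check_chroot /var/chroot/joe joe
# Prints one line per problem and returns the number of problems (0 = ok).

check_chroot() {
    jail=$1
    user=$2
    problems=0

    # 1. procfs must be mounted inside the jail; /proc/self only exists when it is.
    if [ ! -d "$jail/proc/self" ]; then
        echo "MISSING: procfs not mounted on $jail/proc"
        problems=$((problems + 1))
    fi

    # 2. pseudo-terminal directory and the basic character devices sshd needs.
    if [ ! -d "$jail/dev/pts" ]; then
        echo "MISSING: directory $jail/dev/pts"
        problems=$((problems + 1))
    fi
    for dev in null urandom; do           # assumed minimal device set
        if [ ! -c "$jail/dev/$dev" ]; then
            echo "MISSING: character device $jail/dev/$dev"
            problems=$((problems + 1))
        fi
    done

    # 3. the user needs an entry in the jail's own /etc/passwd (required with
    #    Privilege Separation) and the home directory named there must exist
    #    inside the jail, otherwise sshd refuses to continue.
    home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$jail/etc/passwd" 2>/dev/null || :)
    if [ -z "$home" ]; then
        echo "MISSING: no entry for $user in $jail/etc/passwd"
        problems=$((problems + 1))
    elif [ ! -d "$jail$home" ]; then
        echo "MISSING: home directory $jail$home"
        problems=$((problems + 1))
    fi

    # 4. setuid/setgid binaries inside the jail weaken it; list each one.
    suid=$(find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || :)
    if [ -n "$suid" ]; then
        echo "$suid" | sed 's/^/SETUID: /'
        problems=$((problems + $(echo "$suid" | wc -l)))
    fi

    return "$problems"   # exit status is truncated to 8 bits by the shell
}
```

Run it as root against the real jail; a zero exit status means all four groups of checks passed, and each printed line names the item to fix.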

Note: This information is also available (and maybe more up to date) in /usr/share/doc/libpam-chroot/README.Debian.gz, please review it for updated information before taking the above steps.

B.7.1.2. Patching the ssh server

Debian's sshd does not allow restriction of a user's movement through the server, since it lacks the chroot function that the commercial program sshd2 includes (using 'ChrootGroups' or 'ChrootUsers', see sshd2_config(5)). However, there is a patch that adds this functionality, available from http://chrootssh.sourceforge.net (requested and available in http://bugs.debian.org/139047 in Debian). The patch may be included in future releases of the OpenSSH package. Emmanuel Lacour has ssh deb packages for sarge with this feature. They are available at http://debian.home-dn.net/sarge/ssh/. Notice that those might not be up to date, so completing the compilation step is recommended.

After applying the patch, modify /etc/passwd by changing the home path of the users (with the special /./ token):

  joeuser:x:1099:1099:Joe Random User:/home/joe/./:/bin/bash

This will restrict both remote shell access and remote copy through ssh channels.

Make sure that the users' chroot directories contain all the programs and libraries they need. These files should be owned by root to avoid tampering by the user (so as to exit the chroot jail). A sample might include:

  ./bin:
  total 660
  drwxr-xr-x 2 root root 4096 Mar 18 13:36 .
  drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..
  -r-xr-xr-x 1 root root 531160 Feb 6 22:36 bash
  -r-xr-xr-x 1 root root 43916 Nov 29 13:19 ls
  -r-xr-xr-x 1 root root 16684 Nov 29 13:19 mkdir
  -rwxr-xr-x 1 root root 23960 Mar 18 13:36 more
  -r-xr-xr-x 1 root root 9916 Jul 26 2001 pwd
  -r-xr-xr-x 1 root root 24780 Nov 29 13:19 rm
  lrwxrwxrwx 1 root root 4 Mar 30 16:29 sh -> bash

  ./etc:
  total 24
  drwxr-xr-x 2 root root 4096 Mar 15 16:13 .
  drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..
  -rw-r--r-- 1 root root 54 Mar 15 13:23 group
  -rw-r--r-- 1 root root 428 Mar 15 15:56 hosts
  -rw-r--r-- 1 root root 44 Mar 15 15:53 passwd
  -rw-r--r-- 1 root root 52 Mar 15 13:23 shells

  ./lib:
  total 1848
  drwxr-xr-x 2 root root 4096 Mar 18 13:37 .
  drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..
  -rwxr-xr-x 1 root root 92511 Mar 15 12:49 ld-linux.so.2
  -rwxr-xr-x 1 root root 1170812 Mar 15 12:49 libc.so.6
  -rw-r--r-- 1 root root 20900 Mar 15 13:01 libcrypt.so.1
  -rw-r--r-- 1 root root 9436 Mar 15 12:49 libdl.so.2
  -rw-r--r-- 1 root root 248132 Mar 15 12:48 libncurses.so.5
  -rw-r--r-- 1 root root 71332 Mar 15 13:00 libnsl.so.1
  -rw-r--r-- 1 root root 34144 Mar 15 16:10 libnss_files.so.2
  -rw-r--r-- 1 root root 29420 Mar 15 12:57 libpam.so.0
  -rw-r--r-- 1 root root 105498 Mar 15 12:51 libpthread.so.0
  -rw-r--r-- 1 root root 25596 Mar 15 12:51 librt.so.1
  -rw-r--r-- 1 root root 7760 Mar 15 12:59 libutil.so.1
  -rw-r--r-- 1 root root 24328 Mar 15 12:57 libwrap.so.0

  ./usr:
  total 16
  drwxr-xr-x 4 root root 4096 Mar 15 13:00 .
  drwxr-xr-x 8 guest guest 4096 Mar 15 16:53 ..
  drwxr-xr-x 2 root root 4096 Mar 15 15:55 bin
  drwxr-xr-x 2 root root 4096 Mar 15 15:37 lib

  ./usr/bin:
  total 340
  drwxr-xr-x 2 root root 4096 Mar 15 15:55 .
  drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..
  -rwxr-xr-x 1 root root 10332 Mar 15 15:55 env
  -rwxr-xr-x 1 root root 13052 Mar 15 13:13 id
  -r-xr-xr-x 1 root root 25432 Mar 15 12:40 scp
  -rwxr-xr-x 1 root root 43768 Mar 15 15:15 sftp
  -r-sr-xr-x 1 root root 218456 Mar 15 12:40 ssh
  -rwxr-xr-x 1 root root 9692 Mar 15 13:17 tty

  ./usr/lib:
  total 852
  drwxr-xr-x 2 root root 4096 Mar 15 15:37 .
  drwxr-xr-x 4 root root 4096 Mar 15 13:00 ..
  -rw-r--r-- 1 root root 771088 Mar 15 13:01 libcrypto.so.0.9.6
  -rw-r--r-- 1 root root 54548 Mar 15 13:00 libz.so.1
  -rwxr-xr-x 1 root root 23096 Mar 15 15:37 sftp-server

B.7.2. Chrooting the ssh server

If you create a chroot which includes the SSH server files in, for example, /var/chroot/ssh, you would start the ssh server chrooted with this command:

  # chroot /var/chroot/ssh /sbin/sshd -f /etc/sshd_config

That would start the sshd daemon inside the chroot. In order to do that you have to first prepare the contents of the /var/chroot/ssh directory so that it includes both the SSH server and all the utilities that the users connecting to that server might need. If you are doing this you should make certain that OpenSSH uses Privilege Separation (which is the default) by having the following line in the configuration file /etc/ssh/sshd_config:

  UsePrivilegeSeparation yes

That way the remote daemon will do as few things as possible as the root user, so even if there is a bug in it, it will not compromise the chroot. Notice that, unlike the case in which you set up a per-user chroot, the ssh daemon is running in the same chroot as the users, so there is at least one potential process running as root which could break out of the chroot.

Notice, also, that in order for SSH to work in that location, the partition where the chroot directory resides cannot be mounted with the nodev option. If you use that option, then you will get the following error: PRNG is not seeded, because /dev/urandom does not work in the chroot.
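The nodev condition can be checked from the mount table rather than discovered through the PRNG error. The following POSIX shell function is an added example, not part of the manual: it reads a file in /proc/mounts format (device, mount point, type, options, ...), finds the longest mount point that contains the given jail path, and reports whether that mount carries the nodev option. The table path is a parameter so the function can be run against a saved copy; on a live system pass /proc/mounts.

```shell
#!/bin/sh
# jail_nodev_check.sh - is the filesystem holding a chroot mounted nodev? (added example)
# Usage: jail_fs_has_nodev /proc/mounts /var/chroot/ssh
# Exit status 0: the mount that holds the path is nodev, so /dev/urandom inside
# the jail will not work and sshd will report "PRNG is not seeded".
# Exit status 1: device nodes are honoured on that filesystem.

jail_fs_has_nodev() {
    table=$1   # file in /proc/mounts format: device mountpoint fstype options dump pass
    path=$2    # absolute path of the chroot directory
    awk -v p="$path" '
        BEGIN { best = -1; opts = "" }
        # A mount point applies to p when it is "/", equals p, or is a parent of p.
        # The longest such mount point is the filesystem that actually holds p.
        $2 == "/" || $2 == p || index(p, $2 "/") == 1 {
            if (length($2) > best) { best = length($2); opts = $4 }
        }
        END { exit (opts ~ /(^|,)nodev(,|$)/) ? 0 : 1 }' "$table"
}

# Human-readable wrapper for interactive use; returns 1 when the jail is unusable.
report_jail_mount() {
    if jail_fs_has_nodev "$1" "$2"; then
        echo "WARNING: $2 is on a filesystem mounted nodev; /dev/urandom will not work in the chroot"
        return 1
    fi
    echo "OK: $2 is on a filesystem that allows device nodes"
    return 0
}
```

The path is compared textually, so pass the canonical directory (as shown by pwd -P) rather than one containing symlinks or "..".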

B.7.2.1. Setup a minimal system (the really easy way)

You can use debootstrap to set up a minimal environment that just includes the ssh server. In order to do this you just have to create a chroot as described in the http://www.debian.org/doc/manuals/reference/ch09#_chroot_system document. This method is bound to work (you will get all the necessary components for the chroot) but at the cost of disk space (a minimal installation of Debian will amount to several hundred megabytes). This minimal system might also include setuid files that a user in the chroot could use to break out of the chroot if any of those could be used for a privilege escalation.

B.7.2.2. Automatically making the environment (the easy way)

You can easily create a restricted environment with the makejail package, since it automatically takes care of tracing the server daemon (with strace), and makes it run under the restricted environment.

The advantage of automatically building the chroot environment is that it can copy any package into the chroot (even the package's dependencies, and make sure it is complete). This makes it easier to use.

To set up the environment using makejail's provided examples, just create /var/chroot/sshd and use the command:

  # makejail /usr/share/doc/makejail/examples/sshd.py

This will set up the chroot in the /var/chroot/sshd directory. Notice that this chroot will not fully work unless you:

  • Mount the procfs filesystem in /var/chroot/sshd/proc. Makejail will mount it for you, but if the system reboots you need to remount it by running:

    # mount -t proc proc /var/chroot/sshd/proc

    You can also have it mounted automatically by editing /etc/fstab and including this line:

    proc-ssh /var/chroot/sshd/proc proc none 0 0

  • Have syslog listen to the device /dev/log inside the chroot. In order to do this you have to modify /etc/default/syslogd and add -a /var/chroot/sshd/dev/log to the SYSLOGD variable definition.

Read the sample file to see what other changes need to be made to the environment. Some of these changes, such as copying users' home directories, cannot be done automatically. Also, limit the exposure of sensitive information by only copying the data of a given set of users from the files /etc/shadow or /etc/group. Notice that if you are using Privilege Separation the sshd user needs to exist in those files.

The following sample environment has been (slightly) tested in Debian 3.0 and is built with the configuration file provided in the package and includes the fileutils package:

  .
  |-- bin
  | |-- ash
  | |-- bash
  | |-- chgrp
  | |-- chmod
  | |-- chown
  | |-- cp
  | |-- csh -> /etc/alternatives/csh
  | |-- dd
  | |-- df
  | |-- dir
  | |-- fdflush
  | |-- ksh
  | |-- ln
  | |-- ls
  | |-- mkdir
  | |-- mknod
  | |-- mv
  | |-- rbash -> bash
  | |-- rm
  | |-- rmdir
  | |-- sh -> bash
  | |-- sync
  | |-- tcsh
  | |-- touch
  | |-- vdir
  | |-- zsh -> /etc/alternatives/zsh
  | `-- zsh4
  |-- dev
  | |-- null
  | |-- ptmx
  | |-- pts
  | |-- ptya0
  (...)
  | |-- tty
  | |-- tty0
  (...)
  | `-- urandom
  |-- etc
  | |-- alternatives
  | | |-- csh -> /bin/tcsh
  | | `-- zsh -> /bin/zsh4
  | |-- environment
  | |-- hosts
  | |-- hosts.allow
  | |-- hosts.deny
  | |-- ld.so.conf
  | |-- localtime -> /usr/share/zoneinfo/Europe/Madrid
  | |-- motd
  | |-- nsswitch.conf
  | |-- pam.conf
  | |-- pam.d
  | | |-- other
  | | `-- ssh
  | |-- passwd
  | |-- resolv.conf
  | |-- security
  | | |-- access.conf
  | | |-- chroot.conf
  | | |-- group.conf
  | | |-- limits.conf
  | | |-- pam_env.conf
  | | `-- time.conf
  | |-- shadow
  | |-- shells
  | `-- ssh
  | |-- moduli
  | |-- ssh_host_dsa_key
  | |-- ssh_host_dsa_key.pub
  | |-- ssh_host_rsa_key
  | |-- ssh_host_rsa_key.pub
  | `-- sshd_config
  |-- home
  | `-- userX
  |-- lib
  | |-- ld-2.2.5.so
  | |-- ld-linux.so.2 -> ld-2.2.5.so
  | |-- libc-2.2.5.so
  | |-- libc.so.6 -> libc-2.2.5.so
  | |-- libcap.so.1 -> libcap.so.1.10
  | |-- libcap.so.1.10
  | |-- libcrypt-2.2.5.so
  | |-- libcrypt.so.1 -> libcrypt-2.2.5.so
  | |-- libdl-2.2.5.so
  | |-- libdl.so.2 -> libdl-2.2.5.so
  | |-- libm-2.2.5.so
  | |-- libm.so.6 -> libm-2.2.5.so
  | |-- libncurses.so.5 -> libncurses.so.5.2
  | |-- libncurses.so.5.2
  | |-- libnsl-2.2.5.so
  | |-- libnsl.so.1 -> libnsl-2.2.5.so
  | |-- libnss_compat-2.2.5.so
  | |-- libnss_compat.so.2 -> libnss_compat-2.2.5.so
  | |-- libnss_db-2.2.so
  | |-- libnss_db.so.2 -> libnss_db-2.2.so
  | |-- libnss_dns-2.2.5.so
  | |-- libnss_dns.so.2 -> libnss_dns-2.2.5.so
  | |-- libnss_files-2.2.5.so
  | |-- libnss_files.so.2 -> libnss_files-2.2.5.so
  | |-- libnss_hesiod-2.2.5.so
  | |-- libnss_hesiod.so.2 -> libnss_hesiod-2.2.5.so
  | |-- libnss_nis-2.2.5.so
  | |-- libnss_nis.so.2 -> libnss_nis-2.2.5.so
  | |-- libnss_nisplus-2.2.5.so
  | |-- libnss_nisplus.so.2 -> libnss_nisplus-2.2.5.so
  | |-- libpam.so.0 -> libpam.so.0.72
  | |-- libpam.so.0.72
  | |-- libpthread-0.9.so
  | |-- libpthread.so.0 -> libpthread-0.9.so
  | |-- libresolv-2.2.5.so
  | |-- libresolv.so.2 -> libresolv-2.2.5.so
  | |-- librt-2.2.5.so
  | |-- librt.so.1 -> librt-2.2.5.so
  | |-- libutil-2.2.5.so
  | |-- libutil.so.1 -> libutil-2.2.5.so
  | |-- libwrap.so.0 -> libwrap.so.0.7.6
  | |-- libwrap.so.0.7.6
  | `-- security
  | |-- pam_access.so
  | |-- pam_chroot.so
  | |-- pam_deny.so
  | |-- pam_env.so
  | |-- pam_filter.so
  | |-- pam_ftp.so
  | |-- pam_group.so
  | |-- pam_issue.so
  | |-- pam_lastlog.so
  | |-- pam_limits.so
  | |-- pam_listfile.so
  | |-- pam_mail.so
  | |-- pam_mkhomedir.so
  | |-- pam_motd.so
  | |-- pam_nologin.so
  | |-- pam_permit.so
  | |-- pam_rhosts_auth.so
  | |-- pam_rootok.so
  | |-- pam_securetty.so
  | |-- pam_shells.so
  | |-- pam_stress.so
  | |-- pam_tally.so
  | |-- pam_time.so
  | |-- pam_unix.so
  | |-- pam_unix_acct.so -> pam_unix.so
  | |-- pam_unix_auth.so -> pam_unix.so
  | |-- pam_unix_passwd.so -> pam_unix.so
  | |-- pam_unix_session.so -> pam_unix.so
  | |-- pam_userdb.so
  | |-- pam_warn.so
  | `-- pam_wheel.so
  |-- sbin
  | `-- start-stop-daemon
  |-- usr
  | |-- bin
  | | |-- dircolors
  | | |-- du
  | | |-- install
  | | |-- link
  | | |-- mkfifo
  | | |-- shred
  | | |-- touch -> /bin/touch
  | | `-- unlink
  | |-- lib
  | | |-- libcrypto.so.0.9.6
  | | |-- libdb3.so.3 -> libdb3.so.3.0.2
  | | |-- libdb3.so.3.0.2
  | | |-- libz.so.1 -> libz.so.1.1.4
  | | `-- libz.so.1.1.4
  | |-- sbin
  | | `-- sshd
  | `-- share
  | |-- locale
  | | `-- es
  | | |-- LC_MESSAGES
  | | | |-- fileutils.mo
  | | | |-- libc.mo
  | | | `-- sh-utils.mo
  | | `-- LC_TIME -> LC_MESSAGES
  | `-- zoneinfo
  | `-- Europe
  | `-- Madrid
  `-- var
  `-- run
  |-- sshd
  `-- sshd.pid

  27 directories, 733 files

For Debian release 3.1 you have to make sure that the environment also includes the common files for PAM. The following files need to be copied over to the chroot if makejail did not do it for you:

  $ ls /etc/pam.d/common-*
  /etc/pam.d/common-account /etc/pam.d/common-password
  /etc/pam.d/common-auth /etc/pam.d/common-session

B.7.2.3. Manually creating the environment (the hard way)

It is possible to create an environment, using a trial-and-error method, by monitoring the sshd server traces and log files in order to determine the necessary files. The following environment, contributed by José Luis Ledesma, is a sample listing of files in a chroot environment for ssh in Debian woody (3.0): [84]

  .:
  total 36
  drwxr-xr-x 9 root root 4096 Jun 5 10:05 ./
  drwxr-xr-x 11 root root 4096 Jun 3 13:43 ../
  drwxr-xr-x 2 root root 4096 Jun 4 12:13 bin/
  drwxr-xr-x 2 root root 4096 Jun 4 12:16 dev/
  drwxr-xr-x 4 root root 4096 Jun 4 12:35 etc/
  drwxr-xr-x 3 root root 4096 Jun 4 12:13 lib/
  drwxr-xr-x 2 root root 4096 Jun 4 12:35 sbin/
  drwxr-xr-x 2 root root 4096 Jun 4 12:32 tmp/
  drwxr-xr-x 2 root root 4096 Jun 4 12:16 usr/

  ./bin:
  total 8368
  drwxr-xr-x 2 root root 4096 Jun 4 12:13 ./
  drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
  -rwxr-xr-x 1 root root 109855 Jun 3 13:45 a2p*
  -rwxr-xr-x 1 root root 387764 Jun 3 13:45 bash*
  -rwxr-xr-x 1 root root 36365 Jun 3 13:45 c2ph*
  -rwxr-xr-x 1 root root 20629 Jun 3 13:45 dprofpp*
  -rwxr-xr-x 1 root root 6956 Jun 3 13:46 env*
  -rwxr-xr-x 1 root root 158116 Jun 3 13:45 fax2ps*
  -rwxr-xr-x 1 root root 104008 Jun 3 13:45 faxalter*
  -rwxr-xr-x 1 root root 89340 Jun 3 13:45 faxcover*
  -rwxr-xr-x 1 root root 441584 Jun 3 13:45 faxmail*
  -rwxr-xr-x 1 root root 96036 Jun 3 13:45 faxrm*
  -rwxr-xr-x 1 root root 107000 Jun 3 13:45 faxstat*
  -rwxr-xr-x 1 root root 77832 Jun 4 11:46 grep*
  -rwxr-xr-x 1 root root 19597 Jun 3 13:45 h2ph*
  -rwxr-xr-x 1 root root 46979 Jun 3 13:45 h2xs*
  -rwxr-xr-x 1 root root 10420 Jun 3 13:46 id*
  -rwxr-xr-x 1 root root 4528 Jun 3 13:46 ldd*
  -rwxr-xr-x 1 root root 111386 Jun 4 11:46 less*
  -r-xr-xr-x 1 root root 26168 Jun 3 13:45 login*
  -rwxr-xr-x 1 root root 49164 Jun 3 13:45 ls*
  -rwxr-xr-x 1 root root 11600 Jun 3 13:45 mkdir*
  -rwxr-xr-x 1 root root 24780 Jun 3 13:45 more*
  -rwxr-xr-x 1 root root 154980 Jun 3 13:45 pal2rgb*
  -rwxr-xr-x 1 root root 27920 Jun 3 13:46 passwd*
  -rwxr-xr-x 1 root root 4241 Jun 3 13:45 pl2pm*
  -rwxr-xr-x 1 root root 2350 Jun 3 13:45 pod2html*
  -rwxr-xr-x 1 root root 7875 Jun 3 13:45 pod2latex*
  -rwxr-xr-x 1 root root 17587 Jun 3 13:45 pod2man*
  -rwxr-xr-x 1 root root 6877 Jun 3 13:45 pod2text*
  -rwxr-xr-x 1 root root 3300 Jun 3 13:45 pod2usage*
  -rwxr-xr-x 1 root root 3341 Jun 3 13:45 podchecker*
  -rwxr-xr-x 1 root root 2483 Jun 3 13:45 podselect*
  -r-xr-xr-x 1 root root 82412 Jun 4 11:46 ps*
  -rwxr-xr-x 1 root root 36365 Jun 3 13:45 pstruct*
  -rwxr-xr-x 1 root root 7120 Jun 3 13:45 pwd*
  -rwxr-xr-x 1 root root 179884 Jun 3 13:45 rgb2ycbcr*
  -rwxr-xr-x 1 root root 20532 Jun 3 13:45 rm*
  -rwxr-xr-x 1 root root 6720 Jun 4 10:15 rmdir*
  -rwxr-xr-x 1 root root 14705 Jun 3 13:45 s2p*
  -rwxr-xr-x 1 root root 28764 Jun 3 13:46 scp*
  -rwxr-xr-x 1 root root 385000 Jun 3 13:45 sendfax*
  -rwxr-xr-x 1 root root 67548 Jun 3 13:45 sendpage*
  -rwxr-xr-x 1 root root 88632 Jun 3 13:46 sftp*
  -rwxr-xr-x 1 root root 387764 Jun 3 13:45 sh*
  -rws--x--x 1 root root 744500 Jun 3 13:46 slogin*
  -rwxr-xr-x 1 root root 14523 Jun 3 13:46 splain*
  -rws--x--x 1 root root 744500 Jun 3 13:46 ssh*
  -rwxr-xr-x 1 root root 570960 Jun 3 13:46 ssh-add*
  -rwxr-xr-x 1 root root 502952 Jun 3 13:46 ssh-agent*
  -rwxr-xr-x 1 root root 575740 Jun 3 13:46 ssh-keygen*
  -rwxr-xr-x 1 root root 383480 Jun 3 13:46 ssh-keyscan*
  -rwxr-xr-x 1 root root 39 Jun 3 13:46 ssh_europa*
  -rwxr-xr-x 1 root root 107252 Jun 4 10:14 strace*
  -rwxr-xr-x 1 root root 8323 Jun 4 10:14 strace-graph*
  -rwxr-xr-x 1 root root 158088 Jun 3 13:46 thumbnail*
  -rwxr-xr-x 1 root root 6312 Jun 3 13:46 tty*
  -rwxr-xr-x 1 root root 55904 Jun 4 11:46 useradd*
  -rwxr-xr-x 1 root root 585656 Jun 4 11:47 vi*
  -rwxr-xr-x 1 root root 6444 Jun 4 11:45 whoami*

  ./dev:
  total 8
  drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./
  drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
  crw-r--r-- 1 root root 1, 9 Jun 3 13:43 urandom

  ./etc:
  total 208
  drwxr-xr-x 4 root root 4096 Jun 4 12:35 ./
  drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
  -rw------- 1 root root 0 Jun 4 11:46 .pwd.lock
  -rw-r--r-- 1 root root 653 Jun 3 13:46 group
  -rw-r--r-- 1 root root 242 Jun 4 11:33 host.conf
  -rw-r--r-- 1 root root 857 Jun 4 12:04 hosts
  -rw-r--r-- 1 root root 1050 Jun 4 11:29 ld.so.cache
  -rw-r--r-- 1 root root 304 Jun 4 11:28 ld.so.conf
  -rw-r--r-- 1 root root 235 Jun 4 11:27 ld.so.conf~
  -rw-r--r-- 1 root root 88039 Jun 3 13:46 moduli
  -rw-r--r-- 1 root root 1342 Jun 4 11:34 nsswitch.conf
  drwxr-xr-x 2 root root 4096 Jun 4 12:02 pam.d/
  -rw-r--r-- 1 root root 28 Jun 4 12:00 pam_smb.conf
  -rw-r--r-- 1 root root 2520 Jun 4 11:57 passwd
  -rw-r--r-- 1 root root 7228 Jun 3 13:48 profile
  -rw-r--r-- 1 root root 1339 Jun 4 11:33 protocols
  -rw-r--r-- 1 root root 274 Jun 4 11:44 resolv.conf
  drwxr-xr-x 2 root root 4096 Jun 3 13:43 security/
  -rw-r----- 1 root root 1178 Jun 4 11:51 shadow
  -rw------- 1 root root 80 Jun 4 11:45 shadow-
  -rw-r----- 1 root root 1178 Jun 4 11:48 shadow.old
  -rw-r--r-- 1 root root 161 Jun 3 13:46 shells
  -rw-r--r-- 1 root root 1144 Jun 3 13:46 ssh_config
  -rw------- 1 root root 668 Jun 3 13:46 ssh_host_dsa_key
  -rw-r--r-- 1 root root 602 Jun 3 13:46 ssh_host_dsa_key.pub
  -rw------- 1 root root 527 Jun 3 13:46 ssh_host_key
  -rw-r--r-- 1 root root 331 Jun 3 13:46 ssh_host_key.pub
  -rw------- 1 root root 883 Jun 3 13:46 ssh_host_rsa_key
  -rw-r--r-- 1 root root 222 Jun 3 13:46 ssh_host_rsa_key.pub
  -rw-r--r-- 1 root root 2471 Jun 4 12:15 sshd_config

  ./etc/pam.d:
  total 24
  drwxr-xr-x 2 root root 4096 Jun 4 12:02 ./
  drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../
  lrwxrwxrwx 1 root root 4 Jun 4 12:02 other -> sshd
  -rw-r--r-- 1 root root 318 Jun 3 13:46 passwd
  -rw-r--r-- 1 root root 546 Jun 4 11:36 ssh
  -rw-r--r-- 1 root root 479 Jun 4 12:02 sshd
  -rw-r--r-- 1 root root 370 Jun 3 13:46 su

  ./etc/security:
  total 32
  drwxr-xr-x 2 root root 4096 Jun 3 13:43 ./
  drwxr-xr-x 4 root root 4096 Jun 4 12:35 ../
  -rw-r--r-- 1 root root 1971 Jun 3 13:46 access.conf
  -rw-r--r-- 1 root root 184 Jun 3 13:46 chroot.conf
  -rw-r--r-- 1 root root 2145 Jun 3 13:46 group.conf
  -rw-r--r-- 1 root root 1356 Jun 3 13:46 limits.conf
  -rw-r--r-- 1 root root 2858 Jun 3 13:46 pam_env.conf
  -rw-r--r-- 1 root root 2154 Jun 3 13:46 time.conf

  ./lib:
  total 8316
  drwxr-xr-x 3 root root 4096 Jun 4 12:13 ./
  drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
  -rw-r--r-- 1 root root 1024 Jun 4 11:51 cracklib_dict.hwm
  -rw-r--r-- 1 root root 214324 Jun 4 11:51 cracklib_dict.pwd
  -rw-r--r-- 1 root root 11360 Jun 4 11:51 cracklib_dict.pwi
  -rwxr-xr-x 1 root root 342427 Jun 3 13:46 ld-linux.so.2*
  -rwxr-xr-x 1 root root 4061504 Jun 3 13:46 libc.so.6*
  lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so -> libcrack.so.2.7*
  lrwxrwxrwx 1 root root 15 Jun 4 12:11 libcrack.so.2 -> libcrack.so.2.7*
  -rwxr-xr-x 1 root root 33291 Jun 4 11:39 libcrack.so.2.7*
  -rwxr-xr-x 1 root root 60988 Jun 3 13:46 libcrypt.so.1*
  -rwxr-xr-x 1 root root 71846 Jun 3 13:46 libdl.so.2*
  -rwxr-xr-x 1 root root 27762 Jun 3 13:46 libhistory.so.4.0*
  lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.4 -> libncurses.so.4.2*
  -rwxr-xr-x 1 root root 503903 Jun 3 13:46 libncurses.so.4.2*
  lrwxrwxrwx 1 root root 17 Jun 4 12:12 libncurses.so.5 -> libncurses.so.5.0*
  -rwxr-xr-x 1 root root 549429 Jun 3 13:46 libncurses.so.5.0*
  -rwxr-xr-x 1 root root 369801 Jun 3 13:46 libnsl.so.1*
  -rwxr-xr-x 1 root root 142563 Jun 4 11:49 libnss_compat.so.1*
  -rwxr-xr-x 1 root root 215569 Jun 4 11:49 libnss_compat.so.2*
  -rwxr-xr-x 1 root root 61648 Jun 4 11:34 libnss_dns.so.1*
  -rwxr-xr-x 1 root root 63453 Jun 4 11:34 libnss_dns.so.2*
  -rwxr-xr-x 1 root root 63782 Jun 4 11:34 libnss_dns6.so.2*
  -rwxr-xr-x 1 root root 205715 Jun 3 13:46 libnss_files.so.1*
  -rwxr-xr-x 1 root root 235932 Jun 3 13:49 libnss_files.so.2*
  -rwxr-xr-x 1 root root 204383 Jun 4 11:33 libnss_nis.so.1*
  -rwxr-xr-x 1 root root 254023 Jun 4 11:33 libnss_nis.so.2*
  -rwxr-xr-x 1 root root 256465 Jun 4 11:33 libnss_nisplus.so.2*
  lrwxrwxrwx 1 root root 14 Jun 4 12:12 libpam.so.0 -> libpam.so.0.72*
  -rwxr-xr-x 1 root root 31449 Jun 3 13:46 libpam.so.0.72*
  lrwxrwxrwx 1 root root 19 Jun 4 12:12 libpam_misc.so.0 -> libpam_misc.so.0.72*
  -rwxr-xr-x 1 root root 8125 Jun 3 13:46 libpam_misc.so.0.72*
  lrwxrwxrwx 1 root root 15 Jun 4 12:12 libpamc.so.0 -> libpamc.so.0.72*
  -rwxr-xr-x 1 root root 10499 Jun 3 13:46 libpamc.so.0.72*
  -rwxr-xr-x 1 root root 176427 Jun 3 13:46 libreadline.so.4.0*
  -rwxr-xr-x 1 root root 44729 Jun 3 13:46 libutil.so.1*
  -rwxr-xr-x 1 root root 70254 Jun 3 13:46 libz.a*
  lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so -> libz.so.1.1.3*
  lrwxrwxrwx 1 root root 13 Jun 4 12:13 libz.so.1 -> libz.so.1.1.3*
  -rwxr-xr-x 1 root root 63312 Jun 3 13:46 libz.so.1.1.3*
  drwxr-xr-x 2 root root 4096 Jun 4 12:00 security/

  ./lib/security:
  total 668
  drwxr-xr-x 2 root root 4096 Jun 4 12:00 ./
  drwxr-xr-x 3 root root 4096 Jun 4 12:13 ../
  -rwxr-xr-x 1 root root 10067 Jun 3 13:46 pam_access.so*
  -rwxr-xr-x 1 root root 8300 Jun 3 13:46 pam_chroot.so*
  -rwxr-xr-x 1 root root 14397 Jun 3 13:46 pam_cracklib.so*
  -rwxr-xr-x 1 root root 5082 Jun 3 13:46 pam_deny.so*
  -rwxr-xr-x 1 root root 13153 Jun 3 13:46 pam_env.so*
  -rwxr-xr-x 1 root root 13371 Jun 3 13:46 pam_filter.so*
  -rwxr-xr-x 1 root root 7957 Jun 3 13:46 pam_ftp.so*
  -rwxr-xr-x 1 root root 12771 Jun 3 13:46 pam_group.so*
  -rwxr-xr-x 1 root root 10174 Jun 3 13:46 pam_issue.so*
  -rwxr-xr-x 1 root root 9774 Jun 3 13:46 pam_lastlog.so*
  -rwxr-xr-x 1 root root 13591 Jun 3 13:46 pam_limits.so*
  -rwxr-xr-x 1 root root 11268 Jun 3 13:46 pam_listfile.so*
  -rwxr-xr-x 1 root root 11182 Jun 3 13:46 pam_mail.so*
  -rwxr-xr-x 1 root root 5923 Jun 3 13:46 pam_nologin.so*
  -rwxr-xr-x 1 root root 5460 Jun 3 13:46 pam_permit.so*
  -rwxr-xr-x 1 root root 18226 Jun 3 13:46 pam_pwcheck.so*
  -rwxr-xr-x 1 root root 12590 Jun 3 13:46 pam_rhosts_auth.so*
  -rwxr-xr-x 1 root root 5551 Jun 3 13:46 pam_rootok.so*
  -rwxr-xr-x 1 root root 7239 Jun 3 13:46 pam_securetty.so*
  -rwxr-xr-x 1 root root 6551 Jun 3 13:46 pam_shells.so*
  -rwxr-xr-x 1 root root 55925 Jun 4 12:00 pam_smb_auth.so*
  -rwxr-xr-x 1 root root 12678 Jun 3 13:46 pam_stress.so*
  -rwxr-xr-x 1 root root 11170 Jun 3 13:46 pam_tally.so*
  -rwxr-xr-x 1 root root 11124 Jun 3 13:46 pam_time.so*
  -rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix.so*
  -rwxr-xr-x 1 root root 45703 Jun 3 13:46 pam_unix2.so*
  -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_acct.so*
  -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_auth.so*
  -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_passwd.so*
  -rwxr-xr-x 1 root root 45386 Jun 3 13:46 pam_unix_session.so*
  -rwxr-xr-x 1 root root 9726 Jun 3 13:46 pam_userdb.so*
  -rwxr-xr-x 1 root root 6424 Jun 3 13:46 pam_warn.so*
  -rwxr-xr-x 1 root root 7460 Jun 3 13:46 pam_wheel.so*

  ./sbin:
  total 3132
  drwxr-xr-x 2 root root 4096 Jun 4 12:35 ./
  drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
  -rwxr-xr-x 1 root root 178256 Jun 3 13:46 choptest*
  -rwxr-xr-x 1 root root 184032 Jun 3 13:46 cqtest*
  -rwxr-xr-x 1 root root 81096 Jun 3 13:46 dialtest*
  -rwxr-xr-x 1 root root 1142128 Jun 4 11:28 ldconfig*
  -rwxr-xr-x 1 root root 2868 Jun 3 13:46 lockname*
  -rwxr-xr-x 1 root root 3340 Jun 3 13:46 ondelay*
  -rwxr-xr-x 1 root root 376796 Jun 3 13:46 pagesend*
  -rwxr-xr-x 1 root root 13950 Jun 3 13:46 probemodem*
  -rwxr-xr-x 1 root root 9234 Jun 3 13:46 recvstats*
  -rwxr-xr-x 1 root root 64480 Jun 3 13:46 sftp-server*
  -rwxr-xr-x 1 root root 744412 Jun 3 13:46 sshd*
  -rwxr-xr-x 1 root root 30750 Jun 4 11:46 su*
  -rwxr-xr-x 1 root root 194632 Jun 3 13:46 tagtest*
  -rwxr-xr-x 1 root root 69892 Jun 3 13:46 tsitest*
  -rwxr-xr-x 1 root root 43792 Jun 3 13:46 typetest*

  ./tmp:
  total 8
  drwxr-xr-x 2 root root 4096 Jun 4 12:32 ./
  drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../

  ./usr:
  total 8
  drwxr-xr-x 2 root root 4096 Jun 4 12:16 ./
  drwxr-xr-x 9 root root 4096 Jun 5 10:05 ../
  lrwxrwxrwx 1 root root 7 Jun 4 12:14 bin -> ../bin//
  lrwxrwxrwx 1 root root 7 Jun 4 11:33 lib -> ../lib//
  lrwxrwxrwx 1 root root 8 Jun 4 12:13 sbin -> ../sbin//

B.7.3. Chroot environment for Apache

B.7.3.1. Introduction

The chroot utility is often used to jail a daemon in a restricted tree. You can use it to insulate services from one another, so that security issues in a software package do not jeopardize the whole server. When using the makejail script, setting up and updating the chrooted tree is much easier.

FIXME: Apache can also be chrooted using http://www.modsecurity.org which is available in libapache-mod-security (for Apache 1.x) and libapache2-mod-security (for Apache 2.x).

B.7.3.1.1. License

This document is copyright 2002 Alexandre Ratti. It has been dual-licensed and released under the GPL version 2 (GNU General Public License) and the GNU-FDL 1.2 (GNU Free Documentation Licence), and is included in this manual with his explicit permission. (from http://www.gabuzomeu.net/alex/doc/apache/index-en.html)

B.7.3.2. Installing the server

This procedure was tested on Debian GNU/Linux 3.0 (Woody) with makejail 0.0.4-1 (in Debian/testing).

  • Log in as root and create the jail directory:

    $ mkdir -p /var/chroot/apache

  • Create a new user and a new group. The chrooted Apache server will run as this user/group, which is not used for anything else on the system. In this example, both the user and the group are called chrapach.

    $ adduser --home /var/chroot/apache --shell /bin/false \
      --no-create-home --system --group chrapach

    FIXME: is a new user needed? (Apache already runs as the apache user)

  • Install Apache as usual on Debian: apt-get install apache

  • Set up Apache (e.g. define your subdomains, etc.). In the /etc/apache/httpd.conf configuration file, set the Group and User options to chrapach. Restart Apache and make sure the server is working correctly. Now, stop the Apache daemon.

  • Install makejail (available in Debian/testing for now). You should also install wget and lynx as they will be used by makejail to test the chrooted server: apt-get install makejail wget lynx

  • Copy the Apache sample configuration file to the /etc/makejail directory:

    # cp /usr/share/doc/makejail/examples/apache.py /etc/makejail/

  • Edit /etc/makejail/apache.py. You need to change the chroot, users and groups options. To run this version of makejail, you can also add a packages option. See the documentation at http://www.floc.net/makejail/current/doc/. A sample is shown here:

    chroot="/var/chroot/apache"
    testCommandsInsideJail=["/usr/sbin/apachectl start"]
    processNames=["apache"]
    testCommandsOutsideJail=["wget -r --spider http://localhost/",
    "lynx --source https://localhost/"]
    preserve=["/var/www",
    "/var/log/apache",
    "/dev/log"]
    users=["chrapach"]
    groups=["chrapach"]
    packages=["apache", "apache-common"]
    userFiles=["/etc/passwd",
    "/etc/shadow"]
    groupFiles=["/etc/group",
    "/etc/gshadow"]
    forceCopy=["/etc/hosts",
    "/etc/mime.types"]

    FIXME: some options do not seem to work properly. For instance, /etc/shadow and /etc/gshadow are not copied, whereas /etc/passwd and /etc/group are fully copied instead of being filtered.

  • Create the chroot tree: makejail /etc/makejail/apache.py

  • If /etc/passwd and /etc/group were copied in full, type:

    $ grep chrapach /etc/passwd > /var/chroot/apache/etc/passwd
    $ grep chrapach /etc/group > /var/chroot/apache/etc/group

    to overwrite them with filtered copies.

  • Copy the website pages and the log files into the jail. These files are not copied automatically (see the preserve option in the makejail configuration file).

    # cp -Rp /var/www /var/chroot/apache/var
    # cp -Rp /var/log/apache/*.log /var/chroot/apache/var/log/apache

  • Edit the startup script for the system logging daemon so that it also listens on the /var/chroot/apache/dev/log socket. In /etc/default/syslogd, replace SYSLOGD="" with SYSLOGD=" -a /var/chroot/apache/dev/log" and restart the daemon (/etc/init.d/sysklogd restart).

  • Edit the Apache startup script (/etc/init.d/apache). You may need to adapt the default startup script so that it runs correctly with the chroot tree. For instance:

    • set a new CHRDIR variable at the top of the file;

    • edit the start, stop, reload, etc. sections;

    • add a line to mount and unmount the /proc filesystem inside the jail.

    #! /bin/bash
    #
    # apache    Start the apache HTTP server.
    #
    CHRDIR=/var/chroot/apache
    NAME=apache
    PATH=/bin:/usr/bin:/sbin:/usr/sbin
    DAEMON=/usr/sbin/apache
    SUEXEC=/usr/lib/apache/suexec
    PIDFILE=/var/run/$NAME.pid
    CONF=/etc/apache/httpd.conf
    APACHECTL=/usr/sbin/apachectl
    trap "" 1
    export LANG=C
    export PATH

    test -f $DAEMON || exit 0
    test -f $APACHECTL || exit 0

    # ensure we don't leak environment vars into apachectl
    APACHECTL="env -i LANG=${LANG} PATH=${PATH} chroot $CHRDIR $APACHECTL"

    if egrep -q -i "^[[:space:]]*ServerType[[:space:]]+inet" $CONF
    then
        exit 0
    fi

    case "$1" in
      start)
        echo -n "Starting web server: $NAME"
        # the jail needs its own /proc; mount it before starting the daemon
        mount -t proc proc /var/chroot/apache/proc
        start-stop-daemon --start --pidfile $PIDFILE --exec $DAEMON \
            --chroot $CHRDIR
        ;;
      stop)
        echo -n "Stopping web server: $NAME"
        # apache writes its pid file inside the jail, hence $CHRDIR/$PIDFILE
        start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" --oknodo
        umount /var/chroot/apache/proc
        ;;
      reload)
        echo -n "Reloading $NAME configuration"
        start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" \
            --signal USR1 --startas $DAEMON --chroot $CHRDIR
        ;;
      reload-modules)
        echo -n "Reloading $NAME modules"
        start-stop-daemon --stop --pidfile "$CHRDIR/$PIDFILE" --oknodo \
            --retry 30
        start-stop-daemon --start --pidfile $PIDFILE \
            --exec $DAEMON --chroot $CHRDIR
        ;;
      restart)
        $0 reload-modules
        exit $?
        ;;
      force-reload)
        $0 reload-modules
        exit $?
        ;;
      *)
        echo "Usage: /etc/init.d/$NAME {start|stop|reload|reload-modules|force-reload|restart}"
        exit 1
        ;;
    esac

    if [ $? == 0 ]; then
        echo .
        exit 0
    else
        echo failed
        exit 1
    fi

    FIXME: should the first Apache process be run as a user other than root (i.e. add --chuid chrapach:chrapach)? Cons: chrapach would need write access to the logs, which is not very convenient.
  • In /etc/logrotate.d/apache, replace /var/log/apache/*.log with /var/chroot/apache/var/log/apache/*.log.

  • Start Apache (/etc/init.d/apache start) and check what is reported in the jail log (/var/chroot/apache/var/log/apache/error.log). If your setup is more complex (e.g. if you also use PHP and MySQL), files will probably be missing. If some files are not copied automatically by makejail, you can list them in the forceCopy option (to copy files directly) or the packages option (to copy full packages and their dependencies) of the /etc/makejail/apache.py configuration file.

  • Type ps aux | grep apache to make sure Apache is running. You should see something like:

    root 180 0.0 1.1 2936 1436 ? S 04:03 0:00 /usr/sbin/apache
    chrapach 189 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache
    chrapach 190 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache
    chrapach 191 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache
    chrapach 192 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache
    chrapach 193 0.0 1.1 2960 1456 ? S 04:03 0:00 /usr/sbin/apache

  • Make sure the Apache processes are running chrooted by looking in the /proc filesystem: ls -la /proc/process_number/root/, where process_number is one of the PIDs listed above (2nd column; 189 for instance). The entries of the restricted tree should be listed:

    drwxr-sr-x 10 root staff 240 Dec 2 16:06 .
    drwxrwsr-x 4 root staff 72 Dec 2 08:07 ..
    drwxr-xr-x 2 root root 144 Dec 2 16:05 bin
    drwxr-xr-x 2 root root 120 Dec 3 04:03 dev
    drwxr-xr-x 5 root root 408 Dec 3 04:03 etc
    drwxr-xr-x 2 root root 800 Dec 2 16:06 lib
    dr-xr-xr-x 43 root root 0 Dec 3 05:03 proc
    drwxr-xr-x 2 root root 48 Dec 2 16:06 sbin
    drwxr-xr-x 6 root root 144 Dec 2 16:04 usr
    drwxr-xr-x 7 root root 168 Dec 2 16:06 var

    Type ls -la /proc/`cat /var/chroot/apache/var/run/apache.pid`/root/ to automate the whole test.

    FIXME: add other tests to make sure the jail is closed?
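One way to automate the procfs check above across every Apache process, as an added example that is not part of the manual or of makejail: it compares each process's /proc/PID/root link with the jail directory and notes which processes still run as root. It assumes the Linux procfs layout and the CHRDIR of the init script above; PROC can be pointed at a copied tree for offline testing.

```shell
#!/bin/sh
# Added example (not from the Debian manual or makejail): check that each
# Apache process is really confined to the jail by comparing its procfs root
# link with CHRDIR, and note which ones still run as root. Assumes Linux procfs.
CHRDIR=${CHRDIR:-/var/chroot/apache}
PROC=${PROC:-/proc}

# normalize_path PATH: drop one trailing slash, but leave "/" itself alone
normalize_path() {
    case $1 in
        /)  printf '/\n' ;;
        */) printf '%s\n' "${1%/}" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# jail_root PID: the directory the process sees as "/" (fails if unreadable)
jail_root() {
    readlink "$PROC/$1/root" 2>/dev/null
}

# is_jailed PID: 0 if PID's root is CHRDIR, 1 if it is not, 2 if unknown
is_jailed() {
    r=$(jail_root "$1") && [ -n "$r" ] || return 2
    [ "$(normalize_path "$r")" = "$(normalize_path "$CHRDIR")" ]
}

# real_uid PID: real UID from the "Uid: real effective saved fs" status line
real_uid() {
    awk '/^Uid:/ { print $2; exit }' "$PROC/$1/status" 2>/dev/null
}

# audit_jail PID...: report every PID; return 1 if any is outside the jail.
# A root-owned process inside the jail is only noted (the parent runs as root).
audit_jail() {
    bad=0
    for pid in "$@"; do
        if is_jailed "$pid"; then
            uid=$(real_uid "$pid")
            echo "pid $pid: in jail as uid ${uid:-?}"
            [ "${uid:-1}" -eq 0 ] && echo "  note: pid $pid runs as root"
        else
            echo "pid $pid: NOT confined to $CHRDIR (root: '$(jail_root "$pid")')"
            bad=1
        fi
    done
    return "$bad"
}

# Live use, with the PIDs that ps aux | grep apache lists:  audit_jail $(ps -C apache -o pid=)
```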

What I like about this setup is that the jail is not very difficult to set up, and the server can be updated with the following two lines:

    apt-get update && apt-get install apache
    makejail /etc/makejail/apache.py

B.7.4. Other

If you are looking for more information, consider these sources, on which the information presented here is based: http://www.floc.net/makejail/ (this program was written by Alain Tesio).


[80] You can use the debug option to have it send the progress of the module to the authpriv.notice facility.

[81] You can create a very limited bash environment with the following python definition for makejail: just create the directory /var/chroots/users/foo and a file with the following contents, and call it bash.py:

    chroot="/var/chroots/users/foo"
    cleanJailFirst=1
    testCommandsInsideJail=["bash ls"]

Then run makejail bash.py to create the user environment at /var/chroots/users/foo. To test the environment, run:

    # chroot /var/chroots/users/foo/ ls
    bin dev etc lib proc sbin usr

[82] On some occasions you might need the /dev/ptmx and /dev/pty* devices and the /dev/pts/ subdirectory. Running MAKEDEV in the /dev directory of the chrooted environment should be sufficient to create them if they do not exist. If you are using kernels (version 2.6) which dynamically create device files, you will need to create the /dev/pts/ files yourself and grant them the proper privileges.

[83] If you are using a kernel that implements Mandatory Access Control (RSBAC/SElinux) you can avoid changing this configuration just by granting the sshd user privileges to make the chroot() system call.

[84] Notice that there are no SETUID files. This makes it more difficult for remote users to escape the chroot environment. However, it also prevents users from changing their passwords, since the passwd program cannot modify the files /etc/passwd or /etc/shadow.