This small script creates new users according to the following scheme (example username tcs):
User tcs, group tcs
Home dir (real system): /chroot/tcs/home/tcs
Home dir (chroot): /home/tcs
Shell (real system): /usr/local/sbin/chrlogin
Shell (chroot): /bin/bash
The logged-in user sees /chroot/tcs as / (hence chroot), so he can see NOTHING outside his directory. Keep in mind that chroot only confines an unprivileged process: a root process can leave a chroot, so the jail must contain no setuid-root binaries and the login wrapper has to drop root before it hands over the shell.
chrlogin is a small program that performs the chroot into the prepared environment at login.
Source code is available here: http://www.weidner.ch/download.html
Compiling/configuring:
I chose /chroot as the base for the "jails", so I entered the following in line 45:
The configuration is explained in detail in the file.
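The order of operations inside such a login wrapper is where chroot logins usually go wrong, so here is an added example of a minimal chrlogin-style program. It is not Weidner's chrlogin and not code from this post: the jail base /chroot and the shell /bin/bash follow the scheme above, while the user-name policy, the ownership check on the jail root, the privilege-drop verification and the minimal environment are my own assumptions.

```c
/* Added example, not Weidner's chrlogin: a minimal setuid-root login wrapper
 * that chroots into JAIL_BASE/<user> and starts JAIL_SHELL there.
 * JAIL_BASE, JAIL_SHELL, the name policy and the safety checks are assumptions.
 * Build:   cc -Wall -O2 -o chrlogin_demo chrlogin_demo.c
 * Install: chown root:root chrlogin_demo; chmod 4755 chrlogin_demo  */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_BASE  "/chroot"    /* jail root is JAIL_BASE/<user>, as in the post */
#define JAIL_SHELL "/bin/bash"  /* shell seen inside the jail */

/* Accept only lowercase letters, digits, '_' and a non-leading '-', so that
 * neither "../" nor shell metacharacters can end up in the jail path. */
int username_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32 || name[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
              c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* JAIL_BASE/<user>, or NULL if the name fails the policy above. */
const char *jail_path_for(const char *user)
{
    static char buf[256];
    if (!username_is_safe(user)) return NULL;
    snprintf(buf, sizeof buf, "%s/%s", JAIL_BASE, user);
    return buf;
}

/* The jail root must be a root-owned directory that is not group- or
 * world-writable; otherwise the jailed user could swap out /lib or /etc. */
int jail_root_is_safe(mode_t mode, uid_t uid)
{
    return S_ISDIR(mode) && uid == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* /chroot/tcs/home/tcs on the real system is /home/tcs inside the jail;
 * a home that is not below the jail maps to "/". */
const char *home_inside_jail(const char *jail, const char *pw_dir)
{
    size_t n = strlen(jail);
    if (strncmp(pw_dir, jail, n) == 0 && pw_dir[n] == '/') return pw_dir + n;
    return "/";
}

int main(void)
{
    uid_t uid = getuid();
    struct passwd *pw = getpwuid(uid);
    const char *jail, *home, *term = getenv("TERM");
    struct stat st;

    if (pw == NULL || (jail = jail_path_for(pw->pw_name)) == NULL) {
        fprintf(stderr, "chrlogin: refusing uid %u\n", (unsigned)uid);
        return 1;
    }
    if (stat(jail, &st) != 0 || !jail_root_is_safe(st.st_mode, st.st_uid)) {
        fprintf(stderr, "chrlogin: jail %s missing or unsafe\n", jail);
        return 1;
    }
    /* Supplementary groups need the real /etc/group: resolve them first. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) { perror("initgroups"); return 1; }
    /* chroot, then chdir("/"): without the chdir the working directory stays
     * outside the new root and ".." still leads out of the jail. */
    if (chroot(jail) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    /* Now drop root (chroot needed it): gid before uid, then verify that
     * regaining root really fails. A root caller is refused here as well. */
    if (setgid(pw->pw_gid) != 0 || setuid(uid) != 0 || setuid(0) == 0) {
        fprintf(stderr, "chrlogin: could not drop privileges\n");
        return 1;
    }
    home = home_inside_jail(jail, pw->pw_dir);
    if (chdir(home) != 0 && chdir("/") != 0) return 1;

    /* Start the jailed shell with a fresh, minimal environment; only TERM is
     * carried over from the caller. */
    char env_home[300], env_user[64], env_term[64];
    snprintf(env_home, sizeof env_home, "HOME=%s", home);
    snprintf(env_user, sizeof env_user, "USER=%s", pw->pw_name);
    snprintf(env_term, sizeof env_term, "TERM=%s", term ? term : "vt100");
    char *envp[] = { env_home, env_user, env_term, "SHELL=" JAIL_SHELL,
                     "PATH=/usr/bin:/bin", NULL };
    char *argv[] = { "-bash", NULL };   /* leading '-' gives a login shell */
    execve(JAIL_SHELL, argv, envp);
    perror("execve");
    return 1;
}
```

The binary must be setuid root because chroot(2) itself requires root; everything after the chroot runs as the user, and the setuid(0) probe makes sure that is really the case before the shell is started. The environment is rebuilt from scratch so that nothing like LD_PRELOAD or a caller-supplied PATH reaches the jailed shell.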
Now to the script:
#!/usr/bin/perl
# Creates the chroot jail /chroot/<user> and a matching system user whose
# login shell is /usr/local/sbin/chrlogin. Must be run as root.
use strict;
use warnings;

my $chroot_dir = "/chroot";

# Run a command given as a list (so the shell never sees the arguments) and
# abort on failure instead of silently continuing with a half-built jail.
sub run {
    my @cmd = @_;
    system(@cmd) == 0 or die "command failed (" . ($? >> 8) . "): @cmd\n";
}

die "This script must be run as root.\n" unless $< == 0;

print "Please enter the name of user you want to create:\n";
my $username = <STDIN>;
chomp($username);

# Only accept a conservative user name: it ends up in paths and in commands,
# so anything like "../" or shell metacharacters must be rejected up front.
$username =~ /^[a-z_][a-z0-9_-]{0,31}$/
    or die "Invalid username '$username' (lowercase letters, digits, _ and - only).\n";

# Anchor the match on the name field; an unanchored "grep -i tom" would also
# refuse "tom" whenever an "atom" exists.
print "Checking if username ($username) exists in /etc/group...\n";
if (system("grep", "-qi", "^$username:", "/etc/group") == 0) {
    print "Found one or more entries for $username, please choose another name!\n";
    exit 1;
}
print "Checking if username ($username) exists in /etc/passwd...\n";
if (system("grep", "-qi", "^$username:", "/etc/passwd") == 0) {
    print "Found one or more entries for $username, please choose another name!\n";
    exit 1;
}
print "I don't have a user called $username yet, we can do the work :-)\n";

my $jail = "$chroot_dir/$username";
print "Creating directory structure for $username";
for my $dir ("", "bin", "etc", "home", "lib", "lib/tls", "dev", "usr", "usr/bin",
             "usr/lib", "usr/lib/i386", "usr/lib/i386/cmov", "var", "var/tmp", "tmp") {
    run("mkdir", "-p", "$jail/$dir");
    print ".";
}
# Empty tmp directories with the sticky bit; the original "cp -Rp /tmp" copied
# the host's /tmp, i.e. other users' temporary files, into the jail.
run("chmod", "1777", "$jail/tmp", "$jail/var/tmp");
print "done\n";

print "Creating new user $username";
run("groupadd", $username);
print ".";
run("useradd", "-g", $username, "-d", "$jail/home/$username", "-m",
    "-s", "/usr/local/sbin/chrlogin", $username);
print ".";
run("chown", "$username:$username", "$jail/home/$username", "$jail/tmp", "$jail/var/tmp");
print "done\n";

print "Copying libraries to the just created environment";
# Library list for the i386 glibc-with-tls layout this was written for; the
# loader ld-linux.so.2 and libc.so.6 are the minimum, the rest serve the
# binaries below (ncurses/gpm/glib for mc, libcrypto/libz for scp).
my %libs = (
    "lib" => [qw(/lib/ld-linux.so.2 /lib/libacl.so.1 /lib/libattr.so.1
                 /lib/libcom_err.so.2 /lib/libext2fs.so.2 /lib/libncurses.so.5
                 /lib/libnsl.so.1 /lib/libnss_compat.so.2 /lib/libutil.so.1)],
    "lib/tls" => [qw(/lib/tls/libc.so.6 /lib/tls/libcrypt.so.1 /lib/tls/libdl.so.2
                     /lib/tls/libnsl.so.1 /lib/tls/libpthread.so.0
                     /lib/tls/libresolv.so.2 /lib/tls/librt.so.1 /lib/tls/libutil.so.1)],
    "usr/lib" => [qw(/usr/lib/libcrypto.so.0.9.6 /usr/lib/libglib-2.0.so.0
                     /usr/lib/libgmodule-2.0.so.0 /usr/lib/libgpm.so.1 /usr/lib/libz.so.1)],
    "usr/lib/i386/cmov" => [qw(/usr/lib/i686/cmov/libcrypto.so.0.9.7)],
);
for my $dest (sort keys %libs) {
    for my $lib (@{ $libs{$dest} }) {
        run("cp", $lib, "$jail/$dest/");
        print ".";
    }
}
print "done\n";

print "Copying binaries to the just created environment";
# Plain copies, so they do not receive security updates with the host: recopy
# them after updating the host packages.
my %bins = (
    "bin"     => [qw(bash cat chmod chown cp ln ls mkdir more mv rm rmdir sh touch)],
    "usr/bin" => [qw(dircolors groups id less mc mcedit scp vi vim)],
);
for my $dest (sort keys %bins) {
    for my $bin (@{ $bins{$dest} }) {
        run("cp", "/$dest/$bin", "$jail/$dest/");
        print ".";
    }
}
print "done\n";

print "Setting up new environment";
run("cp", "/etc/localtime", "$jail/etc/");
print ".";
run("cp", "/etc/nsswitch.conf", "$jail/etc/");
print ".";
run("cp", "-R", "/etc/terminfo", "$jail/etc/");
print ".";
# /dev/null is char 1,3 and /dev/zero is char 1,5 (the original's "13 12" is
# not /dev/zero). Both must be readable and writable by the jailed user.
run("mknod", "-m", "0666", "$jail/dev/null", "c", "1", "3");
run("mknod", "-m", "0666", "$jail/dev/zero", "c", "1", "5");
print "done\n";

print "Creating passwordfile in new environment...";
# Inside the jail the user must see the home dir and shell as the jail sees
# them: /home/<user> and /bin/bash instead of /chroot/<user>/home/<user> and
# /usr/local/sbin/chrlogin. The file is written directly; the original
# "cat file | ... > file" truncates the file before it has been read.
open(my $in, "<", "/etc/passwd") or die "open /etc/passwd: $!\n";
open(my $out, ">", "$jail/etc/passwd") or die "write $jail/etc/passwd: $!\n";
while (my $line = <$in>) {
    next unless $line =~ /^\Q$username\E:/;
    $line =~ s/^([^:]*):[^:]*:/$1:x:/;      # never copy a password hash into the jail
    $line =~ s{\Q$jail\E}{}g;
    $line =~ s{/usr/local/sbin/chrlogin}{/bin/bash};
    print $out $line;
}
close($in);
close($out) or die "close $jail/etc/passwd: $!\n";
open($in, "<", "/etc/group") or die "open /etc/group: $!\n";
open($out, ">", "$jail/etc/group") or die "write $jail/etc/group: $!\n";
while (my $line = <$in>) {
    print $out $line if $line =~ /^\Q$username\E:/;
}
close($in);
close($out) or die "close $jail/etc/group: $!\n";
print "done\n";

print "Setting up password for $username:\n";
# system() rather than backticks, so passwd's prompts and errors reach the terminal.
run("passwd", $username);
print "Work done, user $username is ready for use :-)\n";
The libraries should be sufficient for normal "household" use; if you need further programs, you can find out with
which libs are needed.
Otherwise the script is reasonably understandable, I hope...
Cheers
tcs
Sources:
Mainly the book Apache Webserver 2.0 by Sebastian Wolfgarten
Addison-Wesley
ISBN: 3-8273-2039-9
Chapter 9.6 presents chroot for local users; this is where I got the ideas and some parts of the script.