chroot

tcs · 15. März 2005

Dieses kleine Script legt neue User an, nach folgendem Schema (Beispiel Username tcs):

User tcs, Gruppe tcs
Homedir (echtes System): /chroot/tcs/home/tcs
Homedir (chroot): /home/tcs
Shell (echtes System): /usr/local/sbin/chrlogin
Shell (chroot): /bin/bash

Der eingeloggte user sieht /chroot/tcs als / (daher chroot), er kann also außerhalb seines Verzeichnisses NICHTS sehen.
chrlogin ist ein kleines Programm das beim login den chroot in die gebaute Umgebung erledigt.
Sourcecode gibt's hier: http://www.weidner.ch/download.html
Kompilieren/konfigurieren:
Ich habe /chroot als Basis für die "Gefängnisse" ausgesuchtm daher habe ich in Zeile 45 folgendes eingetragen:

Code

#define CHROOT_LEVEL 1

Die Konfiguration ist ausführlich im File erklärt.
Nun zum Script:

Perl

#!/usr/bin/perl


$chroot_dir="/chroot";
$chroot_dir_escaped="\\/chroot";


print "Please enter the name of user you want to create:\n";
$username=<STDIN>;
chomp($username);


print "Checking if username ($username) exists in /etc/group...\n";
$foundgroup=system("grep -i $username /etc/group");
if ($foundgroup==0) {
    print "Found one or more entries for $username, please choose another name!\n";
    exit 0;
}


print "Checking if username ($username) exists in /etc/passwd...\n";
$foundgroup=system("grep -i $username /etc/passwd");
if ($foundgroup==0) {
    print "Found one or more entries for $username, please choose another name!\n";
    exit 0;
}


print "I don't have a user called $username yet, we can do the work :-)\n";




print "Creating directory $chrootdir/$username";
system("mkdir $chroot_dir/$username");
print ".";
print "done\n";
print "Creating directory structure for $username";
system("mkdir $chroot_dir/$username/bin");
print ".";
system("mkdir $chroot_dir/$username/etc");
print ".";
system("mkdir $chroot_dir/$username/home");
print ".";
system("mkdir $chroot_dir/$username/home/$username");
print ".";
system("mkdir $chroot_dir/$username/lib");
print ".";
system("mkdir $chroot_dir/$username/lib/tls");
print ".";
system("mkdir $chroot_dir/$username/dev");
print ".";
system("mkdir $chroot_dir/$username/usr");
print ".";
system("mkdir $chroot_dir/$username/usr/bin");
print ".";
system("mkdir $chroot_dir/$username/var");
print ".";
system("mkdir $chroot_dir/$username/usr/lib");
print ".";
system("mkdir $chroot_dir/$username/var/tmp");
print ".";
system("mkdir $chroot_dir/$username/usr/lib/i386");
print ".";
system("mkdir $chroot_dir/$username/usr/lib/i386/cmov");
print ".";
system("cp -Rp /tmp $chroot_dir/$username/");
print "done\n";


print "Creating new user $username";
system("groupadd $username");
print ".";
system("useradd -g $username -d $chroot_dir/$username/home/$username -m -s /usr/local/sbin/chrlogin $username");
print ".";
system("chown $username:$username $chroot_dir/$username/home/$username");
print ".";
system("chown $username:$username $chroot_dir/$username/tmp");
print ".";
system("chown $username:$username $chroot_dir/$username/var/tmp");
print "done\n";


print "Copying libraries to the just created environment";


system("cp /lib/ld-linux.so.2 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/libacl.so.1 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/libattr.so.1 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/libcom_err.so.2 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/libext2fs.so.2 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/libncurses.so.5 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/libnsl.so.1 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/libnss_compat.so.2 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/libutil.so.1 $chroot_dir/$username/lib/");
print ".";
system("cp /lib/tls/libc.so.6 $chroot_dir/$username/lib/tls/");
print ".";
system("cp /lib/tls/libcrypt.so.1 $chroot_dir/$username/lib/tls/");
print ".";
system("cp /lib/tls/libdl.so.2 $chroot_dir/$username/lib/tls/");
print ".";
system("cp /lib/tls/libnsl.so.1 $chroot_dir/$username/lib/tls/");
print ".";
system("cp /lib/tls/libpthread.so.0 $chroot_dir/$username/lib/tls/");
print ".";
system("cp /lib/tls/libresolv.so.2 $chroot_dir/$username/lib/tls/");
print ".";
system("cp /lib/tls/librt.so.1 $chroot_dir/$username/lib/tls/");
print ".";
system("cp /lib/tls/libutil.so.1 $chroot_dir/$username/lib/tls/");
print ".";
system("cp /usr/lib/libcrypto.so.0.9.6 $chroot_dir/$username/usr/lib/");
print ".";
system("cp /usr/lib/libglib-2.0.so.0 $chroot_dir/$username/usr/lib/");
print ".";
system("cp /usr/lib/libgmodule-2.0.so.0 $chroot_dir/$username/lib/");
print ".";
system("cp /usr/lib/libgpm.so.1 $chroot_dir/$username/usr/lib/");
print ".";
system("cp /usr/lib/libz.so.1 $chroot_dir/$username/usr/lib/");
print ".";
system("cp /usr/lib/i686/cmov/libcrypto.so.0.9.7 $chroot_dir/$username/usr/lib/i386/cmov/");
print "done\n";


print "Copying binaries to the just created environment";


system("cp /bin/bash $chroot_dir/$username/bin/");
print ".";
system("cp /bin/cat $chroot_dir/$username/bin/");
print ".";
system("cp /bin/chmod $chroot_dir/$username/bin/");
print ".";
system("cp /bin/chown $chroot_dir/$username/bin/");
print ".";
system("cp /bin/cp $chroot_dir/$username/bin/");
print ".";
system("cp /bin/ln $chroot_dir/$username/bin/");
print ".";
system("cp /bin/ls $chroot_dir/$username/bin/");
print ".";
system("cp /bin/mkdir $chroot_dir/$username/bin/");
print ".";
system("cp /bin/more $chroot_dir/$username/bin/");
print ".";
system("cp /bin/mv $chroot_dir/$username/bin/");
print ".";
system("cp /bin/rm $chroot_dir/$username/bin/");
print ".";
system("cp /bin/rmdir $chroot_dir/$username/bin/");
print ".";
system("cp /bin/sh $chroot_dir/$username/bin/");
print ".";
system("cp /bin/touch $chroot_dir/$username/bin/");
print ".";
system("cp /usr/bin/dircolors $chroot_dir/$username/usr/bin/");
print ".";
system("cp /usr/bin/groups $chroot_dir/$username/usr/bin/");
print ".";
system("cp /usr/bin/id $chroot_dir/$username/usr/bin/");
print ".";
system("cp /usr/bin/less $chroot_dir/$username/usr/bin/");
print ".";
system("cp /usr/bin/mc $chroot_dir/$username/usr/bin/");
print ".";
system("cp /usr/bin/mcedit $chroot_dir/$username/usr/bin/");
print ".";
system("cp /usr/bin/scp $chroot_dir/$username/usr/bin/");
print ".";
system("cp /usr/bin/vi $chroot_dir/$username/usr/bin/");
print ".";
system("cp /usr/bin/vim $chroot_dir/$username/usr/bin/");
print "done\n";


print "Setting up new environment";


system("cp /etc/localtime $chroot_dir/$username/etc/");
print ".";
system("cp /etc/nsswitch.conf $chroot_dir/$username/etc/");
print ".";
system("cp -R /etc/terminfo $chroot_dir/$username/etc/");
print ".";
system("mknod $chroot_dir/$username/dev/zero c 13 12");
print ".";
system("mknod $chroot_dir/$username/dev/null c 1 3");
system("chmod 0666 $chroot_dir/$username/dev/null");
print "done\n";


print "Creating passwordfile in new environment...";
system("cat /etc/passwd | grep '$username' >> $chroot_dir/$username/etc/passwd");
system("cat /etc/group | grep '$username' >> $chroot_dir/$username/etc/group");
print "done\n";


print "Setting up password for $username:\n";
`passwd $username`;


print "Fixing homedir and loginshell in chroot environment...";
sleep(1);
system("cat $chroot_dir/$username/etc/passwd | perl -W -p -e 's/$chroot_dir_escaped\\/$username//g' | perl -W -p -e 's/\\/usr\\/local\\/sbin\\/chrlogin/\\/bin\\/bash/g' > $chroot_dir/$username/etc/passwd");
print "done\n";


print "Work done, user $username is ready for use :-)\n";

Alles anzeigen

Die Bibliotheken sollten für den normalen "Hausgebrauch" ausreichend sein, sollte man weitere Programme benötigen findet man mit

Code

ldd /bin/program

heraus welche libs benötigt werden.

Ansonsten ist das Script halbwegs verständlich hoffe ich...

Cheers

tcs

Quellen:
Hauptsächlich das Buch Apache Webserver 2.0 von Sebastian Wolfgarten
Addison-Wesley
ISBN: 3-8273-2039-9

In Kapitel 9.6 wird chroot für lokale Benutzer vorgestellt, hier habe ich mir die Ideen und einige Teile des Scripts geholt.

chroot

Jetzt mitmachen!

Teilen