From de51990089d20d318cee8910fe02a07371daf9eb Mon Sep 17 00:00:00 2001 From: DeadFire Date: Tue, 26 Nov 2013 09:57:19 +0800 Subject: [PATCH 1/4] =?UTF-8?q?20131126=20=E5=86=85=E6=A0=B8=E4=B8=93?= =?UTF-8?q?=E9=A2=98=20Part=2018=20=E5=88=A0=E9=99=A4=E5=A4=9A=E4=BD=99?= =?UTF-8?q?=E9=93=BE=E6=8E=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...inux Kernel--Configuring the Kernel Part 18.md | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/sources/The Linux Kernel/22 The Linux Kernel--Configuring the Kernel Part 18.md b/sources/The Linux Kernel/22 The Linux Kernel--Configuring the Kernel Part 18.md index 6f82cac06c..d3b99e04b0 100644 --- a/sources/The Linux Kernel/22 The Linux Kernel--Configuring the Kernel Part 18.md +++ b/sources/The Linux Kernel/22 The Linux Kernel--Configuring the Kernel Part 18.md @@ -109,17 +109,4 @@ via: http://www.linux.org/threads/the-linux-kernel-configuring-the-kernel-part-1 译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID) -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出 - -[1]: -[2]: -[3]: -[4]: -[5]: -[6]: -[7]: -[8]: -[9]: -[10]: -[11]: -[12]: \ No newline at end of file +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出 \ No newline at end of file From 20b30e68d63a1c2cd5794b6fc1781bce9a525003 Mon Sep 17 00:00:00 2001 From: DeadFire Date: Tue, 26 Nov 2013 10:29:02 +0800 Subject: [PATCH 2/4] =?UTF-8?q?20131126-4=20=E9=80=89=E9=A2=98=20=E6=8A=80?= =?UTF-8?q?=E6=9C=AF=E6=96=87=E7=AB=A0=E4=B8=80=E7=AF=87?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...p a jailed shell with jailkit on ubuntu.md | 219 ++++++++++++++++++ 1 file changed, 219 insertions(+) create mode 100644 sources/Setup a jailed shell with jailkit on ubuntu.md 
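Review bot: the single hunk in PATCH 1/4 still leaves the file without a trailing newline: the replacement `+本文由 [LCTT]...` line is immediately followed by `\ No newline at end of file`, so the file ends the same way it did before the edit. Since the point of the commit is to drop the twelve empty `[n]:` reference definitions, it would be cleaner to also terminate the last line with a newline so that later diffs and `cat` output of this file do not run into the next line. Dropping the empty `[1]:` to `[12]:` definitions themselves is fine; nothing in the remaining text references them.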
diff --git a/sources/Setup a jailed shell with jailkit on ubuntu.md b/sources/Setup a jailed shell with jailkit on ubuntu.md new file mode 100644 index 0000000000..181caa20e1 --- /dev/null +++ b/sources/Setup a jailed shell with jailkit on ubuntu.md 
@@ -0,0 +1,219 @@ +Setup a jailed shell with jailkit on ubuntu +================================================================================ +### Jailed Shell and Jailkit ### + +A jailed shell is a kind of limited shell that provides the user with a very real looking shell but does not allow him to mess with/view/modify any parts of the real file systems. The file system inside the shell is different from the actual file system of the underlying system. Such a functionality is achived through chroot and finds many kinds of applications. For example to setup a linux shell for users to just "play with". Or run some program with full functionality but in a limited environment and so on. + +In this tutorial we are going to talk about setting up a jailed shell quickly with jailkit on ubuntu. Jailkit is helper program that allows to quickly setup a jailed shell, jail users inside it, and configure programs to run from the jailed environment. + +Jailkit can be downloaded from [http://olivier.sessink.nl/jailkit/][1] + +We have already discussed about installing jailkit on ubuntu so check out that post. + +### Setup jailed shell ### + +#### 1. Setup the jail environment #### + +There needs to be a directory where the whole jail environment will be setup. Lets do it in /opt/jail. This can be whatever. + + $ sudo mkdir /opt/jail + +Root should own this directory. So chown it out. + + $ sudo chown root:root /opt/jail + +#### 2. Setup the programs to make available inside the jail #### + +All the programs that need to be available in the jail need to be copied inside it using the jk_init command. 
+ +Example + + $ sudo jk_init -v /jail basicshell + $ sudo jk_init -v /jail editors + $ sudo jk_init -v /jail extendedshell + $ sudo jk_init -v /jail netutils + $ sudo jk_init -v /jail ssh + $ sudo jk_init -v /jail sftp + $ sudo jk_init -v /jail jk_lsh + +Or at one go + + $ sudo jk_init -v /opt/jail netutils basicshell jk_lsh openvpn ssh sftp + +The names like basicshell , editors , netutils are groups that contain multiple programs. Each group is a set of executable files, libraries etc to be copied into the shell. For example, the section **basicshell** provides many programs like bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep etc in the jail. + +For a complete list of sections that can be setup, have a look at /etc/jailkit/jk_init.ini. + + jk_lsh (Jailkit limited shell) - is an important section, and must be added. + +#### 3. Create the user who will be jailed #### + +Need a user to put inside the jail. Lets create one + + $ sudo adduser robber + Adding user `robber' ... + Adding new group `robber' (1005) ... + Adding new user `robber' (1006) with group `robber' ... + Creating home directory `/home/robber' ... + Copying files from `/etc/skel' ... + Enter new UNIX password: + Retype new UNIX password: + passwd: password updated successfully + Changing the user information for robber + Enter the new value, or press ENTER for the default + Full Name []: + Room Number []: + Work Phone []: + Home Phone []: + Other []: + Is the information correct? [Y/n] y + +Note that this is a normal user who is created in the actual filesystem and not inside the jail. +In the next step this user shall be imprisoned inside the jail. + +At this point if you take a look at /etc/passwd you get to see an entry at the end that looks like this + + robber:x:1006:1005:,,,:/home/robber:/bin/bash + +This is our new user and the last part /bin/bash indicates that the user has a normal shell access on the system, if he logs in. + +#### 4. 
Jail the user #### + +Now its time to put the user inside the jail. + + $ sudo jk_jailuser -m -j /opt/jail/ robber + +By doing this the user robber has now been jailed. + +Now if you take a look at /etc/passwd the last entry would look like this + + robber:x:1006:1005:,,,:/opt/jail/./home/robber:/usr/sbin/jk_chrootsh + +Note that the last 2 parts that indicate the home user and the shell type have changed. The home directory of the user is now inside the jail environment at /opt/jail. The shell of the user is now a special program called jk_chrootsh that will provide the jailed shell. + +It is this particular shell called jk_chrootsh that takes the user inside the jail, everytime he logs onto the system. + +The jail setup by now is nearly done. But if you try to connect to id from ssh, it will fail like this : + + $ ssh robber@localhost + robber@localhost's password: + Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-25-generic x86_64) + + * Documentation: https://help.ubuntu.com/ + + 13 packages can be updated. + 0 updates are security updates. + + *** /dev/sda7 will be checked for errors at next reboot *** + *** /dev/sda8 will be checked for errors at next reboot *** + + Last login: Sat Jun 23 12:45:13 2012 from localhost + Connection to localhost closed. + $ + +The connection shall close. This happens because the user actually has a limited shell. + +#### 5. Give bash shell to user inside the jail #### + +The next important thing to do is to give the user a proper bash shell, but inside the jail. +Open the following file + + /opt/jail/etc/passwd + +Its the password file inside the jail. It would look somewhat like this + + root:x:0:0:root:/root:/bin/bash + robber:x:1006:1005:,,,:/home/robber:/usr/sbin/jk_lsh + +Change the /usr/sbin/jk_lsh to /bin/bash + + root:x:0:0:root:/root:/bin/bash + robber:x:1006:1005:,,,:/home/robber:/bin/bash + +Save the file and exit. + +#### 6. 
Login to the jail #### + +So now its time to login into the jail again + + $ ssh robber@localhost + robber@localhost's password: + Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-25-generic x86_64) + + * Documentation: https://help.ubuntu.com/ + + 13 packages can be updated. + 0 updates are security updates. + + *** /dev/sda7 will be checked for errors at next reboot *** + *** /dev/sda8 will be checked for errors at next reboot *** + + Last login: Sat Jun 23 12:46:01 2012 from localhost + bash: groups: command not found + I have no name!@desktop:~$ + +The jail says 'I have no name!' , ha ha. Now we have a fully functional bash shell but inside the jail. + +Now check the environment by moving around. The root / of the jailed environment is /opt/jail of the real file system. But its only we who knows that, not the jailed user. + + I have no name!@desktop:~$ cd / + I have no name!@desktop:/$ ls + bin dev etc home lib lib64 run usr var + I have no name!@desktop:/$ + +Also only the commands that were copied via jk_cp sections will be available in this jail. + +If the login fails, then check /var/log/auth.log for error messages. + +Now try running some network command like wget or anything similar. + + $ wget http://www.google.com/ + +If you get an error like this : + + $ wget http://www.google.com/ + --2012-06-23 12:56:43-- http://www.google.com/ + Resolving www.google.com (www.google.com)... failed: Name or service not known. + wget: unable to resolve host address `www.google.com' + +Fix it by running the following 2 commands : + + $ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_files.so.2 + $ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_dns.so.2 + +The exact location of the libnss_files.so and libnss_dns.so can vary so check. + +### Running programs or services in the jail ### + +Now the setup is complete. Jails are useful to run programs or services in a restricted/secure environments. 
To launch a program or daemon inside the jail use the **jk_chrootlaunch** command. + + $ sudo jk_chrootlaunch -j /opt/jail -u robber -x /some/command/in/jail + +The jk_chrootlaunch utility can be used to launch a particular process inside the jail environment with privileges of the specified user. If the daemon fails to start, check /var/log/syslog for error messages. + +To run the program inside the jail, the program must first be fully copied inside the jail using the jk_cp command. + + jk_cp - a utility to copy files including permissions and libraries into a jail + +For further reading about various jailkit commands, check the documentation at [http://olivier.sessink.nl/jailkit/][1] + +-------------------------------------------------------------------------------- + +via: http://www.binarytides.com/setup-jailed-shell-jailkit-ubuntu/ + +译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出 + +[1]:http://olivier.sessink.nl/jailkit/ +[2]: +[3]: +[4]: +[5]: +[6]: +[7]: +[8]: +[9]: +[10]: +[11]: +[12]: \ No newline at end of file From 9ec64658860fa9c52e8862ba4b46de4d1f42c178 Mon Sep 17 00:00:00 2001 From: tinyeyeser Date: Tue, 26 Nov 2013 10:45:48 +0800 Subject: [PATCH 3/4] =?UTF-8?q?=E5=B7=B2=E7=BF=BB=E8=AF=91=20by=E5=B0=8F?= =?UTF-8?q?=E7=9C=BC=E5=84=BF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: tinyeyeser --- ...Them Backdoor Access In Linux, Says MEP.md | 42 ------------------- ...Them Backdoor Access In Linux, Says MEP.md | 40 ++++++++++++++++++ 2 files changed, 40 insertions(+), 42 deletions(-) delete mode 100644 sources/NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP.md create mode 100644 translated/NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP.md 
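Review bot: the jail path is inconsistent inside the single hunk of PATCH 2/4. Step 1 creates and chowns `/opt/jail`, step 4 jails the user with `-j /opt/jail/`, and the "at one go" line uses `/opt/jail`, but the first example block copies the sections into a different directory: `$ sudo jk_init -v /jail basicshell` (and the six lines after it). A reader who follows the example literally ends up with an empty `/opt/jail` and a stray `/jail`; all seven lines should read `/opt/jail`. Related: the "at one go" line also adds `openvpn` and drops `editors` relative to the per-line list, so the two forms are not equivalent as the text implies. Second, the `I have no name!@desktop:~$` prompt in step 6 is not a joke of the jail but a symptom: the user's name lookup inside the chroot fails, which is the same missing NSS library that the text only fixes later for wget (`jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_files.so.2`). Suggest moving that `jk_cp` ahead of step 6, or at least stating there that the prompt means name resolution from the jail's `/etc/passwd` is not working yet. Third, step 1 only sets ownership (`chown root:root /opt/jail`) and never shows the mode; a defensive reader wants an `ls -ld /opt/jail` confirming the jailed user cannot write to the jail root, since every later step relies on the jail tree being root-controlled. Minor text points: "Also only the commands that were copied via jk_cp sections" should say `jk_init` sections (that is the command used in step 2); "if you try to connect to id from ssh" should read "to it"; "achived" should be "achieved".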
diff --git a/sources/NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP.md b/sources/NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP.md deleted file mode 100644 index b25e08af30..0000000000 --- a/sources/NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP.md +++ /dev/null 
@@ -1,42 +0,0 @@ -翻译中 by小眼儿 - -NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP -================================================================================ -![](http://www.omgubuntu.co.uk/wp-content/uploads/2011/01/DSC01782.jpg) - -*Linus and OMG! Back in 2011* - -The United States’ National Security Agency ([**NSA**][1]) are alleged to have asked the creator of Linux, Linus Torvalds, to create ‘backdoors’ into GNU/Linux through which they could access. - -Far from being a rumour, word of the approach comes via Linus’ father, Nils Torvalds. - -As a Member of the European Parliament (MEP), Nils was present at recent committee inquiry held on the “Mass Surveillance of EU Citizens”. Here, representatives from a number of companies named in documents leaked by NSA whistleblower Edward Snowden were questioned about their own (alleged) involvement. - -Following a question put to a Microsoft spokeswoman by Pirate Party MEP Christian Engström on whether the company willingly include “backdoors” for the NSA in their system, Nils Torvalds MEP [said][2]: - -> When my oldest son [Linus Torvalds] was asked the same question: “Has he been approached by the NSA about backdoors?” he said “No”, but at the same time he nodded. Then he was sort of in the legal free. He had given the right answer …everybody understood that the NSA had approached him. - -If that sounds familiar to you then you might have [seen the snippet on YouTube][3]. Linus went on to insist that he was joking, and that [the NSA had not approached him][4]. - -**But, speaking at November 11th’s inquiry, his father seems to think otherwise. ** - -Following on from allegations that Google, [Yahoo!][5], Facebook [and, indeed, Microsoft][6] are among the many companies wilfully cooperating with the agency to provide “backdoor” access to their systems, this revelation is far from earth-shattering. In fact, is makes sense in the grand scheme of things. 
After all, why wouldn’t the NSA ask Linus to do this? - -While Nils doesn’t explain how Linus responded – I’d like to think it involved two fingers – we can be sure that it, at the very least, involved an explanation of how open source prevents something like that being possible. - -If any holes were left around for the NSA’s overly-long tentacles to creep into, you can bet your bottom dollar that they’d have been found, exposed and rooted out long before now. - --------------------------------------------------------------------------------- - -via: http://www.omgubuntu.co.uk/2013/11/nsa-ask-linus-torvalds-include-backdoors-linux-father-says-yes - -译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出 - -[1]:http://www.nsa.gov/ -[2]:http://youtu.be/EkpIddQ8m2s?t=3h09m06s -[3]:http://www.youtube.com/watch?v=7gRsgkdfYJ8 -[4]:http://mashable.com/2013/09/19/linus-torvalds-backdoor-linux/ -[5]:http://www.telegraph.co.uk/technology/internet-security/10459081/Yahoo-to-encrypt-internal-traffic-following-NSA-revelations.html -[6]:http://www.bbc.co.uk/news/technology-23285642 diff --git a/translated/NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP.md b/translated/NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP.md new file mode 100644 index 0000000000..a9ef7b68e4 --- /dev/null +++ b/translated/NSA Asked Linus Torvalds To Give Them Backdoor Access In Linux, Says MEP.md 
@@ -0,0 +1,40 @@ +欧洲议会:NSA曾要求Linus Torvalds给予他们在Linux中植入后门的权限 +================================================================================ +![](http://www.omgubuntu.co.uk/wp-content/uploads/2011/01/DSC01782.jpg) + +*照片中为大神Linus(左)和Benjamin Humphrey(译者注:该小伙儿为本文原文出处‘OMG!Ubuntu!’的联合创始人之一,现已离开OMGUbuntu)!照片摄于2011年* + +美国国家安全局([**NSA**][1])宣称,他们曾经要求Linux的创始人,Linus Torvalds,在GNU/Linux中建立一个他们可以访问的“后门”。 + +这绝非谣言,Linus的父亲,Nils Torvalds如此说道。 + +作为欧洲议会(MEP)的成员之一,Nils出席了最近关于“欧盟公民监视问题”的委员会质询会议。根据爱德华·斯诺登泄露出的一些NSA文档,委员会对文档中列出的一些公司代表就所谓的“合作”进行了质询。 + +同属欧洲议会成员的瑞典盗版党主席Christian Engström就质问微软的发言人,其公司是否曾主动为NSA在他们的系统中植入过“后门”,(译者注:盗版党是一个以废除专利制度、维护公民隐私为宗旨的民间自发政党,最先在瑞典出现,传送门→[盗版党百度百科](http://baike.baidu.com/view/1104760.htm))。之后,Nils Torvalds[说道][2]: + +> 我的长子[Linus Torvalds]也被问到了同样的问题 —— “NSA是否曾要求他植入后门?”,当时他嘴里回答“No”,但同时却在点头。我的儿子是自由主义者,他已经给出了正确的回答…… 每个人都明白,NSA的确曾要求他这么干过! + +如果这段描述让你觉着耳熟,你可以[看下Youtube上关于这一段的视频片段][3]。后来Linus坚称他当时只是开玩笑,[NSA并没有为此找过他][4]。 + +**但是,根据11月11号质询会议上的发言看来,他的父亲并不这么想。** + +根据文档,Google、[Yahoo!][5]、Facebook以及 —— [的确还有微软][6],都在NSA要求提供“后门”的合作公司之列,仅这一发现,就足以震惊全世界。事实上,这些还只是冰山一角。因此,凭什么说NSA不会要求Linus也这么做呢? 
+ +Nils并没有说Linus具体是如何回应的 —— 但我估计,这说明了两个问题,首先我们至少可以肯定的一点是,开源世界一直在努力防范类似事情成为可能; + +其次,如果真的有某些漏洞存在,NSA长长的触手早就已经把你的压箱底私房钱翻个底儿掉了。 + +-------------------------------------------------------------------------------- + +via: http://www.omgubuntu.co.uk/2013/11/nsa-ask-linus-torvalds-include-backdoors-linux-father-says-yes + +译者:[Mr小眼儿](http://blog.csdn.net/tinyeyeser) 校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出 + +[1]:http://www.nsa.gov/ +[2]:http://youtu.be/EkpIddQ8m2s?t=3h09m06s +[3]:http://www.youtube.com/watch?v=7gRsgkdfYJ8 +[4]:http://mashable.com/2013/09/19/linus-torvalds-backdoor-linux/ +[5]:http://www.telegraph.co.uk/technology/internet-security/10459081/Yahoo-to-encrypt-internal-traffic-following-NSA-revelations.html +[6]:http://www.bbc.co.uk/news/technology-23285642 \ No newline at end of file From 83967c5d12364dd1fd41506fcd2a80929045ebc1 Mon Sep 17 00:00:00 2001 From: tinyeyeser Date: Tue, 26 Nov 2013 11:04:04 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=E5=B7=B2=E6=A0=A1=E5=AF=B9=20by=E5=B0=8F?= =?UTF-8?q?=E7=9C=BC=E5=84=BF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...xamples To Get Operating System Details.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/translated/9 Linux Uname Command Examples To Get Operating System Details.md b/translated/9 Linux Uname Command Examples To Get Operating System Details.md index 181fcfbee1..ad57d016a1 100644 --- a/translated/9 Linux Uname Command Examples To Get Operating System Details.md +++ b/translated/9 Linux Uname Command Examples To Get Operating System Details.md 
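Review bot: the added translation in the second hunk of PATCH 3/4 inverts two claims of the source it deletes in the first hunk. The source says the NSA "are alleged to have asked" Linus for backdoors; the translation `+美国国家安全局([**NSA**][1])宣称,他们曾经要求...` makes the NSA itself the one asserting it, which is the opposite attribution. The source also calls the revelation "far from earth-shattering. In fact, is makes sense in the grand scheme of things", while the translation `+...仅这一发现,就足以震惊全世界。事实上,这些还只是冰山一角。` says it is enough to shock the world and is only the tip of the iceberg, again the reverse of the author's point. The quoted sentence "Then he was sort of in the legal free" is rendered as `我的儿子是自由主义者` ("my son is a libertarian"), which is a different statement; the original is about him being legally in the clear after answering. These should be corrected before the article leaves `translated/`. Also, the `校对:[校对者ID]` placeholder is still unfilled, so the file should not be treated as proofread yet, and the extended photo caption with the 译者注 adds a name (Benjamin Humphrey) that the source caption does not contain and should be marked as the translator's addition.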
@@ -1,18 +1,18 @@ -九个用Linux uname 命令获取操作系统详情的实例 +九个简单实例教你用uname命令获取Linux操作系统详情 ================================================================================ ![](http://linoxide.com/wp-content/uploads/2013/11/linux-uname-command.png) -当你在控制台模式下,无法通过‘右击 > About’给予你关于操作系统的信息.在Linux下,你可以用**uname**命令,帮助你完成. Uname是**unix name**的缩写.让我们先在控制台键入**uname**. +当你在控制台模式下,无法通过‘鼠标右键 > 关于’获取操作系统的信息.这时,在Linux下,你可以使用**uname**命令,帮助你完成这些工作. Uname是**unix name**的缩写.在控制台中实际使用的时候只需键入**uname**. -当你输入uname不带参数时,它仅仅只显示你的操作系统的名字. +当你输入uname不带参数时,它仅仅显示你的操作系统的名字. # uname Linux -也许它不能满足你的需要.所以你需要用一些参数使uname显示所需信息. +也许这还不能满足你的需要.所以你需要加上一些参数,来使uname显示你所需要的信息. 以下是uname参数的列表: @@ -28,7 +28,7 @@ ### 2. 内核发行版 ### -如果你想知道你正在使用那个内核版本,就可以用**-r**参数 +如果你想知道你正在使用哪个内核发行版,就可以用**-r**参数 # uname -r @@ -36,7 +36,7 @@ ### 3. 内核版本 ### -除一些内核信息外,用**-v**参数uname也能获取更详细的内核信息. +除一些内核信息外,用**-v**参数uname也能获取更详细的内核版本信息. # uname -v @@ -44,19 +44,19 @@ ### 4. 节点名 ### -参数 -n 会提供给你节点的主机名.举例来说,如果你的主机名是“dev-machine”,**-n**参数会打印用-n参数的输出. +参数 -n 会提供给你节点的主机名.举例来说,如果你的主机名是“dev-machine”,**-n**参数就会把主机名打印出来. # uname -n dev-machine -对于RedHat和CentOS用户来说,你也可以通过**/etc/redhat_release**文件: +对于RedHat和CentOS用户来说,你也可以通过**/etc/redhat_release**文件来查看: # cat /etc/redhat_release CentOS release 5.10 (Final) -如果不是基于RedHat的发行版,你可以用**/et/issue/**文件.类似如下: +如果不是基于RedHat的发行版,你可以查看**/et/issue/**文件.类似如下: # cat /etc/issue @@ -64,7 +64,7 @@ ### 5.硬件名称 ### -如果你在疑惑用的是那类机器,你可以尝试**-m**参数.它将告诉你关于硬件的信息. +如果你想知道用的是哪类机器,你可以尝试**-m**参数.它将告诉你关于硬件的信息. # uname -m @@ -74,17 +74,17 @@ i686表明了你用的是32位的操作系统.如果是X86_64则表明你用的 ### 6. 硬件平台 ### -类似与硬件名称, -i参数会显示你的硬件平台. +与硬件名称类似, -i参数会显示你的硬件平台. # uname -i i386 -i386意味这是正在运行一个32位的系统.如果输出的是X86_64则说明你正在运行一个64位的系统. +同样,i386意味这是正在运行一个32位的系统.如果输出的是X86_64则说明你正在运行一个64位的系统. ### 7. 处理器类型 ### -你可以用**-p**参数查看处理器类型.如果uname无法识别,它会显示 ‘unknown’ 的输出. +你可以用**-p**参数查看处理器类型.如果uname无法识别,它会显示 ‘unknown’ 作为输出. # uname -p 
@@ -92,7 +92,7 @@ i386意味这是正在运行一个32位的系统.如果输出的是X86_64则说 ### 8. 操作系统 ### -Uname也可以透露你在运行的操作系统.用**-o**参数可以实现这个目的. +uname也可以透露你正在运行的操作系统信息.用**-o**参数可以实现这个目的. # uname -o
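Review bot: two file paths survive unchanged on both sides of the hunk `@@ -44,19 +44,19 @@` in PATCH 4/4 and are wrong. `**/et/issue/**` (old and new line) does not match the command shown two lines later, `# cat /etc/issue`; it should read `/etc/issue` without the trailing slash. Likewise `**/etc/redhat_release**` and `# cat /etc/redhat_release` use an underscore, but the file on RedHat and CentOS is `/etc/redhat-release` with a hyphen, so the example as written produces "No such file or directory". Since this commit is the proofreading pass (已校对), these are the lines a proofreader should catch. Smaller points in the same patch: in hunk `@@ -74,17 +74,17 @@` the phrase `i386意味这是` (kept in the `+` line as `同样,i386意味这是`) should be `意味着`; the first hunk keeps `Uname是**unix name**的缩写` capitalised while the final hunk switches to lower-case `uname也可以透露`, and the command name should be written one way throughout.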