document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-03-30 02:40:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #516 from Luoxcat/master

Browse Source 
已翻译 by Luox
This commit is contained in:
Xingyu.Wang 2013-12-05 06:52:26 -08:00
commit c505d2e42e
2 changed files with 266 additions and 221 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

221
sources/Setup a jailed shell with jailkit on ubuntu.md
View File

@ -1,221 +0,0 @@
我不入监狱  谁入监狱
Setup a jailed shell with jailkit on ubuntu
================================================================================
### Jailed Shell and Jailkit ###
A jailed shell is a kind of limited shell that provides the user with a very real looking shell but does not allow him to mess with/view/modify any parts of the real file systems. The file system inside the shell is different from the actual file system of the underlying system. Such a functionality is achived through chroot and finds many kinds of applications. For example to setup a linux shell for users to just "play with". Or run some program with full functionality but in a limited environment and so on.
In this tutorial we are going to talk about setting up a jailed shell quickly with jailkit on ubuntu. Jailkit is helper program that allows to quickly setup a jailed shell, jail users inside it, and configure programs to run from the jailed environment.
Jailkit can be downloaded from [http://olivier.sessink.nl/jailkit/][1]
We have already discussed about installing jailkit on ubuntu so check out that post.
### Setup jailed shell ###
#### 1. Setup the jail environment ####
There needs to be a directory where the whole jail environment will be setup. Lets do it in /opt/jail. This can be whatever.
$ sudo mkdir /opt/jail
Root should own this directory. So chown it out.
$ sudo chown root:root /opt/jail
#### 2. Setup the programs to make available inside the jail ####
All the programs that need to be available in the jail need to be copied inside it using the jk_init command.
Example
$ sudo jk_init -v /jail basicshell
$ sudo jk_init -v /jail editors
$ sudo jk_init -v /jail extendedshell
$ sudo jk_init -v /jail netutils
$ sudo jk_init -v /jail ssh
$ sudo jk_init -v /jail sftp
$ sudo jk_init -v /jail jk_lsh
Or at one go
$ sudo jk_init -v /opt/jail netutils basicshell jk_lsh openvpn ssh sftp
The names like basicshell , editors , netutils are groups that contain multiple programs. Each group is a set of executable files, libraries etc to be copied into the shell. For example, the section **basicshell** provides many programs like bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep etc in the jail.
For a complete list of sections that can be setup, have a look at /etc/jailkit/jk_init.ini.
jk_lsh (Jailkit limited shell) - is an important section, and must be added.
#### 3. Create the user who will be jailed ####
Need a user to put inside the jail. Lets create one
$ sudo adduser robber
Adding user `robber' ...
Adding new group `robber' (1005) ...
Adding new user `robber' (1006) with group `robber' ...
Creating home directory `/home/robber' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for robber
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
Note that this is a normal user who is created in the actual filesystem and not inside the jail.
In the next step this user shall be imprisoned inside the jail.
At this point if you take a look at /etc/passwd you get to see an entry at the end that looks like this
robber:x:1006:1005:,,,:/home/robber:/bin/bash
This is our new user and the last part /bin/bash indicates that the user has a normal shell access on the system, if he logs in.
#### 4. Jail the user ####
Now its time to put the user inside the jail.
$ sudo jk_jailuser -m -j /opt/jail/ robber
By doing this the user robber has now been jailed.
Now if you take a look at /etc/passwd the last entry would look like this
robber:x:1006:1005:,,,:/opt/jail/./home/robber:/usr/sbin/jk_chrootsh
Note that the last 2 parts that indicate the home user and the shell type have changed. The home directory of the user is now inside the jail environment at /opt/jail. The shell of the user is now a special program called jk_chrootsh that will provide the jailed shell.
It is this particular shell called jk_chrootsh that takes the user inside the jail, everytime he logs onto the system.
The jail setup by now is nearly done. But if you try to connect to id from ssh, it will fail like this :
$ ssh robber@localhost
robber@localhost's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com/
13 packages can be updated.
0 updates are security updates.
*** /dev/sda7 will be checked for errors at next reboot ***
*** /dev/sda8 will be checked for errors at next reboot ***
Last login: Sat Jun 23 12:45:13 2012 from localhost
Connection to localhost closed.
$
The connection shall close. This happens because the user actually has a limited shell.
#### 5. Give bash shell to user inside the jail ####
The next important thing to do is to give the user a proper bash shell, but inside the jail.
Open the following file
/opt/jail/etc/passwd
Its the password file inside the jail. It would look somewhat like this
root:x:0:0:root:/root:/bin/bash
robber:x:1006:1005:,,,:/home/robber:/usr/sbin/jk_lsh
Change the /usr/sbin/jk_lsh to /bin/bash
root:x:0:0:root:/root:/bin/bash
robber:x:1006:1005:,,,:/home/robber:/bin/bash
Save the file and exit.
#### 6. Login to the jail ####
So now its time to login into the jail again
$ ssh robber@localhost
robber@localhost's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com/
13 packages can be updated.
0 updates are security updates.
*** /dev/sda7 will be checked for errors at next reboot ***
*** /dev/sda8 will be checked for errors at next reboot ***
Last login: Sat Jun 23 12:46:01 2012 from localhost
bash: groups: command not found
I have no name!@desktop:~$
The jail says 'I have no name!' , ha ha. Now we have a fully functional bash shell but inside the jail.
Now check the environment by moving around. The root / of the jailed environment is /opt/jail of the real file system. But its only we who knows that, not the jailed user.
I have no name!@desktop:~$ cd /
I have no name!@desktop:/$ ls
bin dev etc home lib lib64 run usr var
I have no name!@desktop:/$
Also only the commands that were copied via jk_cp sections will be available in this jail.
If the login fails, then check /var/log/auth.log for error messages.
Now try running some network command like wget or anything similar.
$ wget http://www.google.com/
If you get an error like this :
$ wget http://www.google.com/
--2012-06-23 12:56:43-- http://www.google.com/
Resolving www.google.com (www.google.com)... failed: Name or service not known.
wget: unable to resolve host address `www.google.com'
Fix it by running the following 2 commands :
$ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_files.so.2
$ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_dns.so.2
The exact location of the libnss_files.so and libnss_dns.so can vary so check.
### Running programs or services in the jail ###
Now the setup is complete. Jails are useful to run programs or services in a restricted/secure environments. To launch a program or daemon inside the jail use the **jk_chrootlaunch** command.
$ sudo jk_chrootlaunch -j /opt/jail -u robber -x /some/command/in/jail
The jk_chrootlaunch utility can be used to launch a particular process inside the jail environment with privileges of the specified user. If the daemon fails to start, check /var/log/syslog for error messages.
To run the program inside the jail, the program must first be fully copied inside the jail using the jk_cp command.
jk_cp - a utility to copy files including permissions and libraries into a jail
For further reading about various jailkit commands, check the documentation at [http://olivier.sessink.nl/jailkit/][1]
--------------------------------------------------------------------------------
via: http://www.binarytides.com/setup-jailed-shell-jailkit-ubuntu/
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:http://olivier.sessink.nl/jailkit/
[2]:
[3]:
[4]:
[5]:
[6]:
[7]:
[8]:
[9]:
[10]:
[11]:
[12]:

266
translated/Setup a jailed shell with jailkit on ubuntu.md Normal file
View File

@ -0,0 +1,266 @@
在Ubuntu下用jailkit建立一个被监禁的Shell
================================================================================
### Jailkit和jailed Shell ###
监狱性的shell是一类限制性的shell提供给用户非常真实的Shell模样但是不允许它查看和修改真正的文件系统。Shell内的文件系统不同于底层的文件系统。这种功能是通过chroot和其他多种程序实现的。举例来说建立一个用户的linux shell可能仅仅为了玩耍。或者在一个限定的环境里运行一些程序的所有功能等。
在这个教程里我们将会探讨在Ubuntu下用jailkit建立一个监禁的shell。Jailkit是辅助程序允许快速的建立一个监禁的shell监禁的用户在受监禁的环境里配置程序并运行。
Jailkit can be downloaded from [http://olivier.sessink.nl/jailkit/][1]
我们已经谈论过关于在Ubuntu下安装jailkit如果有不懂多看看那篇文章。
### 配置jailed Shell ###
#### 配置jail环境 ####
我们需要建立一个目录来存放所有jail环境的配置。这不是重点我们可以创建个/opt/jail的目录。
$ sudo mkdir /opt/jail
这个目录应为Root所有。所以用chown。
$ sudo chown root:root /opt/jail
#### 2. 设置在jail中可用的程序 ####
任何程序想要在jail中执行则必须用jk_init命令拷贝到目录中。
例如:
$ sudo jk_init -v /jail basicshell
$ sudo jk_init -v /jail editors
$ sudo jk_init -v /jail extendedshell
$ sudo jk_init -v /jail netutils
$ sudo jk_init -v /jail ssh
$ sudo jk_init -v /jail sftp
$ sudo jk_init -v /jail jk_lsh
或一次性解决:
$ sudo jk_init -v /opt/jail netutils basicshell jk_lsh openvpn ssh sftp
像basicshell, editors, netutils是一些组名其中包含多个程序。复制到jail shell中的每个组都是可执行文件,库文件等的集合。比如**basicshell**就在jail提供有bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep等程序。
完整的程序列表设置,你可以在/etc/jailkit/jk_init.ini中查看。
jk_lsh (Jailkit limited shell) - is an important section, and must be added.
#### 3. 创建将被监禁的用户 ####
需要将用户放入jail里。可以先创建一个
$ sudo adduser robber
Adding user `robber' ...
Adding new group `robber' (1005) ...
Adding new user `robber' (1006) with group `robber' ...
Creating home directory `/home/robber' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for robber
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
注意:目前创建的是一个活动在文件系统中的普通用户并没有添加到jail中。
在下一步这个用户会被监禁在jail里。
这时候如果你查看/etc/passwd文件你会在文件最后看到跟下面差不多的一个条目。
robber:x:1006:1005:,,,:/home/robber:/bin/bash
这是我们新创建的用户,最后部分的/bin/bash指示了这个用户如果登入了那么它可以在系统上正常的Shell访问
#### 4. 监禁用户 ####
现在是时候将用户监禁在jail中
$ sudo jk_jailuser -m -j /opt/jail/ robber
执行上列命令后用户robber将会被监禁。
如果你现在再观察/etc/passwd文件会发现类似下面的最后条目。
robber:x:1006:1005:,,,:/opt/jail/./home/robber:/usr/sbin/jk_chrootsh
注意:最后两部分表明用户主目录和shell类型已经被改变了。现在用户的主目录在/opt/jail(jail环境)中。用户的Shell是一个名叫jk_chrootsh的特殊程序会提供jailed Shell。
jk_chrootsh这是个特殊的shell每当用户登入系统时它都会将用户放入jail中。
到目前为止jail配置已经几乎完成了。但是如果你试图用ssh连接那么注定会失败,像这样:
$ ssh robber@localhost
robber@localhost's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com/
13 packages can be updated.
0 updates are security updates.
*** /dev/sda7 will be checked for errors at next reboot ***
*** /dev/sda8 will be checked for errors at next reboot ***
Last login: Sat Jun 23 12:45:13 2012 from localhost
Connection to localhost closed.
$
连接会立马关闭这意味着用户已经活动在一个受限制的shell中。
#### 5. 给在jail中的用户Bash Shell ####
下个重要的事情是给用户一个正确的bash shell但是他却在jail中。
打开下面的文件
/opt/jail/etc/passwd
这是个jail中的password文件。类似如下
root:x:0:0:root:/root:/bin/bash
robber:x:1006:1005:,,,:/home/robber:/usr/sbin/jk_lsh
将/usr/sbin/jk_lsh改为/bin/bash
root:x:0:0:root:/root:/bin/bash
robber:x:1006:1005:,,,:/home/robber:/bin/bash
保存文件并退出。
#### 6. 登入jail ####
现在让我们再次登入jail
$ ssh robber@localhost
robber@localhost's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-25-generic x86_64)
* Documentation: https://help.ubuntu.com/
13 packages can be updated.
0 updates are security updates.
*** /dev/sda7 will be checked for errors at next reboot ***
*** /dev/sda8 will be checked for errors at next reboot ***
Last login: Sat Jun 23 12:46:01 2012 from localhost
bash: groups: command not found
I have no name!@desktop:~$
jail说'I have no name!'哈哈。现在我们在jail中有个完整功能的bash shell。
现在通过操作检查环境。jail中的root /实际就是真实文件系统中的/opt/jail.但这只有我们自己知道jail用户并不知情。
I have no name!@desktop:~$ cd /
I have no name!@desktop:/$ ls
bin dev etc home lib lib64 run usr var
I have no name!@desktop:/$
也只有我们通过jk_cp拷贝到jail中的命令能使用。
如果登入失败,请检查一下/var/log/auth.log的错误信息。
现在尝试运行一些网络命令类似wget的命令。
$ wget http://www.google.com/
如果你获得类似的错误提示:
$ wget http://www.google.com/
--2012-06-23 12:56:43-- http://www.google.com/
Resolving www.google.com (www.google.com)... failed: Name or service not known.
wget: unable to resolve host address `www.google.com'
你可以通过运行下列两条命令来解决这个问题:
$ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_files.so.2
$ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_dns.so.2
这样才能正确的定位到libnss_files.so和libnss_dns.so
### 在jail中运行程序或服务  ###
此时此刻配置已经完成了。Jails可以在限制/安全的环境里运行程序或服务。用**jk_chrootlaunch**命令在jail中启动一个程序或守护进程。
$ sudo jk_chrootlaunch -j /opt/jail -u robber -x /some/command/in/jail
jk_chrootlaunch工具可以在jail环境中启动一个特殊的进程同时指定用户特权。如果守护进程启动失败请检查/var/log/syslog/错误信息。
在jail中运行程序之前该程序必须已经用jk_cp命令复制到jail中。
jk_cp - 将文件包括权限信息和库文件复制到jail的工具 
进一步阅读有关其他jailkit命令信息可以阅读文档[http://olivier.sessink.nl/jailkit/][1]
--------------------------------------------------------------------------------
via: http://www.binarytides.com/setup-jailed-shell-jailkit-ubuntu/
译者:[Luoxcat](https://github.com/Luoxcat) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:http://olivier.sessink.nl/jailkit/
[2]:
[3]:
[4]:
[5]:
[6]:
[7]:
[8]:
[9]:
[10]:
[11]:
[12]: