2. vim sshd_config -- add the following lines
Match group sshusers
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home/%u
#ForceCommand /usr/libexec/openssh/sftp-server
3. useradd user1
4. usermod -G chrootusers user1
5. usermod -G chrootusers -d / user1
6. yum --installroot=/var/chroot --releasever=7 --nogpg --disablerepo='*' --enablerepo=base install centos-release openssh-clients wget vi nano zip unzip tar mariadb findutils iputils bind-utils rsync
7. echo "none /var/chroot/proc proc defaults 0 0" >> /etc/fstab
8. echo "/dev /var/chroot/dev none bind 0 0" >> /etc/fstab
9. mount -a
10. systemctl restart sshd.service
11. id -u user1 (note the value)
12. id -g user1 (note the value)
13. chroot /var/chroot /bin/bash -c 'useradd -u <uid from step 11> user1'
14. chroot /var/chroot /bin/bash -c 'groupadd -g <gid from step 12> chrootusers'
Luckily, I was able to come up with a way to do that.
Debian 8
Install the required packages
apt-get install binutils debootstrap libpam-chroot
Choose a location
mkdir -p /srv/chroot/wheezy
Build the chroot
Either select a nearby network mirror manually, use one of the DNS-based mirrors such as ftp.XX.debian.org (where XX is your country code), or use httpredir.debian.org, which picks a mirror for you automatically. httpredir.debian.org is easier to document and is becoming the generally preferred method, so it is recommended unless you have your own fast local mirror. See http://httpredir.debian.org/ for documentation and details.
debootstrap --arch [i386|amd64] wheezy /srv/chroot/wheezy http://httpredir.debian.org/debian
To enter:
chroot /srv/chroot/wheezy
Configuration
In general, it is necessary to create/edit key configuration points.
Create a /usr/sbin/policy-rc.d file IN THE CHROOT so that dpkg won't start daemons unless desired. This example prevents all daemons from being started in the chroot.
chroot /srv/chroot/wheezy
cat > ./usr/sbin/policy-rc.d <<EOF
#!/bin/sh
exit 101
EOF
chmod a+x ./usr/sbin/policy-rc.d
real system /etc/passwd (points to the chroot folder)
rbf7:x:1002:1002::/home/user:/bin/sh
where /var/chroot is the directory in which you built your chroot system:
# vi /etc/security/chroot.conf
user /var/chroot
# mount --bind /dev/pts /var/chroot/dev/pts
# mount -t proc proc /var/chroot/proc
# vim /etc/pam.d/sshd
session required pam_chroot.so debug
# vim /etc/pam.d/login
session required pam_chroot.so debug
Step 1: Add a group for chrooted users
groupadd chrootusers
Step 2: Configure SSH
nano /etc/ssh/sshd_config
Replace
Subsystem sftp /usr/libexec/openssh/sftp-server
With
Subsystem sftp internal-sftp
Paste at the End
Match Group chrootusers
ChrootDirectory /home/%u
Run
systemctl restart sshd
systemctl status sshd
Step 3: Add a user
Change peter to your desired user name.
export NEW_USER_NAME=peter
useradd ${NEW_USER_NAME}
usermod -G chrootusers -d / ${NEW_USER_NAME}
passwd ${NEW_USER_NAME}
Step 4: Install packages and create the necessary directory structure
yum --installroot=/home/${NEW_USER_NAME} --releasever=7 --nogpg --disablerepo='*' --enablerepo=base install centos-release openssh-clients wget vi nano zip unzip tar mariadb findutils iputils bind-utils rsync
Step 5: Mount proc and dev
echo "none /home/${NEW_USER_NAME}/proc proc defaults 0 0" >> /etc/fstab
echo "/dev /home/${NEW_USER_NAME}/dev none bind 0 0" >> /etc/fstab
Run
mount -a
Step 6: Configure the DNS servers
echo "nameserver 8.8.8.8" >> /home/${NEW_USER_NAME}/etc/resolv.conf
echo "nameserver 8.8.4.4" >> /home/${NEW_USER_NAME}/etc/resolv.conf
That's all.
Keep in mind that $NEW_USER_NAME is bound to the current session!
Start from Step 3 when adding another user.
To install more packages later use the same command as in Step 4.
When logging in using SSH you will get messages like "cannot find name for user ID x". They are safe to ignore, but if you'd like to get rid of them, you will need to duplicate the user in the chroot:
export NEW_USER_ID=$(id -u ${NEW_USER_NAME})
export NEW_USER_GROUP_ID=$(id -g ${NEW_USER_NAME})
chroot /home/${NEW_USER_NAME} /bin/bash -c 'useradd -u ${NEW_USER_ID} ${NEW_USER_NAME}'
chroot /home/${NEW_USER_NAME} /bin/bash -c 'groupadd -g ${NEW_USER_GROUP_ID} chrootusers'
For use with chrooted users under Apache 2.4 and above, you must include the following:
cp /sbin/suexec /var/chroot/sbin/suexec
cp /sbin/suexec /var/chroot/usr/sbin/suexec
Require all granted
ServerName bkp.domain-chrooted.com
DocumentRoot /var/chroot/home/user-name/public_html
ServerAdmin webmaster@domain-chrooted.com
UseCanonicalName Off
UserDir enabled user-name
CustomLog /var/log/httpd/domlogs/bkp.domain-chrooted.com combined
# Include conf.d/auth-inc.conf.txt
AllowOverride All
Require all granted
# Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
# To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
# the user's .htaccess file. For more information, please read:
# http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilegacyexprparser
SSILegacyExprParser On
suPHP_UserGroup user-name user-name
SuexecUserGroup user-name user-name
RMode config
RUidGid user-name user-name
# For more information on MPM ITK, please read:
# http://mpm-itk.sesse.net/
AssignUserID user-name user-name
ScriptAlias /cgi-bin/ /var/chroot/home/user-name/public_html/cgi-bin/