Master4U

Restricting sftp access to parent folders (chroot)
Admin  2014-03-23 03:17:26  Hits: 5398
Link #1: http://holecjh.tistory.com/87

There are two ways to do this.

The first changes directory permissions. It is easy to set up, but it cannot be limited to particular accounts: every non-root account is affected, not just the ones you want to confine. Be clear about what it achieves, too. Mode 711 (rwx--x--x) removes the read bit for others but keeps the execute (traverse) bit, so the directories can no longer be listed, but a user can still change into them and read any world-readable file whose path they already know; in sftp, ls /etc fails while get /etc/passwd still succeeds. It hides the tree, it does not restrict access to it, and it is not a chroot.

The settings are as follows.

####### First method ############

chmod 711 /home
chmod 711 /etc
chmod 711 /
chmod 711 /usr
chmod 711 /usr/local
chmod 711 /proc
chmod 711 /mnt
chmod 711 /opt
chmod 711 /misc
chmod 711 /dev
chmod 711 /bin
chmod 711 /boot
chmod 711 /www
chmod 711 /var

A few notes on this list: /www is a site-specific web root, so leave it out if you do not have one; /proc and /dev are virtual filesystems recreated at boot, so a mode set on them does not survive a reboot; and an rpm upgrade of the package that owns a directory may reset its mode, so the list has to be reapplied after such updates.

The second method needs a chroot-capable sshd, which means building a patched OpenSSH. Before installing it, the existing sshd packages must be removed completely, /etc/ssh included. Save the host keys (/etc/ssh/ssh_host_*) somewhere first and put them back afterwards; if they are lost, every client will warn that the server's host key has changed at its next connection.

The example was written against CentOS 5. Done this way, only the specific accounts you choose are prevented from leaving their directory, but it involves several more steps than the first method.

One thing to know before starting: the chrootssh patch used here is against OpenSSH 4.5p1 and is no longer maintained. OpenSSH 4.9p1 and later have a built-in ChrootDirectory option with an internal-sftp subsystem that does the same job without patching; the stock openssh-4.3p2 in CentOS 5 predates it, which is why this guide builds from source.

The manual below is based on http://system.neulwon.com/xe/?mid=linux_os&page=3&document_srl=308.

# wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2
# tar jxvf openssh*


# vi openssh-4.5p1-chroot/contrib/redhat/openssh.spec

Find the following lines and change them:

%define no_x11_askpass 0 -> %define no_x11_askpass 1
%define no_gnome_askpass 0 -> %define no_gnome_askpass 1

Setting both to 1 skips the x11-askpass and gnome-askpass subpackages, which need X11 and GNOME development libraries that a server does not have.

# rm -rf openssh-4.5p1-chroot/contrib/aix/
# rm -rf openssh-4.5p1-chroot/contrib/hpux/
# rm -rf openssh-4.5p1-chroot/contrib/caldera/
# rm -rf openssh-4.5p1-chroot/contrib/suse/
# rm -rf openssh-4.5p1-chroot/contrib/cygwin/
# rm -rf openssh-4.5p1-chroot/contrib/solaris/
 
Delete the directories meant for other operating systems; they are not needed in the tarball rpmbuild will unpack.
The test server used here runs CentOS 5.1 32-bit.

# mv openssh-4.5p1-chroot openssh-4.5p1
# tar czvf openssh-4.5p1.tar.gz openssh-4.5p1/
# rm -rf openssh-4.5p1
# yum -y install openssl-devel
# rpmbuild -tb --clean openssh-4.5p1.tar.gz

The directory is renamed because rpmbuild -tb reads the spec file out of the tarball and its %setup step expects the sources in a directory named openssh-4.5p1, matching the spec's version. If the build stops on missing tools or headers, install rpm-build, gcc, pam-devel and zlib-devel as well.

If the build fails because of the zlib version, install the latest zlib (and zlib-devel) and run rpmbuild again. The error looks like this:

ex)
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See
http://www.gzip.org/zlib/ for details.
error: Bad exit status from /var/tmp/rpm-tmp.62117 (%build)

# rpm -Uvh /usr/src/redhat/RPMS/i386/openssh-*4.5p1-1.i386.rpm
# rm -f openssh-4.5p1.tar.gz
# rm -f openssh-4.5p1-chroot.tar.bz2

The glob installs the openssh, openssh-server and openssh-clients packages in one transaction, so the dependencies between them resolve without ordering the commands by hand.

# vi /etc/yum.conf
Add the line exclude=openssh so that a later yum update does not replace the patched packages with the stock ones. The flip side is that sshd is now outside the distribution's security updates: you have to follow OpenSSH advisories yourself and rebuild when one applies.
 
# vi /etc/rc.d/init.d/sshd

initlog -c "$SSHD $OPTION" && success || failure
->  $SSHD $OPTION && success || failure

Change it as shown: the init script that comes with the spec's contrib directory calls initlog, which is no longer present on CentOS 5, so sshd would fail to start.
Then

# vi /usr/sbin/chroot-useradd  and create the file with the following contents.

[paste start]
#!/bin/bash
#
# Usage: ./chroot-useradd username [shell]
#
# Creates a user whose home directory is recorded as /home/username/./
# (the /./ is where the chrootssh-patched sshd chroots), builds a minimal
# tree under /home/username and copies the listed programs and their
# shared libraries into it.
#
# Programs to make available inside the jail. Keep this list as short as
# the users really need: perl, ssh and scp give a jailed user far more than
# sftp requires. sftp-server itself is copied explicitly at the end.
CMD="bash ls touch mkdir tar gzip cp mv rm pwd chmod cat vi id rsync ssh scp ping ssh-keygen perl"
APPS=$(which $CMD)

# Sanity checks
if [ -z "$1" ]; then
    echo " Usage: ./chroot-useradd username [shell]"
    exit 1
fi
if [ "$(id -u)" -ne 0 ]; then
    echo "chroot-useradd must be run as root"
    exit 1
fi

# Create the account, then rewrite its home with the /./ chroot marker
CHROOT_USERNAME=$1
if [ -z "$2" ]; then
    useradd "$CHROOT_USERNAME"
else
    useradd -s "$2" "$CHROOT_USERNAME"
fi
[ $? -ne 0 ] && exit 1
usermod -d "/home/$CHROOT_USERNAME/./" "$CHROOT_USERNAME"
passwd "$CHROOT_USERNAME"

# The jail root is the real home directory (the path without the /./ marker)
JAIL="/home/$CHROOT_USERNAME"
chown "$CHROOT_USERNAME:$CHROOT_USERNAME" "$JAIL"
rm -f "$JAIL"/.* > /dev/null 2>&1

# Create the directories; nothing will do it for you
mkdir -pv "$JAIL/etc" "$JAIL/bin" "$JAIL/usr/bin" "$JAIL/usr/libexec/openssh" \
          "$JAIL/usr/local/bin" "$JAIL/dev" "$JAIL/lib"

# Make /dev/null or sftp won't work
mknod -m 666 "$JAIL/dev/null" c 1 3

# Short replacement for /usr/bin/groups: the real one needs /bin/sh,
# which is generally unnecessary in a chroot cage
printf '#!/bin/bash\nid -Gn\n' > "$JAIL/usr/bin/groups"
chmod 755 "$JAIL/usr/bin/groups"

# Minimal passwd/group inside the jail. The patterns end in ":" so that
# "bob" does not also pull in "bobby". /etc/passwd carries no password hashes.
grep -e "^root:" -e "^$CHROOT_USERNAME:" /etc/passwd > "$JAIL/etc/passwd"
grep -e "^root:" -e "^$CHROOT_USERNAME:" /etc/group  > "$JAIL/etc/group"

# Copy the programs and the shared libraries ldd reports for them.
# Only absolute paths in the "=>" column are files to copy; vdso entries
# such as linux-gate.so.1 have no file behind them.
for prog in $APPS; do
    mkdir -p "$JAIL$(dirname "$prog")"
    cp "$prog" "$JAIL$prog"
    if ldd "$prog" > /dev/null 2>&1; then
        for l in $(ldd "$prog" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'); do
            mkdir -pv "$JAIL$(dirname "$l")"
            cp "$l" "$JAIL$l"
        done
    fi
done

# ldd shows the dynamic loader without a "=>" and does not list the NSS
# modules at all (they are loaded at run time), but without them things
# like usr/bin/groups will not work. Paths are for 32-bit CentOS 5; on
# x86_64 they live under /lib64.
for l in /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 \
         /lib/ld-linux.so.2 /lib/libc.so.6 /lib/libm.so.6 /lib/libpthread.so.0 \
         /lib/librt.so.1 /lib/libthread_db.so.1; do
    cp "$l" "$JAIL/lib/"
done
cp /etc/termcap "$JAIL/etc/"
cp /usr/libexec/openssh/sftp-server "$JAIL/usr/libexec/openssh/"
exit 0

[paste end]

After saving, set the mode as follows:

# chmod 700 /usr/sbin/chroot-useradd

I followed the manual up to here,
and it seems to be more or less;; done.
Right! Now it is time to create an account and test it. Fingers crossed..

# chroot-useradd userid
The user is now created. Log in over SSH and run pwd: where it used to print '/home/userid', it now prints '/'. The same check from an sftp client is pwd, which should also report / as the remote working directory, and cd .. from there must not leave it.
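A check of the jail that chroot-useradd builds, as an added example that is not part of the original post or of the neulwon manual. It assumes the layout the script above creates (sftp-server under usr/libexec/openssh, a copied etc/passwd and etc/group, dev/null, programs under bin and usr/bin) and the chrootssh convention of a /./ marker in the home field of the system passwd entry; the ldd parsing assumes glibc's output format. The optional third argument lets it be run against a copy of /etc/passwd instead of the real file.

```shell
# check_jail JAIL USER [SYSTEM_PASSWD]
# Verifies the chroot tree that chroot-useradd builds. Prints one line per
# problem found and returns 1 if there was any, 0 if the jail looks complete.
check_jail() {
    jail=$1; user=$2; syspasswd=${3:-/etc/passwd}; rc=0

    # chrootssh chroots at the "/./" marker in the home field of the
    # system passwd entry; without it the login is not confined at all
    grep -q "^$user:\([^:]*:\)\{4\}[^:]*/\./:" "$syspasswd" ||
        { echo "no /./ chroot marker in the home directory of $user ($syspasswd)"; rc=1; }

    # files sftp-server needs to see inside the jail
    for f in etc/passwd etc/group usr/libexec/openssh/sftp-server; do
        [ -f "$jail/$f" ] || { echo "missing: $f"; rc=1; }
    done
    [ -c "$jail/dev/null" ] || { echo "missing: dev/null as a character device (mknod c 1 3)"; rc=1; }
    grep -q "^$user:" "$jail/etc/passwd" 2>/dev/null ||
        { echo "user $user absent from jail etc/passwd"; rc=1; }

    # the jail root is owned by the user, who can therefore replace any
    # library inside it; a setuid program in there is a root escalation path
    for s in $(find "$jail" -type f -perm -4000 2>/dev/null); do
        echo "setuid file inside jail: ${s#$jail}"; rc=1
    done

    # every dynamic program copied in must find its libraries inside the
    # jail; the parsing assumes glibc's "lib => /path (addr)" ldd lines
    for b in "$jail"/bin/* "$jail"/usr/bin/* "$jail"/usr/libexec/openssh/*; do
        [ -f "$b" ] || continue
        for l in $(ldd "$b" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'); do
            [ -e "$jail$l" ] || { echo "${b#$jail} needs $l, which is not in the jail"; rc=1; }
        done
    done
    return $rc
}
```

Run it as check_jail /home/userid userid right after creating the account; a non-zero exit means at least one line was printed, and a user should not be handed the account until the output is empty.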

So far I have only installed this on CentOS 5 32-bit,
so I have not been able to test it on other distributions or in a 64-bit environment.
For reference, I once ended up reinstalling the OS after trying it on CentOS 4.5 64-bit;