Isn't there a way to keep everyone except root from going above /home? ㅠㅠ

Posted by 임근식

From the post it looks like you are asking how to keep ssh users from going above the /home directory. If I read that right, you can use chroot() as shown below to prevent moving to a parent directory in the ssh shell. In my own case, though, I stopped using this method because of the overhead, and instead I use permission settings so that in /home a user cannot access another user's account directory.

- Below -

There was a time, not so very long ago, when we used to enjoy running an ftp server and locking our users into tiny little chrooted jails. While we still enjoy denying users their freedom, we now prefer to do so using a maximum security facility. The sftp file transfer program, which comes with OpenSSH server, gives users an interactive interface like ftp but performs transfers over an encrypted ssh transport. In this day and age, it is not unreasonable to expect users to start using an ssh client, even if they are running Windows. If they don't have one already, tell them to download Putty. There are also nice commercial clients, and if users are technically adept and so inclined, they can use openssh over cygwin.

Building a chrooted ssh

By design, OpenSSH does not include the capacity to be chrooted, as the developers contend such functionality belongs in the OS. Luckily, a third party patch has been developed. The patch, a pre-patched openssh tarball, and a good document about setting up the chrooted sftp are available at http://chrootssh.sourceforge.net.

Download the tarball for openssh, and the chrootssh patch (http://chrootssh.sourceforge.net/). Untar the openssh sources, then apply the patch.

[urbana@srv-3 ssh]$ tar xzf openssh-3.6.1p2.tar.gz
[urbana@srv-3 ssh]$ cd openssh-3.6.1p2
[urbana@srv-3 openssh-3.6.1p2]$ patch -p1 < ../osshChroot-3.6.1.diff
patching file session.c


Now build the chrooted OpenSSH.

[urbana@srv-3 openssh-3.6.1p2]$ ./configure --with-md5-password
[urbana@srv-3 openssh-3.6.1p2]$ make


Before you make install, you may want to make a copy of your current ssh binaries, if they are installed in /usr/local/bin and /usr/local/sbin, which is where openssh will put them by default. The install will not overwrite your config files or host keys, though if you're paranoid like us you'll back them up anyway.

[root@srv-3 openssh-3.6.1p2]# make install


This goes swimmingly on my Red Hat 7.3 workstation. Now, you'll need to kill the old sshd and start the new one. In my case, I have been running sshd from a different location, /usr/sbin/sshd which is where Red Hat installs it. In order to keep the rc script working, either change the path to sshd in your sshd rc script, (/etc/rc.d/init.d/sshd or something like that) or create a link like so:

[root@srv-3 openssh-3.6.1p2]# mv /usr/sbin/sshd /usr/sbin/sshd.old
[root@srv-3 openssh-3.6.1p2]# ln -s /usr/local/sbin/sshd /usr/sbin/sshd
[root@srv-3 ssh]# service sshd stop
Stopping sshd:                                             [  OK  ]
[root@srv-3 ssh]# service sshd start
Starting sshd:                                             [  OK  ]


Make sure you can ssh to your machine from another box. If sshd is working, we can proceed to my favorite part, setting up the chrooted jail.

Building a Jail

The chrooted environment must contain everything a user needs to copy files back and forth using sftp. This includes utilities used by sftp, libraries, a home directory, and even some device files. This will keep the user safely off the rest of the system. Before you get too excited, keep in mind that chrooted jails can be broken. But not easily. Referring to the document at chrootssh.sourceforge.net, we'll build our jail. We're going to call ours alcatraz.

[root@srv-3 u01]# mkdir /u01
[root@srv-3 u01]# mkdir alcatraz
[root@srv-3 alcatraz]# mkdir bin dev home lib usr
[root@srv-3 alcatraz]# cd bin


Copy the required binaries:

[root@srv-3 bin]# cp /bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir .
[root@srv-3 bin]# ln -s bash sh


Determine the required libraries and copy them into place:

[root@srv-3 bin]# cd ../lib
[root@srv-3 lib]# ldd ../bin/bash
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x4002b000)
        libdl.so.2 => /lib/libdl.so.2 (0x40030000)
        libc.so.6 => /lib/libc.so.6 (0x40033000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[root@srv-3 lib]# cp /lib/libtermcap.so.2 .
[root@srv-3 lib]# cp /lib/libdl.so.2 .
[root@srv-3 lib]# cp /lib/libc.so.6 .
[root@srv-3 lib]# cp /lib/ld-linux.so.2 .
[root@srv-3 lib]# ldd ../bin/cp
        libc.so.6 => /lib/libc.so.6 (0x4002b000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[root@srv-3 lib]# ldd ../bin/ls
        libtermcap.so.2 => /lib/libtermcap.so.2 (0x4002b000)
        libc.so.6 => /lib/libc.so.6 (0x40030000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)


Then set up what sftp itself needs:

[root@srv-3 alcatraz]# cd usr
[root@srv-3 usr]# mkdir lib
[root@srv-3 usr]# mkdir -p local/libexec
[root@srv-3 usr]# cp /usr/local/libexec/sftp-server local/libexec/
[root@srv-3 usr]# ldd local/libexec/sftp-server
        libutil.so.1 => /lib/libutil.so.1 (0x4002b000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4002f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4003d000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x40051000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40117000)
        libc.so.6 => /lib/libc.so.6 (0x40144000)
        libdl.so.2 => /lib/libdl.so.2 (0x4026b000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
[root@srv-3 usr]# cp /lib/libutil.so.1 ../lib/
[root@srv-3 usr]# cp /usr/lib/libz.so.1 lib/
[root@srv-3 usr]# cp /lib/libnsl.so.1 ../lib/
[root@srv-3 usr]# cp /lib/libcrypto.so.2 ../lib/
[root@srv-3 usr]# cp /lib/libcrypt.so.1 ../lib/
[root@srv-3 usr]# cp /lib/libc.so.6 ../lib/
cp: overwrite `../lib/libc.so.6'? n
[root@srv-3 usr]# cp /lib/libdl.so.2 ../lib/
cp: overwrite `../lib/libdl.so.2'? n


Now sftp can do its work. We still need the device files (/dev/null and /dev/zero):

[root@srv-3 usr]# cd ../dev
[root@srv-3 dev]# ls -l /dev/null /dev/zero
crw-rw-rw-    1 root     root       1,   3 Apr 11  2002 /dev/null
crw-rw-rw-    1 root     root       1,   5 Apr 11  2002 /dev/zero
[root@srv-3 dev]# mknod null c 1 3
[root@srv-3 dev]# mknod zero c 1 5
[root@srv-3 dev]# ls -l
total 0
crw-r--r--    1 root     root       1,   3 Jul 28 15:15 null
crw-r--r--    1 root     root       1,   5 Jul 28 15:15 zero


If you want to try out the chroot, look closely at the following.

[root@srv-3 root]# chroot /u01/alcatraz /bin/sh
[I have no name!@srv-3 /]# pwd
/
[I have no name!@srv-3 /]# ls
bin  dev  home  lib  usr


This works. But, as you can see, it is functionally limited. If we had an /etc/passwd file, we would immediately get the usual root prompt instead of the one shown above.

Setting up Users, Refining.

Let's add a chrooted user, then connect with ssh and test it.

[root@srv-3 bin]# useradd -d /u01/alcatraz/./home/usr-3 usr-3
[root@srv-3 bin]# passwd usr-3
Changing password for user usr-3.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@srv-3 bin]# ssh srv-4
root@srv-4's password: 
Last login: Mon Jul 28 13:44:49 2003 from srv-3.upthe.com
[root@srv-4 root]# ssh usr-3@srv-3
usr-3@srv-3's password: 
bash-2.05a$ pwd
/home/usr-3
bash-2.05a$ cd ../..
bash-2.05a$ ls
bin  dev  home  lib  usr


Yep, we are definitely in our jail. But let's see what we can do in this jail:

bash-2.05a$ mkdir z
mkdir: cannot create directory `z': Permission denied
bash-2.05a$ cd
bash-2.05a$ pwd
/home/usr-3
bash-2.05a$ mkdir z
bash-2.05a$ ls -l
total 4
drwxr-xr-x    2 548      548          4096 Jul 28 22:39 z
bash-2.05a$ cd ..
bash-2.05a$ rmdir usr-3
rmdir: `usr-3': Permission denied


Looks pretty good! The last thing we have to do is lock down little usr-3's shell so she can use only sftp. We are not allowing interactive logins, chrooted or no. The easiest way to do this is to use sftp-server as the shell. It's a little ugly, but it works.

[root@srv-4 root]# ssh usr-3@srv-3
usr-3@srv-3's password: 
Last login: Mon Jul 28 15:36:54 2003 from srv-4.upthe.com


Connection to srv-3 closed.
[root@srv-4 root]# sftp usr-3@srv-3
Connecting to srv-3...
usr-3@srv-3's password: 
sftp> pwd
Remote working directory: /home/usr-3
sftp> put /etc/group
Uploading /etc/group to /home/usr-3/group


The ugly part is that the session just hangs until interrupted when interactive login is attempted. You can always write a wrapper, but remember it must work within your chroot environment. Finally, let's tighten up our jail a little bit more. Let's take away usr-3's write permissions on her own home directory! Why, you ask? I'll show you.

[urbana@srv-4 .ssh]$ sftp usr-3@srv-3
Connecting to srv-3...
usr-3@srv-3's password: 
sftp> mkdir .ssh
sftp> lcd .ssh
sftp> cd .ssh
sftp> put id_dsa.pub authorized_keys                        
Uploading id_dsa.pub to /home/usr-3/.ssh/authorized_keys
sftp> exit
[urbana@srv-4 .ssh]$ sftp usr-3@srv-3
Connecting to srv-3...
sftp> 


This is fine, if you want to allow the user to write keys and circumvent the need for a valid password. But if you want to control access via passwords, lock down the home directory and give them write permissions on a directory below it.

[root@srv-3 usr-3]# mkdir files
[root@srv-3 usr-3]# chown usr-3:usr-3 files
[root@srv-3 usr-3]# chmod 700 files
[root@srv-3 usr-3]# ls -l
total 12
drwx------    2 usr-3     usr-3         4096 Jul 28 16:35 files
[root@srv-3 usr-3]# cd ..
[root@srv-3 home]# chown root:root usr-3
[root@srv-3 home]# ls -l
total 4
drwx------    3 root     root         4096 Jul 28 16:35 usr-3


That will keep usr-3 from playing her naughty tricks. I'm looking forward to imprisoning many users with this system. True, there's no proof they've done anything wrong, but I'm sure they're just waiting for the opportunity!

 

Tip. chroot  환경 디렉토리  자동 생성 스크립트

#!/bin/sh
# Build a chroot environment for sftp users: copy the required binaries and
# every shared library they depend on, then create the device files.

CHROOT_DIR=/chroot

# libnss_files.so.2 is loaded at run time for name lookups, so ldd does not
# list it as a dependency; it has to be named explicitly.
REQUIRED_CHROOT_FILES="  /bin/cp
                         /bin/ls
                         /bin/mkdir
                         /bin/mv
                         /bin/rm
                         /bin/rmdir
                         /bin/sh
                         /usr/local/libexec/sftp-server
                         /lib/libnss_files.so.2"

# Create CHROOT_DIR
[ -d "$CHROOT_DIR" ] || mkdir -p "$CHROOT_DIR"
cd "$CHROOT_DIR" || exit 1

# Copy REQUIRED_CHROOT_FILES and shared library dependencies to the chroot
# environment. "cut -c2-" strips the leading "/" so every path becomes
# relative to CHROOT_DIR.
for FILE in $REQUIRED_CHROOT_FILES
do
   DIR=`dirname "$FILE" | cut -c2-`
   [ -d "$DIR" ] || mkdir -p "$DIR"
   cp "$FILE" "`echo "$FILE" | cut -c2-`"
   # ldd prints "libfoo.so => /path/libfoo.so (addr)" for resolved libraries
   # and "/lib/ld-linux.so.2 (addr)" for the dynamic loader on newer systems;
   # take the path from both forms and skip entries that have no file
   # behind them (such as linux-vdso).
   for SHARED_LIBRARY in `ldd "$FILE" | awk '$2 == "=>" && index($3, "/") == 1 {print $3} $2 != "=>" && index($1, "/") == 1 {print $1}'`
   do
      DIR=`dirname "$SHARED_LIBRARY" | cut -c2-`
      [ -d "$DIR" ] || mkdir -p "$DIR"
      TARGET=`echo "$SHARED_LIBRARY" | cut -c2-`
      [ -s "$TARGET" ] || cp "$SHARED_LIBRARY" "$TARGET"
   done
done

# Create device files. They must be world-writable (like the real /dev/null
# and /dev/zero), otherwise the unprivileged jailed user cannot use them.
mkdir -p "$CHROOT_DIR/dev"
[ -c "$CHROOT_DIR/dev/null" ] || mknod "$CHROOT_DIR/dev/null" c 1 3
[ -c "$CHROOT_DIR/dev/zero" ] || mknod "$CHROOT_DIR/dev/zero" c 1 5
chmod 666 "$CHROOT_DIR/dev/null" "$CHROOT_DIR/dev/zero"

# Create chroot /etc/passwd placeholder
mkdir -p "$CHROOT_DIR/etc"
touch "$CHROOT_DIR/etc/passwd"
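The article above suggests writing a wrapper instead of using sftp-server directly as the login shell, so that an interactive login is refused rather than left hanging. The following sftp-only shell is an added example, not code from the article or the chrootssh project: sshd runs the login shell as `$SHELL -c "<Subsystem sftp command>"`, so the wrapper accepts exactly that command and nothing else. It assumes sftp-server sits at /usr/local/libexec/sftp-server inside the jail (overridable through the hypothetical SFTP_SERVER variable) and that the wrapper itself is installed inside the jail, since the chroot happens before the shell starts.

```shell
#!/bin/sh
# sftp-only login shell for a chrooted user (added example, hypothetical
# wrapper). Install it inside the jail, e.g. /u01/alcatraz/bin/sftp-only,
# make it the user's shell with "usermod -s", and list that path in the
# host's /etc/shells so the login is accepted.

# Path of sftp-server inside the jail; assumed to match the article's layout.
SFTP_SERVER="${SFTP_SERVER:-/usr/local/libexec/sftp-server}"

# sftp_only_shell: when invoked the way sshd invokes a login shell for the
# sftp subsystem ("-c <sftp-server path>"), replace ourselves with
# sftp-server. Anything else, i.e. an interactive login (no "-c"), scp,
# or an arbitrary command, is refused with a message and exit status 1
# instead of hanging the way a bare sftp-server shell does.
sftp_only_shell() {
    if [ "$#" -eq 2 ] && [ "$1" = "-c" ] && [ "$2" = "$SFTP_SERVER" ]; then
        exec "$SFTP_SERVER"
    fi
    echo "This account is restricted to sftp file transfer." >&2
    return 1
}

sftp_only_shell "$@"
```

Because the comparison is against the full subsystem command, the Subsystem line in sshd_config and SFTP_SERVER must name the same path.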
