创建用户并设置密码
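# Create the jailed account. 'useradd -p' expects an already-hashed password
# and anything passed there is visible in 'ps' output and shell history, so
# the password is taken from the CTUSER_PASSWORD environment variable and fed
# to chpasswd on stdin instead ('passwd --stdin' exists only on RHEL-family
# systems; chpasswd is in shadow-utils everywhere).
: "${CTUSER_PASSWORD:?set CTUSER_PASSWORD in the environment}"
groupadd ctuser
useradd -g ctuser -d /logs/tomcat ctuser
printf '%s:%s\n' ctuser "$CTUSER_PASSWORD" | chpasswd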
将用户限制在某个目录下
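# Restrict ctuser to the jail. A Match block applies to every directive that
# follows it, so it must stay at the very end of sshd_config; the grep guard
# keeps it from being appended twice. Validate with 'sshd -t' before
# restarting: a typo would otherwise leave sshd down and the host unreachable.
# sshd also requires /logs/tomcat and every parent directory to be root-owned
# and not group/world-writable, or ctuser's login is refused.
if ! grep -q '^Match User ctuser$' /etc/ssh/sshd_config; then
  cat >> /etc/ssh/sshd_config << 'EOF'
Match User ctuser
ChrootDirectory /logs/tomcat/
EOF
fi
if sshd -t; then
  systemctl restart sshd
else
  printf 'sshd_config is invalid; not restarting sshd\n' >&2
fi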
建立chroot监狱
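# Build the jail skeleton. sshd refuses a ChrootDirectory that is not owned
# by root or is group/world-writable (useradd may have created /logs/tomcat
# owned by ctuser), so ownership and mode are set explicitly. 'mkdir -p' and
# the existence checks on the device nodes make this block safe to re-run.
mkdir -p /logs/tomcat/{bin,dev,lib64,etc}
chown root:root /logs/tomcat
chmod 0755 /logs/tomcat
# Character devices a login shell needs: name, major, minor.
for spec in 'null 1 3' 'zero 1 5' 'random 1 8' 'urandom 1 9' 'tty 5 0'; do
  read -r dev_name dev_major dev_minor <<<"$spec"
  [[ -e "/logs/tomcat/dev/$dev_name" ]] \
    || mknod "/logs/tomcat/dev/$dev_name" c "$dev_major" "$dev_minor"
done
chmod 0666 /logs/tomcat/dev/{null,zero,tty}
# Expose only the account entries the jail needs. Copying /etc/passwd and
# /etc/group wholesale hands the jailed user a list of every account on the
# host.
getent passwd root ctuser > /logs/tomcat/etc/passwd
getent group root ctuser > /logs/tomcat/etc/group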
拷贝可以使用的命令
执行脚本如下:
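#--------- begin ---------
# Copy the allowed programs and every shared library they need into the jail.
# Programs the jailed user may run.
cmdlist=(/bin/bash /bin/ls /bin/vi /bin/vim /bin/pwd /bin/more /bin/less /bin/cat /bin/tail /bin/head)
# Jail root (no trailing slash; paths below are joined with "/").
chroot_path=/logs/tomcat
# Copy the programs themselves.
mkdir -p "$chroot_path/bin"
for cmd in "${cmdlist[@]}"; do
  cp -a -- "$cmd" "$chroot_path/bin/" && printf '%s done\n' "$cmd"
done
# Resolve the libraries. Each useful ldd line ends in "<path> (0xADDR)", so the
# field before the address is taken whenever it is an absolute path; that
# covers both "libc.so.6 => /lib64/libc.so.6 (…)" and the bare dynamic-loader
# line "/lib64/ld-linux-x86-64.so.2 (…)". The NF >= 2 guard skips the "prog:"
# header lines ldd prints when given several programs, and "not found" entries
# never match. ldd may execute the program's loader, so only point it at
# trusted system binaries.
mapfile -t libs < <(ldd "${cmdlist[@]}" | awk 'NF >= 2 && $(NF-1) ~ /^\// { print $(NF-1) }' | sort -u)
# Copy each library preserving its directory (--parents) so the jail mirrors
# the host layout whether libraries live in /lib, /lib64 or /usr/lib*, instead
# of hard-coding lib64 for x86_64 and lib for i386.
for lib in "${libs[@]}"; do
  cp -f --parents -- "$lib" "$chroot_path/" && printf '%s done\n' "$lib"
done
#--------- end ---------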
拷贝环境变量
# Shell startup files for the jailed bash: reuse the host's bashrc and make
# sure /bin is on PATH inside the jail.
cp /etc/bashrc /logs/tomcat/etc/
printf '%s\n' 'export PATH=$PATH:/bin' >> /logs/tomcat/etc/profile
具体脚本
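#!/usr/bin/env bash
# Build an SSH chroot jail for the ctuser account rooted at /logs/tomcat.
# Run as root. The account password is read from CTUSER_PASSWORD in the
# environment; it is never written into this file or placed on a command line
# (where it would show up in 'ps' output and shell history).
# Every step is guarded so re-running the script is safe.
set -euo pipefail

readonly jail_user=ctuser
readonly chroot_path=/logs/tomcat
# Programs the jailed user may run; their shared libraries are copied as well.
readonly cmdlist=(/bin/bash /bin/ls /bin/vi /bin/vim /bin/pwd /bin/more /bin/less /bin/cat /bin/tail /bin/head)

: "${CTUSER_PASSWORD:?set CTUSER_PASSWORD in the environment before running}"

# --- account -----------------------------------------------------------------
getent group "$jail_user" >/dev/null || groupadd "$jail_user"
getent passwd "$jail_user" >/dev/null \
  || useradd -g "$jail_user" -d "$chroot_path" "$jail_user"
# chpasswd reads "user:password" on stdin and is in shadow-utils on every
# distribution ('passwd --stdin' is RHEL-only).
printf '%s:%s\n' "$jail_user" "$CTUSER_PASSWORD" | chpasswd

# --- jail root ---------------------------------------------------------------
# sshd refuses a ChrootDirectory unless it and every parent are owned by root
# and not group/world-writable; useradd may have created it owned by the user.
mkdir -p "$chroot_path"/{bin,dev,lib64,etc}
chown root:root "$chroot_path"
chmod 0755 "$chroot_path"

# make_dev NAME MAJOR MINOR MODE — create one character device node, once.
make_dev() {
  local node="$chroot_path/dev/$1"
  [[ -e "$node" ]] || mknod -m "$4" "$node" c "$2" "$3"
}
make_dev null    1 3 0666
make_dev zero    1 5 0666
make_dev random  1 8 0666
make_dev urandom 1 9 0666
make_dev tty     5 0 0666

# Only the account entries the jail needs, not the whole system account list.
# NOTE(review): inside the jail the home directory $chroot_path does not exist
# (the jail's root *is* that directory); sshd will presumably warn that it
# cannot chdir to it and start the session in / — consider rewriting the home
# field to / in the jail's passwd file. TODO confirm on the target host.
getent passwd root "$jail_user" > "$chroot_path/etc/passwd"
getent group  root "$jail_user" > "$chroot_path/etc/group"

# --- programs and their shared libraries ------------------------------------
# A failed copy aborts the script (set -e) instead of leaving a half-built jail.
for cmd in "${cmdlist[@]}"; do
  cp -a -- "$cmd" "$chroot_path/bin/"
  printf '%s done\n' "$cmd"
done
# Each useful ldd line ends in "<path> (0xADDR)": take the field before the
# address when it is an absolute path, which covers both
# "libc.so.6 => /lib64/libc.so.6 (…)" and the bare loader line
# "/lib64/ld-linux-x86-64.so.2 (…)". NF >= 2 skips the "prog:" header lines
# ldd prints for several programs. ldd may execute the program's loader, so
# only run it on trusted system binaries.
mapfile -t libs < <(ldd "${cmdlist[@]}" | awk 'NF >= 2 && $(NF-1) ~ /^\// { print $(NF-1) }' | sort -u)
# --parents preserves each library's directory, so the jail mirrors the host
# whether libraries live in /lib, /lib64 or /usr/lib* (no hard-coded lib64).
for lib in "${libs[@]}"; do
  cp -f --parents -- "$lib" "$chroot_path/"
  printf '%s done\n' "$lib"
done

# --- shell environment -------------------------------------------------------
if [[ -f /etc/bashrc ]]; then
  cp /etc/bashrc "$chroot_path/etc/"
fi
grep -qxF 'export PATH=$PATH:/bin' "$chroot_path/etc/profile" 2>/dev/null \
  || printf '%s\n' 'export PATH=$PATH:/bin' >> "$chroot_path/etc/profile"

# --- sshd --------------------------------------------------------------------
# Done last, once the jail is complete. The Match block applies to every
# directive after it, so it must stay at the end of sshd_config; it is appended
# only once. 'sshd -t' validates the file before the restart so a typo cannot
# take sshd down and lock us out.
if ! grep -q "^Match User ${jail_user}\$" /etc/ssh/sshd_config; then
  cat >> /etc/ssh/sshd_config <<EOF
Match User ${jail_user}
ChrootDirectory ${chroot_path}/
EOF
fi
sshd -t
systemctl restart sshd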