Building a chroot environment on CentOS

Note: chroot means "change root". Take the Apache service as an example: it is installed directly under the root directory, so when you look at its process information with ps, the paths shown are resolved from the system's root. To build a chroot environment you need the tool jail.tar.gz. A jail is exactly what the name says: if you want a service to be safer, you throw it into the jail to run, so that an attacker who breaks in can only control what is inside the jail and cannot escape it to control anything else. This write-up runs a little long; follow the detailed steps below.

1 Install jail and build the jail environment

[root@rrd ~]# useradd -g users -d /var/chroot/ -s /usr/bin/jail prisoner
[root@rrd ~]# tail /etc/passwd
prisoner:x:501:100::/var/chroot/:/usr/bin/jail
[root@rrd ~]# wget
[root@rrd ~]# tar zxf jail.tar.gz
[root@rrd ~]# cd jail/bin
[root@rrd bin]# ll
total 20
-rwxr-xr-x 1 1002 1002 4726 Apr 2 2004 addjailsw
-rwxr-xr-x 1 1002 1002 2578 Apr 2 2004 addjailuser
drwxr-xr-x 2 1002 1002 4096 Apr 2 2004 CVS
-rwxr-xr-x 1 1002 1002 2750 Apr 2 2004 mkjailenv
[root@rrd bin]# cd ..
[root@rrd jail]# cd src/
[root@rrd src]# ll
total 68
drwxr-xr-x 2 1002 1002 4096 Apr 2 2004 CVS
-rw-r--r-- 1 1002 1002 5893 Apr 2 2004 generic_helpers.c
-rw-r--r-- 1 1002 1002 1478 Apr 2 2004 generic_helpers.h
-rw-r--r-- 1 1002 1002 2111 Apr 2 2004 globals.h
-rw-r--r-- 1 1002 1002 1260 Apr 2 2004 helpers.h
-rw-r--r-- 1 1002 1002 13379 Apr 2 2004 jail.c
-rw-r--r-- 1 1002 1002 1913 Apr 2 2004 Makefile
-rw-r--r-- 1 1002 1002 3790 Apr 2 2004 passwd_helpers.c
-rw-r--r-- 1 1002 1002 1396 Apr 2 2004 passwd_helpers.h
-rwxr-xr-x 1 1002 1002 1669 Apr 2 2004 preinstall.sh
-rw-r--r-- 1 1002 1002 3386 Apr 2 2004 terminal_helpers.c
-rw-r--r-- 1 1002 1002 1304 Apr 2 2004 terminal_helpers.h
-rw-r--r-- 1 1002 1002 1770 Apr 2 2004 types.h
[root@rrd src]# vim Makefile
INSTALL_DIR = /tmp/jail    ## find this line and change the path to /usr/local/jail, then save and quit (use whatever location you prefer)
[root@rrd src]# mkdir /usr/local/jail
[root@rrd src]# make
[root@rrd src]# make install
[root@rrd src]# /usr/local/jail/bin/mkjailenv /var/chroot
mkjailenv
A component of Jail (version 1.9 for linux)
Juan M. Casillas <juanm.casillas@jmcresearch.com>
Making chrooted environment into /var/chroot
 Doing preinstall()
 Doing special_devices()
 Doing gen_template_password()
 Doing postinstall()
Done.
[root@rrd src]# ll /var/chroot/    ## the directory now contains files
total 8
drwxr-xr-x 2 root root 4096 Aug 31 19:49 dev
drwxr-xr-x 2 root root 4096 Aug 31 19:49 etc
[root@rrd src]# /usr/local/jail/bin/addjailuser /var/chroot /home/prisoner /bin/bash prisoner
addjailuser
A component of Jail (version 1.9 for linux)
Juan M. Casillas <juanm.casillas@jmcresearch.com>
Adding user prisoner in chrooted environment /var/chroot
Done.
[root@rrd src]# ll /var/chroot/
total 12
drwxr-xr-x 2 root root 4096 Aug 31 19:49 dev
drwxr-xr-x 2 root root 4096 Aug 31 19:49 etc
drwxr-xr-x 3 root root 4096 Aug 31 19:51 home
[root@rrd src]# /usr/local/jail/bin/addjailsw /var/chroot/
or
[root@rrd src]# /usr/local/jail/bin/addjailsw /var/chroot/ -D
or
[root@rrd src]# /usr/local/jail/bin/addjailsw /var/chroot/ -P bash "--version"
addjailsw
A component of Jail (version 1.9 for linux)
Juan M. Casillas <juanm.casillas@jmcresearch.com>
Guessing mv args()
Guessing ls args()
Guessing ln args()
Guessing grep args()
Guessing cat args()
Guessing rmdir args()
Guessing vi args(-c q)
Guessing tail args()
Guessing sh args()
Guessing id args()
Guessing rm args()
Guessing head args()
Guessing cp args()
Guessing pwd args()
Guessing mkdir args()
Guessing touch args()
Guessing more args()
Warning: can't create /proc/mounts from the /proc filesystem
Warning: can't create /proc/filesystems from the /proc filesystem
Warning: not allowed to overwrite /var/chroot//etc/passwd
Warning: not allowed to overwrite /var/chroot//etc/group
Warning: can't create /proc/meminfo from the /proc filesystem
Done.
[root@rrd chroot]# ll
total 32
drwxr-xr-x 2 root root 4096 Aug 31 19:57 bin
drwxr-xr-x 2 root root 4096 Aug 31 19:56 dev
drwxr-xr-x 3 root root 4096 Aug 31 19:56 etc
drwxr-xr-x 3 root root 4096 Aug 31 19:51 home
drwxr-xr-x 2 root root 4096 Aug 31 19:56 lib64
drwsrwxrwx 2 root root 4096 Aug 31 19:57 tmp
drwxr-xr-x 6 root root 4096 Aug 31 19:56 usr
drwxr-xr-x 3 root root 4096 Aug 31 19:57 var
[root@rrd chroot]# mkdir /var/chroot/lib
[root@rrd chroot]# cp /lib/ld-linux.so.2 /var/chroot/lib/
[root@rrd chroot]# ll lib64/
total 2508
-rwxr-xr-x 1 root root 27920 Aug 31 19:56 libacl.so.1
-rwxr-xr-x 1 root root 17888 Aug 31 19:56 libattr.so.1
-rwxr-xr-x 1 root root 1717800 Aug 31 19:57 libc.so.6
-rwxr-xr-x 1 root root 23360 Aug 31 19:57 libdl.so.2
-rwxr-xr-x 1 root root 53880 Aug 31 19:56 libnss_files.so.2
-rwxr-xr-x 1 root root 117680 Aug 31 19:56 libpcre.so.0
-rwxr-xr-x 1 root root 145824 Aug 31 19:56 libpthread.so.0
-rwxr-xr-x 1 root root 53448 Aug 31 19:56 librt.so.1
-rwxr-xr-x 1 root root 95464 Aug 31 19:56 libselinux.so.1
-rwxr-xr-x 1 root root 247496 Aug 31 19:56 libsepol.so.1
-rwxr-xr-x 1 root root 15584 Aug 31 19:57 libtermcap.so.2
[root@rrd chroot]# cp /lib64/ld-linux-x86-64.so.2 /var/chroot/lib64/
[root@rrd chroot]# mkdir /var/chroot/etc/bash
[root@rrd chroot]# cp /etc/bashrc /var/chroot/etc/bash/
[root@rrd chroot]# cp /etc/profile /var/chroot/etc/
[root@rrd chroot]# cp /etc/DIR_COLORS /var/chroot/etc/
[root@rrd chroot]# /usr/local/jail/bin/addjailsw /var/chroot/ -P whoami
addjailsw
A component of Jail (version 1.9 for linux)
Juan M. Casillas <juanm.casillas@jmcresearch.com>
Guessing whoami args(0)
Warning: file /var/chroot//lib64/libc.so.6 exists. Overwritting it
Warning: file /var/chroot//etc/ld.so.cache exists. Overwritting it
Warning: file /var/chroot//usr/lib/locale/locale-archive exists. Overwritting it
Warning: file /var/chroot//usr/share/locale/locale.alias exists. Overwritting it
Done.

If IP addresses are reachable from inside the chroot but hostnames do not resolve ("Name or service not known"):

[root@rrd chroot]# cp -a /lib/libnss_dns* /lib/libresolv* /var/chroot/lib/

For the 64-bit architecture:

[root@rrd chroot]# cp -a /lib64/libnss_dns* /lib64/libresolv* /var/chroot/lib64/
[root@rrd chroot]# ll
total 36
drwxr-xr-x 2 root root 4096 Aug 31 19:57 bin
drwxr-xr-x 2 root root 4096 Aug 31 19:56 dev
drwxr-xr-x 4 root root 4096 Aug 31 20:06 etc
drwxr-xr-x 3 root root 4096 Aug 31 19:51 home
drwxr-xr-x 2 root root 4096 Aug 31 20:26 lib
drwxr-xr-x 2 root root 4096 Aug 31 20:27 lib64
drwsrwxrwx 2 root root 4096 Aug 31 20:07 tmp
drwxr-xr-x 6 root root 4096 Aug 31 19:56 usr
drwxr-xr-x 3 root root 4096 Aug 31 20:07 var
[root@rrd chroot]# ll dev/
total 0
crw-rw-rw- 1 root root 1, 3 Aug 31 19:49 null
crw-rw-rw- 1 root tty 5, 0 Aug 31 19:56 tty
cr--r--r-- 1 root root 1, 9 Aug 31 19:49 urandom
crw-rw-rw- 1 root root 1, 5 Aug 31 19:49 zero
[root@rrd chroot]# mount -o bind /dev/ /var/chroot/dev/
[root@rrd chroot]# ll dev/    ## this now lists a great many files, omitted here
[root@rrd chroot]# mount -t devpts none /var/chroot/dev/pts
[root@rrd chroot]# mkdir /var/chroot/proc
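As an added post-build check for the tree assembled above (my own script, not part of the jail package or of the original post), assuming the chroot root is given as the first argument and that find(1) and ldd(1) exist on the host: it reports libraries a host binary needs that are missing under the jail (the work addjailsw guesses at, useful for anything copied in by hand such as the resolver libraries), flags setuid files and world-writable directories without the sticky bit (the tmp created above is drwsrwxrwx), and lists block devices that the bind mount of /dev exposes inside the jail.

```shell
#!/bin/sh
# jail_audit.sh: post-build checks for a chroot tree such as /var/chroot.
# Added helper, not part of the jail package. Assumes POSIX sh, find(1)
# and, for the library check, ldd(1) output piped in on stdin.

# Read ldd(1) output for a host binary and print every library path that
# does not exist under the jail root $1. Returns 1 if anything is missing.
missing_libs_from_ldd() {
    jail=$1; rc=0
    while read -r line; do
        case $line in
            *'=>'*) path=${line#*=> }; path=${path%% *} ;;  # libc.so.6 => /lib64/libc.so.6 (0x..)
            /*)     path=${line%% *} ;;                     # /lib64/ld-linux-x86-64.so.2 (0x..)
            *)      continue ;;                             # "statically linked" and similar
        esac
        case $path in /*) ;; *) continue ;; esac            # the vdso has no file behind it
        [ -e "$jail$path" ] || { printf '%s\n' "$path"; rc=1; }
    done
    return $rc
}

# Setuid/setgid files inside the jail: a jail should not need any.
jail_setuid_files() { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \); }

# World-writable directories without the sticky bit (the tmp made above is drwsrwxrwx).
jail_unsticky_world_writable() { find "$1" -xdev -type d -perm -002 ! -perm -1000; }

# Block devices under $JAIL/dev: "mount -o bind /dev" brings the host disks in,
# far more than the null/tty/urandom/zero nodes mkjailenv created.
jail_block_devices() { find "$1/dev" -type b 2>/dev/null; }

# Run the tree checks on jail root $1 and return 1 if anything was reported
# (paths are assumed not to contain whitespace).
audit_jail() {
    jail=$1; bad=0
    for f in $(jail_setuid_files "$jail"); do printf 'setuid/setgid: %s\n' "$f"; bad=1; done
    for d in $(jail_unsticky_world_writable "$jail"); do printf 'world-writable, no sticky: %s\n' "$d"; bad=1; done
    for b in $(jail_block_devices "$jail"); do printf 'block device in jail: %s\n' "$b"; bad=1; done
    return $bad
}

# Usage: sh jail_audit.sh /var/chroot
#        ldd /bin/bash | missing_libs_from_ldd /var/chroot
if [ $# -gt 0 ]; then audit_jail "$1"; fi
```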
