创建与主系统分离的独立的运行环境

Read

chroot命令的主要作用是提供一个隔离的环境，使得在该环境下运行的进程无法访问到主系统的文件和目录。这样可以增加系统的安全性，防止进程对系统进行非法操作或者破坏。

一、基础环境

$ uname -a
Linux hk 5.14.0-514.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 30 14:56:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
$ uname -r
5.14.0-514.el9.x86_64
$ uname -m
x86_64

$ uname -a

Linux hk 5.14.0-514.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Sep 30 14:56:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

$ uname -r

5.14.0-514.el9.x86_64

$ uname -m

x86_64

SourceByrd's Weblog-https://note.t4x.org/environment/linux-env-chroot/

二、创建账号

$ useradd developer
$ echo '123456' | passwd --stdin developer

0 1	$ useradd developer $ echo '123456' \| passwd --stdin developer

SourceByrd's Weblog-https://note.t4x.org/environment/linux-env-chroot/

三、配置SSHD

$ echo 'Match User developer' >> /etc/ssh/sshd_config
$ echo 'ChrootDirectory /data/chroot' >> /etc/ssh/sshd_config
$ sed -i 's/^Subsystem.*$/Subsystem sftp internal-sftp/' /etc/ssh/sshd_config
$ systemctl restart sshd

$ echo 'Match User developer' >> /etc/ssh/sshd_config

$ echo 'ChrootDirectory /data/chroot' >> /etc/ssh/sshd_config

$ sed -i 's/^Subsystem.*$/Subsystem sftp internal-sftp/' /etc/ssh/sshd_config

$ systemctl restart sshd

SourceByrd's Weblog-https://note.t4x.org/environment/linux-env-chroot/

四、权限配置

VIP内容

VIP登录后查看

五、bug fix

$ \cp /etc/bashrc /data/chroot/etc/
$ chmod 1777 /data/chroot/tmp

0 1	$ \cp /etc/bashrc /data/chroot/etc/ $ chmod 1777 /data/chroot/tmp

SourceByrd's Weblog-https://note.t4x.org/environment/linux-env-chroot/

六、其他说明

①　查找命令在系统中的实际位置，并拷贝到bin或者sbin目录下【指的是copy到chroot的bin或者sbin目录】
②　用ldd命令查找出命令运行时所依赖的共享包
③　把这些共享包拷贝到lib64下
4️⃣　下面的示例参考：

cd /data/chroot/bin \cp /usr/bin/ls . chroot=/data/chroot ldd /usr/bin/ls for i in `ldd /usr/bin/ls | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done for i in `ldd /usr/bin/ls | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done \cp /usr/sbin/ping . \cp /usr/sbin/arp /data/chroot/bin/ \cp /usr/sbin/ip /data/chroot/bin/ \cp /usr/bin/netstat /data/chroot/bin/ \cp /usr/sbin/route /data/chroot/bin/ \cp /usr/sbin/ifconfig /data/chroot/bin/ \cp /usr/bin/echo /data/chroot/bin/ ldd /usr/sbin/ping for i in `ldd /usr/sbin/ping | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done for i in `ldd /usr/sbin/ping | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done chroot=/data/chroot ldd /usr/sbin/arp for i in `ldd /usr/sbin/arp | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done for i in `ldd /usr/sbin/arp | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done chroot=/data/chroot ldd /usr/bin/netstat for i in `ldd /usr/bin/netstat | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done for i in `ldd /usr/bin/netstat | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done chroot=/data/chroot ldd /usr/sbin/ip for i in `ldd /usr/sbin/ip | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done for i in `ldd /usr/sbin/ip | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done chroot=/data/chroot ldd /usr/sbin/route for i in `ldd /usr/sbin/route | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done for i in `ldd /usr/sbin/route | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done chroot=/data/chroot ldd /usr/sbin/ifconfig for i in `ldd /usr/sbin/ifconfig | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done for i in `ldd /usr/sbin/ifconfig | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done chroot=/data/chroot \cp /usr/bin/curl /data/chroot/bin ldd /usr/bin/curl for i in `ldd /usr/bin/curl | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done for i in `ldd /usr/bin/curl | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done \cp -ap /etc/pki/ /data/chroot/etc/

0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

cd /data/chroot/bin
\cp /usr/bin/ls .
chroot=/data/chroot
ldd /usr/bin/ls
for i in `ldd /usr/bin/ls | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
for i in `ldd /usr/bin/ls | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
\cp /usr/sbin/ping .
\cp /usr/sbin/arp /data/chroot/bin/
\cp /usr/sbin/ip /data/chroot/bin/
\cp /usr/bin/netstat /data/chroot/bin/
\cp /usr/sbin/route /data/chroot/bin/
\cp /usr/sbin/ifconfig /data/chroot/bin/
\cp /usr/bin/echo /data/chroot/bin/
ldd /usr/sbin/ping
for i in `ldd /usr/sbin/ping | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
for i in `ldd /usr/sbin/ping | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
chroot=/data/chroot
ldd /usr/sbin/arp
for i in `ldd /usr/sbin/arp | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
for i in `ldd /usr/sbin/arp | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
chroot=/data/chroot
ldd /usr/bin/netstat
for i in `ldd /usr/bin/netstat | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
for i in `ldd /usr/bin/netstat | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
chroot=/data/chroot
ldd /usr/sbin/ip
for i in `ldd /usr/sbin/ip | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
for i in `ldd /usr/sbin/ip | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
chroot=/data/chroot
ldd /usr/sbin/route
for i in `ldd /usr/sbin/route | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
for i in `ldd /usr/sbin/route | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
chroot=/data/chroot
ldd /usr/sbin/ifconfig
for i in `ldd /usr/sbin/ifconfig | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
for i in `ldd /usr/sbin/ifconfig | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
chroot=/data/chroot
\cp /usr/bin/curl /data/chroot/bin
ldd /usr/bin/curl
for i in `ldd /usr/bin/curl | awk '{print $3}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
for i in `ldd /usr/bin/curl | awk '{print $1}'| grep '^/lib'`;do \cp -v $i $chroot/lib64/;done
\cp -ap /etc/pki/ /data/chroot/etc/

SourceByrd's Weblog-https://note.t4x.org/environment/linux-env-chroot/