
Linux/Unix: chroot Command Examples Explained

Published: 2014-05-31 11:56:20  Source: 红联 (Honglian)  Author: velcbo
Source: Linux中国

I am a new Linux and Unix user. How do I change the root directory of a command? How do I change the root directory of a process, for example using the chroot command to isolate a web service from the rest of the file system? How do I use chroot to recover a password or repair a damaged Linux/Unix environment?

On Linux and Unix-like systems, the current working directory of each process/command is called the root directory of that process/command (translator's note: the translator believes this is wrong; a process that has not been chrooted has the system root directory as its root, not its working directory). You can use the chroot command to change the root directory of a command, which ultimately changes the root directory of the running process and of its child processes.

A process/command can be run in a modified environment that cannot access files outside its root directory. Such a modified environment is usually called a "jail" or a "chroot jail". Only privileged processes and the root user can use the chroot command. It is commonly useful for:
1. Privilege separation for unprivileged processes, such as a web server or DNS server.
2. Setting up a test environment.
3. Running old programs or ABI-compatible programs without crashing the program or the system.
4. System recovery.
5. Reinstalling a boot loader such as GRUB or LILO.
6. Password recovery, resetting a lost password, and so on.

Purpose

The chroot command changes its current directory, sets the root directory to the specified directory, and then runs the given command if one is supplied; it can also run a copy of the user's interactive shell (translator's note: i.e. bash and the like). Note that not every program can be chrooted.

Syntax

The basic syntax is as follows:
chroot /path/to/new/root command

or
chroot /path/to/new/root /path/to/server

or
chroot [options] /path/to/new/root /path/to/server

chroot command examples

In this example, a "mini jail" is built to test a Bash shell that has only the ls command. First set the jail path; the directories themselves are created with the mkdir command in the next step:
$ J=$HOME/jail

Create the directories inside $J:
$ mkdir -p $J
$ mkdir -p $J/{bin,lib64,lib}
$ cd $J

Use the cp command to copy /bin/bash and /bin/ls into $J/bin/:
$ cp -v /bin/{bash,ls} $J/bin

Copy the required library files into $J. Use the ldd command to find the shared libraries that bash depends on:
$ ldd /bin/bash

Sample output:
linux-vdso.so.1 => (0x00007fff8d987000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00000032f7a00000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000032f6e00000)
libc.so.6 => /lib64/libc.so.6 (0x00000032f7200000)
/lib64/ld-linux-x86-64.so.2 (0x00000032f6a00000)

Copy the library files listed in the output above directly into $J:
$ cp -v /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 $J/lib64/

Sample output:
`/lib64/libtinfo.so.5' -> `/home/vivek/jail/lib64/libtinfo.so.5'
`/lib64/libdl.so.2' -> `/home/vivek/jail/lib64/libdl.so.2'
`/lib64/libc.so.6' -> `/home/vivek/jail/lib64/libc.so.6'
`/lib64/ld-linux-x86-64.so.2' -> `/home/vivek/jail/lib64/ld-linux-x86-64.so.2'

Copy the libraries needed by the ls command into $J as well. Use ldd to print the shared libraries that ls depends on:
$ ldd /bin/ls

Sample output:
linux-vdso.so.1 => (0x00007fff68dff000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00000032f8a00000)
librt.so.1 => /lib64/librt.so.1 (0x00000032f7a00000)
libcap.so.2 => /lib64/libcap.so.2 (0x00000032fda00000)
libacl.so.1 => /lib64/libacl.so.1 (0x00000032fbe00000)
libc.so.6 => /lib64/libc.so.6 (0x00000032f7200000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000032f6e00000)
/lib64/ld-linux-x86-64.so.2 (0x00000032f6a00000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00000032f7600000)
libattr.so.1 => /lib64/libattr.so.1 (0x00000032f9600000)

You could copy the library files one at a time, but to do the job more efficiently we can use a bash shell loop instead:
list="$(ldd /bin/ls | egrep -o '/lib.*\.[0-9]')"
for i in $list; do cp -v "$i" "${J}${i}"; done

Sample output:
`/lib64/libselinux.so.1' -> `/home/vivek/jail/lib64/libselinux.so.1'
`/lib64/librt.so.1' -> `/home/vivek/jail/lib64/librt.so.1'
`/lib64/libcap.so.2' -> `/home/vivek/jail/lib64/libcap.so.2'
`/lib64/libacl.so.1' -> `/home/vivek/jail/lib64/libacl.so.1'
`/lib64/libc.so.6' -> `/home/vivek/jail/lib64/libc.so.6'
`/lib64/libdl.so.2' -> `/home/vivek/jail/lib64/libdl.so.2'
`/lib64/ld-linux-x86-64.so.2' -> `/home/vivek/jail/lib64/ld-linux-x86-64.so.2'
`/lib64/libpthread.so.0' -> `/home/vivek/jail/lib64/libpthread.so.0'
`/lib64/libattr.so.1' -> `/home/vivek/jail/lib64/libattr.so.1'

Finally, chroot into your new jail:
$ sudo chroot $J /bin/bash

Try browsing /etc or /var:
# ls /
# ls /etc/
# ls /var/

The bash and ls programs whose root directory was changed are now jailed inside the special directory $J (i.e. $HOME/jail) and can no longer access the directory tree outside it; that directory is effectively their "/" (root) directory. If configured correctly, this greatly improves security. I usually use this technique to lock down the following applications:
1. Apache - Red Hat / CentOS: Chroot Apache 2 Web Server
2. Nginx - Linux nginx: Chroot (Jail) Setup
3. Chroot Lighttpd web server on a Linux based system
4. Chroot mail server.
5. Chroot Bind DNS server, and so on.

How do I exit the chroot jail?

Just type exit:
$ exit

Gif animation 01: Linux / Unix: Bash chroot ls command demo

Finding out whether a service is inside a chroot jail

You can use the following two commands to easily find out whether the Postfix mail service has been chrooted:
pid=$(pidof -s master)
ls -ld /proc/$pid/root   # run as root: the link target of another user's process is not readable otherwise

Sample output from a standard (non-chrooted) Linux service:
lrwxrwxrwx. 1 root root 0 Mar 9 11:16 /proc/8613/root -> /

PID 8613 points to / (root), which means the root directory of this program has not been changed, i.e. it has not been chrooted. This method is very quick and direct and does not require opening any configuration files. Here is another example taken from a chrooted nginx service:
pid=$(pidof -s nginx)   # the nginx master process is named nginx, not master
ls -ld /proc/$pid/root

Sample output:
lrwxrwxrwx 1 nginx nginx 0 Mar 9 11:17 /proc/4233/root -> /nginxjail

The program's root directory has been changed to /nginxjail.
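The jail-building steps above (copying bash and ls together with every library ldd reports) and the /proc/PID/root check, combined into one script as an added example; this is not code from the original article. It assumes GNU-style ldd output and that the jail directory is fresh; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): builds a minimal chroot jail
# for a list of programs by resolving their shared libraries with ldd, and
# reports the root directory a running process actually sees.
# Assumed: ldd prints "lib => /path (addr)" or "/path (addr)" lines, and the
# jail directory passed as $J is an empty directory chosen by the caller.
set -u

# Parse ldd output on stdin and print one absolute library path per line.
# Handles both "libc.so.6 => /lib64/libc.so.6 (0x...)" and the bare
# "/lib64/ld-linux-x86-64.so.2 (0x...)" loader line; skips the vdso,
# which has no file on disk to copy.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy each program and every library it needs into the jail $J, keeping the
# original layout (/lib64/libc.so.6 -> $J/lib64/libc.so.6) so the dynamic
# loader finds them after chroot, exactly as the manual cp steps above do.
build_jail() {
    J=$1; shift
    for prog in "$@"; do
        bin=$(command -v "$prog") || { echo "no such program: $prog" >&2; return 1; }
        mkdir -p "$J/bin"
        cp "$bin" "$J/bin/$prog"
        # "|| true": a statically linked binary makes ldd exit non-zero
        for lib in $(ldd "$bin" 2>/dev/null | ldd_libs || true); do
            mkdir -p "$J$(dirname "$lib")"
            cp "$lib" "$J$lib"
        done
    done
}

# Print the root directory of a process, the same fact the article reads off
# "ls -ld /proc/$pid/root"; "/" means the process is not chrooted.
# Reading the link of another user's process requires root.
jail_root_of() {
    readlink "/proc/$1/root"
}

# Usage: J=$HOME/jail; build_jail "$J" bash ls; sudo chroot "$J" /bin/bash
```

Verify the result with `jail_root_of "$(pidof -s bash)"` from a second terminal once the jailed shell is running; a healthy jail reports the jail path, never "/".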