How to use Jailkit to manage users in Linux

2025-03-01 Update. From: SLTechnology News&Howtos (Servers)


Shulou (Shulou.com) 06/01 Report

This article shows how to use Jailkit to confine users to a chroot jail on Linux. The editor considers it a practical procedure and shares it in full; I hope you get something out of it.

Install jailkit

The code is as follows:

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz
tar xzf jailkit-2.16.tar.gz
cd jailkit-2.16
./configure
make
make install
cp extra/jailkit /etc/init.d/jailkit
chmod u+x /etc/init.d/jailkit
chkconfig jailkit on

Run the install steps as root. The init script shipped in extra/ starts jk_socketd, the daemon that forwards syslog messages from inside the jails to the host's syslog; chkconfig is the Red Hat style command, on Debian/Ubuntu use update-rc.d jailkit defaults instead. Two practical notes: the tarball is fetched over plain HTTP, so verify the download against a checksum from a trusted source before building it, and 2.16 is an old release. Most distributions package jailkit (apt-get install jailkit on Debian/Ubuntu), which gives you a current version with security updates, the tools in /usr/sbin and the configuration in /etc/jailkit.

Initialize the chroot environment

The code is as follows:

jk_init -v -j /home/chroot sftp scp jk_lsh netutils extendedshell
service jailkit start

-j names the jail directory; the remaining arguments are section names from /etc/jailkit/jk_init.ini. This quick start uses /home/chroot, while the step-by-step walkthrough below builds its jail in /opt/jail. Pick one directory and use it consistently, every later command refers to it.

Configure Jailed Shell

Configure a restricted environment:

We need a directory that holds the whole restricted environment (the chroot). It can be anywhere; in this walkthrough it is /opt/jail.

The code is as follows:

$ sudo mkdir /opt/jail

This directory must be owned by root and must not be writable by its group or by others. Change the owner with chown and set the permissions explicitly:

The code is as follows:

$ sudo chown root:root /opt/jail
$ sudo chmod 755 /opt/jail

Jailkit checks this before it enters a jail: jk_chrootsh refuses to chroot into a directory that is not owned by root, or that is group or world writable, and the same applies to its parent directories. The reason is that a user who can write to the jail root, or replace a binary or library below it, can break out of the chroot.

Set up programs available in a restricted environment

Any program that is to run inside the restricted environment has to be copied into it, together with the shared libraries it links against. The jk_init command does this for whole groups of programs.

For example:

The code is as follows:

$ sudo jk_init -v -j /opt/jail basicshell
$ sudo jk_init -v -j /opt/jail editors
$ sudo jk_init -v -j /opt/jail extendedshell
$ sudo jk_init -v -j /opt/jail netutils
$ sudo jk_init -v -j /opt/jail ssh
$ sudo jk_init -v -j /opt/jail sftp
$ sudo jk_init -v -j /opt/jail jk_lsh

Or all at once:

The code is as follows:

$ sudo jk_init -v -j /opt/jail netutils basicshell jk_lsh openvpn ssh sftp

Names like basicshell, editors and netutils are section names; each section lists a collection of executables, libraries and other files that jk_init copies into the jail. For example, basicshell provides bash, ls, cat, chmod, mkdir, cp, cpio, date, dd, echo, egrep and other programs. For every executable, jk_init also copies the libraries that ldd reports for it. Copy only what the jailed users really need: every extra binary inside the jail is extra attack surface.

The complete list of sections is in /etc/jailkit/jk_init.ini, and you can add your own sections there.

jk_lsh (Jailkit limited shell) is the section that must be present in every restricted environment: jk_jailuser gives jailed users /usr/sbin/jk_lsh as their in-jail shell, and jk_lsh only runs the commands allowed for that user in the jail's /etc/jailkit/jk_lsh.ini.
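The ownership and permission rules above are worth checking mechanically before the first jailed login. The following script is an added example written for this page; it is not part of the article and not jailkit's own code (jailkit ships jk_check for the real thing). It assumes a POSIX shell with ls, find and grep; the jail path and the expected owner uid are parameters, and the mock directory tree at the end is constructed so the checks can be exercised without root or jailkit installed.

```shell
#!/bin/sh
# Added example, not from the article or from jailkit: a minimal version of the
# checks jk_chrootsh and jk_check apply to a jail root before trusting it.
# Paths and names are parameters; the mock jail at the bottom is constructed.

# jail_root_check JAIL [OWNER_UID]
# The jail root must be owned by OWNER_UID (default 0, root), must not be
# group- or world-writable, and must contain no setuid/setgid files and no
# world-writable directories outside /home and /tmp. A user who can write to
# the jail root or run a setuid binary inside it can break out of the chroot.
# Prints one line per problem; returns 0 only when nothing is wrong.
jail_root_check() {
    jail=${1%/}; want_uid=${2:-0}; rc=0
    [ -d "$jail" ] || { echo "no such directory: $jail"; return 1; }
    # "ls -ldn" prints e.g. "drwxr-xr-x 5 0 0 4096 Jun 23 12:00 /opt/jail":
    # field 1 is the mode string, field 3 the numeric owner uid
    set -- $(ls -ldn "$jail")
    mode=$1; uid=$3
    [ "$uid" = "$want_uid" ] || { echo "owner uid $uid, expected $want_uid"; rc=1; }
    # character 6 of the mode string is the group write bit, character 9 the
    # world write bit (d rwx rwx rwx)
    case $mode in ?????w*) echo "group-writable: $jail"; rc=1 ;; esac
    case $mode in ????????w*) echo "world-writable: $jail"; rc=1 ;; esac
    suid=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$suid" ]; then echo "setuid/setgid files in jail:"; echo "$suid"; rc=1; fi
    wdirs=$(find "$jail" -type d -perm -0002 2>/dev/null \
            | grep -v "^$jail/home/" | grep -v "^$jail/tmp$" || true)
    if [ -n "$wdirs" ]; then echo "world-writable directories in jail:"; echo "$wdirs"; rc=1; fi
    return $rc
}

# Constructed mock (not a real jail, no root or jailkit needed): a jail-like
# tree with a stub /bin/bash so the checks can be exercised and deliberately
# broken. In real use the call is simply: jail_root_check /opt/jail
make_mock_jail() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/home/robber"
    chmod 755 "$d"
    printf '#!/bin/sh\n' > "$d/bin/bash"; chmod 755 "$d/bin/bash"
    printf '%s\n' "$d"
}
```

Run it as root against the real jail after every jk_init or jk_cp, since each copy can bring a setuid binary (su, ping, mount helpers) into the jail; jk_init strips those bits for the sections it knows about, a hand-copied file may keep them.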

Create a user who will be jailed

You need a user to put into the jail. Create one first:

The code is as follows:

$ sudo adduser robber
Adding user `robber' ...
Adding new group `robber' (1005) ...
Adding new user `robber' (1006) with group `robber' ...
Creating home directory `/home/robber' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for robber
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n] y

Note: at this point robber is an ordinary user on the real file system; nothing has restricted the account yet.

In the next step the user is moved into the restricted environment.

If you look at /etc/passwd now, you will see an entry like the following at the end of the file:

The code is as follows:

robber:x:1006:1005:,,,:/home/robber:/bin/bash

This is the newly created user; the /bin/bash in the last field means that, if the user logs in, they get a normal shell on the system.

Restrict the user

Now it is time to restrict the user:

The code is as follows:

$ sudo jk_jailuser -m -j /opt/jail robber

After this command the user robber is jailed. -m moves the existing home directory into the jail, so the files created by adduser go with the user. jk_jailuser also adds the user to the jail's own /etc/passwd and /etc/group, which is what programs inside the jail see.

If you look at /etc/passwd now, the entry has changed to something like this:

The code is as follows:

robber:x:1006:1005:,,,:/opt/jail/./home/robber:/usr/sbin/jk_chrootsh

Note: the last two fields, home directory and shell, have changed. The home directory is now inside /opt/jail (the restricted environment), and the shell is a special program, jk_chrootsh, that provides the jailed shell.

jk_chrootsh reads the home field and splits it at /./: everything before /./ is the directory it chroots into, everything after it is the home directory as seen from inside the jail. So every login lands the user inside /opt/jail, where the /home/robber they see is /opt/jail/home/robber on the host.

So far the restricted configuration is almost complete. But if you try to connect with ssh, you are bound to fail, like this:

The code is as follows:

$ ssh robber@localhost
robber@localhost's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

13 packages can be updated.
0 updates are security updates.

*** /dev/sda7 will be checked for errors at next reboot ***
*** /dev/sda8 will be checked for errors at next reboot ***

Last login: Sat Jun 23 12:45:13 2012 from localhost
Connection to localhost closed.
$

The connection is closed immediately. Authentication succeeded and jk_chrootsh did enter the jail; what ended the session is the shell inside the jail. The jail's /etc/passwd lists /usr/sbin/jk_lsh for robber, and jk_lsh only executes commands that are allowed for the user in the jail's /etc/jailkit/jk_lsh.ini (typically sftp-server or scp); it does not provide an interactive shell, so a plain ssh login ends at once. For an sftp- or scp-only account that is exactly the intended behaviour.

Give the jailed user a bash shell

The next step is to give the user a proper bash shell inside the restricted environment. Open the following file:

/opt/jail/etc/passwd

This is the passwd file inside the jail. It looks similar to the following:

The code is as follows:

root:x:0:0:root:/root:/bin/bash
robber:x:1006:1005:,,,:/home/robber:/usr/sbin/jk_lsh

Change /usr/sbin/jk_lsh to /bin/bash:

The code is as follows:

root:x:0:0:root:/root:/bin/bash
robber:x:1006:1005:,,,:/home/robber:/bin/bash

Save the file and exit. This only works if bash has been copied into the jail (the basicshell section does that), and it deliberately widens what the user can do: with bash they can run every binary inside the jail. If the account is only meant for sftp or scp, keep jk_lsh and allow just those commands in the jail's /etc/jailkit/jk_lsh.ini instead.
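Editing the jail's passwd file by hand is error prone, and the edit is only sound when the new shell really exists inside the jail. The script below is an added example for this page, not code from the article or from jailkit: it checks a host /etc/passwd entry for the jk_chrootsh conventions described above, reads a user's in-jail shell, and swaps it only after verifying the target shell is present and executable under the jail root. It assumes a POSIX shell with awk, cut and mktemp; the function names are mine, and the mock jail at the end is constructed from the article's sample entries so the script runs without root or jailkit.

```shell
#!/bin/sh
# Added example, not from the article or from jailkit: inspect and change a
# jailed user's shell without hand-editing files. JAIL/etc/passwd is the copy
# jk_jailuser wrote inside the jail; the "host entry" is the line in /etc/passwd.

# host_entry_check ENTRY JAIL: is this host /etc/passwd line a jailed user of
# JAIL? jk_chrootsh splits the home field at "/./": the part before it is the
# chroot directory, the part after it is the home directory inside the jail.
host_entry_check() {
    entry=$1; jail=${2%/}
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    case $home in
        "$jail"/./*) ;;
        *) echo "home '$home' is not under $jail/./"; return 1 ;;
    esac
    [ "$shell" = /usr/sbin/jk_chrootsh ] || { echo "shell is $shell, not jk_chrootsh"; return 2; }
}

# jail_shell_of JAIL USER: print USER's shell as recorded inside the jail.
jail_shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "${1%/}/etc/passwd"
}

# jail_set_shell JAIL USER SHELL: rewrite the shell field of USER in
# JAIL/etc/passwd, refusing if SHELL is not an executable inside the jail
# (e.g. /bin/bash exists there only after "jk_init ... basicshell").
# Returns 1 if the shell is missing from the jail, 2 if USER has no entry.
jail_set_shell() {
    jail=${1%/}; user=$2; shell=$3; pw="$jail/etc/passwd"
    [ -x "$jail$shell" ] || return 1
    grep -q "^$user:" "$pw" || return 2
    tmp=$(mktemp "$pw.XXXXXX") || return 3
    # rewrite field 7 for the matching user, keep every other line verbatim,
    # then replace the file atomically
    awk -F: -v OFS=: -v u="$user" -v s="$shell" '$1 == u { $7 = s } { print }' "$pw" > "$tmp" \
        && chmod 644 "$tmp" && mv "$tmp" "$pw"
}

# Constructed mock jail (no jailkit, no root needed): the jail passwd from the
# article plus a stub /bin/bash so the existence check has something to find.
# In real use: sudo jail_set_shell /opt/jail robber /bin/bash
make_mock_jail() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/bin" "$d/home/robber"
    printf 'root:x:0:0:root:/root:/bin/bash\nrobber:x:1006:1005:,,,:/home/robber:/usr/sbin/jk_lsh\n' > "$d/etc/passwd"
    printf '#!/bin/sh\n' > "$d/bin/bash"; chmod 755 "$d/bin/bash"
    printf '%s\n' "$d"
}
```

The existence check is the point: a shell field that names a binary not present in the jail produces exactly the "connection closed" symptom shown above, with nothing useful in the client's output.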

Log in to the restricted environment

Now log in to the restricted environment again:

The code is as follows:

$ ssh robber@localhost
robber@localhost's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

13 packages can be updated.
0 updates are security updates.

*** /dev/sda7 will be checked for errors at next reboot ***
*** /dev/sda8 will be checked for errors at next reboot ***

Last login: Sat Jun 23 12:46:01 2012 from localhost
bash: groups: command not found
I have no name!@desktop:~$

The prompt reads "I have no name!" because bash cannot map uid 1006 back to a user name inside the jail: name lookups go through glibc's NSS modules, and libnss_files.so.2, the module that reads /etc/passwd, has not been copied into the jail yet (the jk_cp step further down fixes this as well). The "groups: command not found" line is the shell start-up files calling a groups binary that is not in the jail. Apart from that, we now have a working bash shell in the restricted environment.

Now look at the actual environment. The root directory of the restricted environment is really /opt/jail on the host file system, but only we know that; the jailed user cannot see anything outside it.

The code is as follows:

I have no name!@desktop:~$ cd /
I have no name!@desktop:/$ ls
bin  dev  etc  home  lib  lib64  run  usr  var
I have no name!@desktop:/$

Only the commands copied into the jail with jk_init or jk_cp can be used.

If the login fails, check /var/log/auth.log for the error message; jk_chrootsh logs via syslog why it refused to enter the jail (wrong ownership or permissions on the jail directory, a shell that does not exist inside the jail, and so on).

Now try running a network command, such as wget:

The code is as follows:

$ wget http://www.google.com/

If you get an error like this:

The code is as follows:

$ wget http://www.google.com/
Resolving www.google.com (www.google.com)... failed: Name or service not known.
wget: unable to resolve host address `www.google.com'

the jail cannot resolve host names. You can fix it with the following two commands:

The code is as follows:

$ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_files.so.2
$ sudo jk_cp -v -j /opt/jail /lib/x86_64-linux-gnu/libnss_dns.so.2

Only then can programs inside the jail find libnss_files.so.2 and libnss_dns.so.2. glibc loads these NSS modules at run time with dlopen, so they never appear in the ldd output that jk_init and jk_cp use to discover a program's libraries, and they have to be copied in explicitly; jk_cp does pull in the libraries the modules themselves depend on. The path above is the Ubuntu x86_64 multiarch location; on other distributions or architectures find it with `ldconfig -p | grep libnss_dns`. The resolver also needs /etc/resolv.conf, /etc/nsswitch.conf and /etc/hosts inside the jail, which the netbasics section of jk_init.ini copies.
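Because the library path is distribution- and architecture-specific, it is better to locate the NSS modules than to hard-code /lib/x86_64-linux-gnu. The script below is an added example for this page, not part of the article or of jailkit: it lists what the in-jail resolver is still missing (the three /etc files and the two NSS modules), prints the jk_cp commands for the modules at whatever path the host actually has them, and copies the plain /etc files with cp. The function names are mine; the optional HOST_ROOT argument and the mock host tree at the end are constructed so the script can be exercised without root, jailkit or a real glibc layout (the name server address in the mock resolv.conf is a documentation address, not a real resolver).

```shell
#!/bin/sh
# Added example, not from the article or from jailkit: find out what the jail's
# resolver lacks, plan the jk_cp calls for the NSS modules, copy the /etc files.
# The NSS modules themselves should go in with jk_cp, which also copies their
# own library dependencies; plain cp here is only for the /etc files.

NSS_LIBS="libnss_files.so.2 libnss_dns.so.2"
RESOLVER_FILES="/etc/resolv.conf /etc/nsswitch.conf /etc/hosts"

# find_lib ROOT NAME: print the first path of library NAME below ROOT/lib,
# ROOT/lib64 or ROOT/usr/lib, wherever the multiarch layout put it.
# ROOT is "/" for the host or a jail directory. Returns 1 if absent.
find_lib() {
    root=${1%/}; name=$2
    for d in "$root/lib" "$root/lib64" "$root/usr/lib"; do
        [ -d "$d" ] && find "$d" -name "$name" 2>/dev/null | head -n 1 | grep . && return 0
    done
    return 1
}

# jail_resolver_missing JAIL: print every piece the jail lacks for name
# resolution. Returns 0 when nothing is missing.
jail_resolver_missing() {
    jail=${1%/}; rc=0
    for f in $RESOLVER_FILES; do
        [ -f "$jail$f" ] || { echo "missing $jail$f"; rc=1; }
    done
    for l in $NSS_LIBS; do
        find_lib "$jail" "$l" >/dev/null || { echo "missing $l in $jail"; rc=1; }
    done
    return $rc
}

# jk_cp_plan JAIL [HOST_ROOT]: print the jk_cp commands that bring the NSS
# modules from HOST_ROOT (default /) into JAIL, with the path resolved on this
# host instead of hard-coded. HOST_ROOT other than / exists only for testing.
jk_cp_plan() {
    jail=$1; root=${2:-/}
    for l in $NSS_LIBS; do
        p=$(find_lib "$root" "$l") || { echo "# $l not found under $root"; continue; }
        echo "jk_cp -v -j $jail ${p#${root%/}}"
    done
}

# copy_into_jail JAIL PATH [HOST_ROOT]: copy one regular file to the same path
# under JAIL, creating parent directories. Unlike jk_cp this does not follow
# shared-library dependencies, so use it for /etc files, not for libraries.
copy_into_jail() {
    jail=${1%/}; path=$2; root=${3:-}; root=${root%/}
    [ -f "$root$path" ] || return 1
    mkdir -p "$jail$(dirname "$path")" && cp -p "$root$path" "$jail$path"
}

# Constructed mock host (not a real system): an Ubuntu-style multiarch library
# directory with empty stand-ins for the NSS modules and minimal /etc files.
# Real use: jail_resolver_missing /opt/jail; jk_cp_plan /opt/jail | sudo sh
make_mock_host() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib/x86_64-linux-gnu" "$d/etc"
    for l in $NSS_LIBS; do : > "$d/lib/x86_64-linux-gnu/$l"; done
    printf 'nameserver 192.0.2.53\n' > "$d/etc/resolv.conf"
    printf 'hosts: files dns\n' > "$d/etc/nsswitch.conf"
    printf '127.0.0.1 localhost\n' > "$d/etc/hosts"
    printf '%s\n' "$d"
}
```

Run jail_resolver_missing after every jk_init that adds network tools; a jail that passes it can still fail on a host using systemd-resolved or a stub resolver bound to the loopback, because the copied resolv.conf then points at an address the jail may not reach.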

Run a program or service in the restricted environment

The configuration is now complete, and programs or services can be run inside the restricted environment. To start a program or daemon in the jail, use the jk_chrootlaunch command:

The code is as follows:

$ sudo jk_chrootlaunch -j /opt/jail -u robber -x /some/command/in/jail

jk_chrootlaunch chroots into the jail, switches to the given user (and group, with -g) and only then executes the program, whose path is given as seen from inside the jail. If the daemon fails to start, check /var/log/syslog for the error message.

That is how to use Jailkit to manage users in Linux. The editor believes these are points you may meet or use in daily work; I hope you learned something from this article. For more details, follow the industry information channel.
