Chroot系统

警告
本文最后更新于 2021-04-21,文中内容可能已过时。

chroot系统

正常来说,针对文件共享的 sftp 应该以用户为单位来做,但这里我用的是组:我用用户来做测试从来没有成功过,只能被迫用组。

#!/bin/bash
################################################# 
#   author      0x5c0f 
#   date        2020-12-04 
#   email       mail@0x5c0f.cc 
#   web         blog.0x5c0f.cc
#   version     1.0.0
#   last update 2021-04-21
#   descript    Use : ./chroot.init.sh
################################################# 

# Pin the search path so behaviour does not depend on the caller's environment.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

# Purpose: an sshfs share served out of a chroot, used instead of NFS
# between Linux hosts.

# Root of the chroot tree.
CHROOTHOME="/chroot_sftp"

# Account that serves the sshfs share.
SSHFSUSER="sshfs"
SSHFSUID="1050"
SSHFSROOT="/home/${SSHFSUSER}"

# Directory inside the chroot tree that the share is bound to
# (used as sshd ChrootDirectory by init_sshfs).
SSHFSCHROOTDIR="${CHROOTHOME}/sshfsdir"
# Local directory that actually holds the shared data.
SSHFSLOCALSHARE="/mnt/sshfsdir"


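#######################################
# Build a minimal chroot tree under ${CHROOTHOME} on first run only:
# directory skeleton, a few device nodes, a handful of binaries and the
# shared libraries they link against.  An existing tree is left untouched.
# Globals:   CHROOTHOME (read)
# Returns:   0 on success or when the tree already exists, 1 when a step fails
#######################################
function init_chroot(){
    local bin so
    local -a bins=(/bin/ls /bin/cat /bin/rm /bin/echo /bin/false /bin/touch /bin/vi /bin/mkdir)

    [[ -d "${CHROOTHOME}" ]] && return 0

    mkdir -p "${CHROOTHOME}"/{bin,usr,etc,lib64,home,dev,data} || return 1

    # Standard Linux major/minor numbers for the character devices.
    mknod -m 666 "${CHROOTHOME}/dev/null" c 1 3 || return 1
    mknod -m 666 "${CHROOTHOME}/dev/tty" c 5 0 || return 1
    mknod -m 666 "${CHROOTHOME}/dev/zero" c 1 5 || return 1
    mknod -m 666 "${CHROOTHOME}/dev/random" c 1 8 || return 1

    # Kept from the original; on Linux the sticky bit has no effect on files.
    chmod o+t "${CHROOTHOME}/dev/null" "${CHROOTHOME}/dev/tty" \
        "${CHROOTHOME}/dev/zero" "${CHROOTHOME}/dev/random" || return 1

    # Relative links so they resolve both inside and outside the chroot.
    # Done with absolute targets so the script's working directory is not changed.
    ln -sf ../bin "${CHROOTHOME}/usr/bin" || return 1
    ln -sf ../lib64 "${CHROOTHOME}/usr/lib64" || return 1

    # NOTE(review): config_sshd forces internal-sftp and init_sshfs points
    # ChrootDirectory at ${SSHFSCHROOTDIR}, so these binaries are not reachable
    # from an SFTP session; presumably kept for an interactive chroot — confirm.
    cp -p "${bins[@]}" "${CHROOTHOME}/bin/" || return 1

    # Copy every shared object ldd reports, recreating its directory first so
    # multiarch paths such as /lib/<triplet>/ do not make cp fail.
    for bin in "${bins[@]}"; do
        while IFS= read -r so; do
            [[ -n "$so" ]] || continue
            mkdir -p "${CHROOTHOME}${so%/*}" || return 1
            /bin/cp -v "$so" "${CHROOTHOME}${so}" || return 1
        done < <(ldd "$bin" | grep -Eo '/lib.*\.[0-9]')
    done
}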

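#######################################
# Append an sshd Match block that confines the matched principal to an
# SFTP-only chroot, then validate the configuration and restart sshd.
# Match blocks stay in effect until the next Match, so appending at the end
# leaves the global settings above untouched.  Idempotent: an existing block
# for the same principal is not duplicated.
# Arguments: $1 - Match criterion, e.g. "User" or "Group"
#            $2 - user or group name
#            $3 - ChrootDirectory; sshd requires it (and every parent) to be
#                 root-owned and not group/world-writable
# Returns:   0 on success, 1 if the config could not be written or fails sshd -t
#######################################
function config_sshd(){
    local criterion=$1 principal=$2 chroot_dir=$3
    local cfg=/etc/ssh/sshd_config

    if grep -qFx -- "Match ${criterion}  ${principal}" "$cfg"; then
        printf 'config_sshd: "Match %s %s" already present in %s, not appending\n' \
            "$criterion" "$principal" "$cfg" >&2
        return 0
    fi

    cat >> "$cfg" <<EOE || return 1
Match ${criterion}  ${principal}
    ChrootDirectory  ${chroot_dir}
    ForceCommand internal-sftp -l INFO -f AUTH
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication no

EOE

    # Never restart on a broken config: a failed restart would lock out every
    # remote session, not just the new principal.
    sshd -t || return 1
    systemctl restart sshd
}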

# 配置systemd管理模块
# $0 文件名 绑定目录 绑定目标目录 是否只读(默认为空: 读写)
# mount -o bind${4:+,ro} 绑定目录 绑定目标目录
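#######################################
# Write a systemd mount unit that bind-mounts $2 onto $3, then enable and
# start it.
# Arguments: $1 - unit file name, e.g. chroot_sftp-home-sshfs.mount; must be a
#                 bare file name (systemd derives it from the escaped Where= path)
#            $2 - source directory (What=)
#            $3 - mount point (Where=)
#            $4 - when non-empty the mount is read-only
# Outputs:   /etc/systemd/system/$1
# Returns:   0 on success, 1 on a bad unit name or a failed write/reload;
#            otherwise the status of "systemctl enable --now"
#######################################
function config_systemd(){
    local unit=$1 what=$2 where=$3 ro_flag=$4
    local unit_path

    # Refuse names that would write outside /etc/systemd/system.
    case "$unit" in
        ''|*/*)
            printf 'config_systemd: invalid unit name %q\n' "$unit" >&2
            return 1
            ;;
    esac
    unit_path="/etc/systemd/system/${unit}"

    cat > "$unit_path" <<EOF || return 1
# Automatically generated by systemd-fstab-generator

[Unit]
SourcePath=/etc/fstab
Documentation=man:fstab(5) man:systemd-fstab-generator(8)
Before=local-fs.target

[Mount]
What=${what}
Where=${where}
Type=none
Options=defaults,bind${ro_flag:+,ro}

[Install]
WantedBy=multi-user.target

EOF

    systemctl daemon-reload || return 1
    systemctl enable --now "$unit"
}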

# 初始化sftp可用组
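#######################################
# Set up the sshfs account end to end: sshd Match block, system user with a
# passphrase-less key pair, and the two bind mounts the chroot needs.
# Safe to re-run: existing user, key and directories are reused.
# Globals:   SSHFSUSER SSHFSUID SSHFSROOT SSHFSCHROOTDIR SSHFSLOCALSHARE
#            CHROOTHOME (all read)
# Returns:   0 on success, 1 as soon as a step fails
#######################################
function init_sshfs(){
    local skel rc home_unit share_unit

    config_sshd "User" "${SSHFSUSER}" "${SSHFSCHROOTDIR}" || return 1

    if ! id -u "${SSHFSUSER}" >/dev/null 2>&1; then
        # Empty skeleton so no distribution dotfiles land in the home;
        # removed again afterwards (the original leaked it).
        skel=$(mktemp -d) || return 1
        useradd -u "${SSHFSUID}" -m -k "${skel}" -d "${SSHFSROOT}" -s /bin/false "${SSHFSUSER}"
        rc=$?
        rmdir -- "${skel}"
        (( rc == 0 )) || return 1
    fi

    # Key pair for the client side.  -N '' leaves the private key unprotected
    # so the client can mount unattended; it must only ever be copied to the
    # client host.  Skip generation when a key exists so ssh-keygen does not
    # block on its overwrite prompt.
    if [[ ! -f "${SSHFSROOT}/.ssh/id_rsa" ]]; then
        su - "${SSHFSUSER}" -s /bin/bash -c "ssh-keygen -f ~/.ssh/id_rsa -t rsa -b 4096 -N ''" || return 1
    fi
    su - "${SSHFSUSER}" -s /bin/bash -c "cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" || return 1

    # Read-only bind of the home directory under the chroot tree.
    # NOTE(review): ${CHROOTHOME}${SSHFSROOT} lies outside ChrootDirectory
    # (${SSHFSCHROOTDIR}), so the private key is not visible to the SFTP
    # session; the purpose of this mount is unclear — confirm it is wanted.
    mkdir -p "${CHROOTHOME}${SSHFSROOT}" || return 1
    home_unit="${CHROOTHOME#/}${SSHFSROOT//\//-}.mount"
    config_systemd "${home_unit}" "${SSHFSROOT}" "${CHROOTHOME}${SSHFSROOT}" 1 || return 1

    # Read-write bind of the local share onto the chroot directory sshd uses.
    mkdir -p "${SSHFSCHROOTDIR}" "${SSHFSLOCALSHARE}" || return 1
    echo "sshfs 共享目录 " > "${SSHFSLOCALSHARE}/readme.md"

    share_unit="${SSHFSCHROOTDIR#/}"
    config_systemd "${share_unit//\//-}.mount" "${SSHFSLOCALSHARE}" "${SSHFSCHROOTDIR}" || return 1
}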


# Entry point: build the chroot tree first, then the sshfs account on top of it.
main() {
    init_chroot
    init_sshfs
}
main "$@"
# Boot-time mount on the client side.
# Options worth knowing before copying this line:
#   user                - lets a non-root local user mount/unmount the entry
#   allow_other         - exposes the FUSE mount to all local users
#   default_permissions - lets the kernel enforce the mode bits instead of sshfs
#   identityfile        - private key for the sshfs account; keep it root-owned, mode 0600
$> vim /etc/fstab
sshfsdir@10.0.2.30:/node21 /data/backup fuse.sshfs auto,reconnect,_netdev,user,idmap=user,identityfile=/etc/.ssh/sshfsdir,allow_other,default_permissions,uid=1002,gid=1002 0 0

# Zabbix check: prints 0 while the mount unit is active, 1 otherwise.
# NOTE(review): data-ltbstore.mount does not correspond to the /data/backup
# mount point above (systemd would name that data-backup.mount) — confirm
# which mount is meant.
# NOTE(review): ">& /dev/null" is a bash-only redirection; if the agent runs
# UserParameters through /bin/sh, use ">/dev/null 2>&1" instead.
$> vim /opt/zabbix-agentd/etc/zabbix_agentd.conf.d/sshfs_status.conf 
UserParameter=sshfs_status,/bin/systemctl is-active data-ltbstore.mount >& /dev/null && echo 0 || echo 1