
Creating a chrooted SFTP environment with scponly

scponly restricts a user to running only scp, sftp and similar commands. It is compatible with rsync, subversion and gftp, and has good support for WinSCP, the open-source Windows client.

scponly homepage:
http://sublimation.org/scponly/

The server runs AS4.
#wget http://nchc.dl.sourceforge.net/sourceforge/scponly/scponly-4.8.tgz
#tar zxvf scponly-4.8.tgz
#cd scponly-4.8
#./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-winscp-compat --enable-sftp-logging-compat --enable-scp-compat --enable-rsync-compat --enable-passwd-compat
#make
#make install
#echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
#make jail

/usr/bin/install -c -d /usr/local/scponly/bin
/usr/bin/install -c -d /usr/local/scponly/man/man8
/usr/bin/install -c -d /usr/local/scponly/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/scponly/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/scponly/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/scponly/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then                        \
        /usr/bin/install -c -d /usr/local/scponly/sbin;              \
        rm -f /usr/local/scponly/sbin/scponlyc;                 \
        cp scponly scponlyc;                            \
        /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/scponly/sbin/scponlyc;      \
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh
 
Next we need to set the home directory for this scponly user.
please note that the user’s home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.
 
for this reason, a writeable subdirectory will be created that
the scponly user can write into.
 
Username to install [scponly]larry
home directory you wish to set for this user [/home/larry]
name of the writeable subdirectory [incoming]incoming
ldconfig: /usr/lib/libmcrypt.so.4 is not a symbolic link
 
 
creating  /home/larry/incoming directory for uploading files
 
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
 – joe at sublimation dot org
 
please set the password for larry:
Changing password for user larry.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
Sorry, passwords do not match
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /home/larry/bin/groups

#ll /home/larry/
drwxr-xr-x  2 root  root  4096 11月 10 11:23 bin
drwxr-xr-x  2 root  root  4096 11月 10 11:23 etc
drwxr-xr-x  2 larry larry 4096 11月 10 11:26 incoming
drwxr-xr-x  3 root  root  4096 11月 10 11:23 lib
drwxr-xr-x  5 root  root  4096 11月 10 11:23 usr

After logging in, the user larry can only transfer files inside the incoming directory.

To create another user, run setup_chroot.sh again from the build directory:
#./setup_chroot.sh

#mkdir /home/larry/dev
#cp -a /dev/null /home/larry/dev/
On 64-bit systems:
# mkdir /home/larry/lib64
# cp /lib64/ld-linux-x86-64.so.2 /home/larry/lib64/
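As an added example (not part of the original post and not scponly's own code), the following POSIX shell function checks a jail created by setup_chroot.sh for the property the setup script insists on above: the home directory must not be writable by the jailed user, and only the incoming subdirectory may be. It also looks for the dev/null and 64-bit loader pieces added by hand above and, when a username is given, confirms that the account's home and login shell point at the jail and at scponlyc. The function name check_scponly_jail and the FAIL/WARN output format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a scponly chroot home.
# Usage: check_scponly_jail /home/larry incoming [larry]
# Prints FAIL:/WARN: lines; returns 0 when nothing FAILed, 1 otherwise.

# Return 0 if the permission string of $1 (e.g. drwxr-xr-x) grants write
# access to group or other (character 6 or character 9 is 'w').
is_group_or_other_writable() {
    perm=$(stat -c '%A' "$1" 2>/dev/null) || return 1
    case "$perm" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

check_scponly_jail() {
    jail="$1"
    incoming="${2:-incoming}"
    jail_user="$3"
    fails=0

    if [ ! -d "$jail" ]; then
        echo "FAIL: jail root $jail does not exist"
        return 1
    fi

    # The jail root is the user's home: if the user could write here they
    # could plant a .ssh/ directory or replace files inside the chroot.
    if is_group_or_other_writable "$jail"; then
        echo "FAIL: $jail is writable by group or other"
        fails=$((fails + 1))
    fi

    # Directories setup_chroot.sh creates are root-owned and must stay
    # unwritable by the user; only the upload directory may be writable.
    for d in bin etc lib usr; do
        if [ ! -d "$jail/$d" ]; then
            echo "WARN: $jail/$d missing (setup_chroot.sh normally creates it)"
        elif is_group_or_other_writable "$jail/$d"; then
            echo "FAIL: $jail/$d is writable by group or other"
            fails=$((fails + 1))
        fi
    done

    # The upload directory must exist and be writable by its owner.
    if [ ! -d "$jail/$incoming" ]; then
        echo "FAIL: upload directory $jail/$incoming missing"
        fails=$((fails + 1))
    else
        case "$(stat -c '%A' "$jail/$incoming" 2>/dev/null)" in
            ??w*) ;;
            *) echo "FAIL: $jail/$incoming is not writable by its owner"
               fails=$((fails + 1)) ;;
        esac
    fi

    # Pieces added by hand after setup_chroot.sh: /dev/null inside the jail
    # and, on x86_64, the dynamic loader.
    [ -c "$jail/dev/null" ] || echo "WARN: $jail/dev/null missing or not a character device"
    if [ "$(uname -m)" = "x86_64" ] && [ ! -e "$jail/lib64/ld-linux-x86-64.so.2" ]; then
        echo "WARN: $jail/lib64/ld-linux-x86-64.so.2 missing (needed on 64-bit systems)"
    fi

    # With a username, confirm the account really lands in this jail with
    # scponlyc as its login shell and does not own the jail root itself.
    if [ -n "$jail_user" ]; then
        entry=$(getent passwd "$jail_user" 2>/dev/null) || true
        if [ -z "$entry" ]; then
            echo "WARN: user $jail_user not found in passwd"
        else
            uid=$(printf '%s\n' "$entry" | cut -d: -f3)
            home=$(printf '%s\n' "$entry" | cut -d: -f6)
            shell=$(printf '%s\n' "$entry" | cut -d: -f7)
            [ "$home" = "$jail" ] || { echo "FAIL: home of $jail_user is $home, not $jail"; fails=$((fails + 1)); }
            case "$shell" in
                *scponlyc) ;;
                *) echo "FAIL: shell of $jail_user is $shell, not scponlyc"; fails=$((fails + 1)) ;;
            esac
            [ "$(stat -c '%u' "$jail")" != "$uid" ] || { echo "FAIL: $jail is owned by $jail_user"; fails=$((fails + 1)); }
        fi
    fi

    [ "$fails" -eq 0 ]
}

# Run directly: check_scponly_jail.sh /home/larry incoming larry
[ $# -eq 0 ] || check_scponly_jail "$@"
```

Run it as root after setup_chroot.sh finishes; a clean jail prints nothing (or only WARN lines for pieces not yet copied in) and exits 0, while a home directory the user can write to produces a FAIL line and exit status 1.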

References:
http://bbs.chinaunix.net/viewthread.php?tid=785820
http://hi.baidu.com/fengzhenjie/blog/item/2a4b1e7fe072ba0e29388a66.html

Posted in linux maintenance and tuning, security, technology.
