scponly restricts a user to running only commands such as scp / sftp. It is compatible with rsync, subversion and gftp, and it works well with WinSCP, an open source client for Windows.
scponly official site: http://sublimation.org/scponly/
The server runs AS4.
#wget http://nchc.dl.sourceforge.net/sourceforge/scponly/scponly-4.8.tgz
#tar zxvf scponly-4.8.tgz
#cd scponly-4.8
#./configure --prefix=/usr/local/scponly --enable-chrooted-binary --enable-winscp-compat --enable-sftp-logging-compat --enable-scp-compat --enable-rsync-compat --enable-passwd-compat
#make
#make install
#echo /usr/local/scponly/sbin/scponlyc >> /etc/shells
#make jail
/usr/bin/install -c -d /usr/local/scponly/bin
/usr/bin/install -c -d /usr/local/scponly/man/man8
/usr/bin/install -c -d /usr/local/scponly/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/scponly/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/scponly/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/scponly/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then \
/usr/bin/install -c -d /usr/local/scponly/sbin; \
rm -f /usr/local/scponly/sbin/scponlyc; \
cp scponly scponlyc; \
/usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/scponly/sbin/scponlyc; \
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable by the scponly user.
this is important so that the scponly user cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that the scponly user can write into.

Username to install [scponly] larry
home directory you wish to set for this user [/home/larry]
name of the writeable subdirectory [incoming] incoming
ldconfig: /usr/lib/libmcrypt.so.4 is not a symbolic link
creating /home/larry/incoming directory for uploading files
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
– joe at sublimation dot org
please set the password for larry:
Changing password for user larry.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
Sorry, passwords do not match
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /home/larry/bin/groups
#ll /home/larry/
drwxr-xr-x 2 root root 4096 11月 10 11:23 bin
drwxr-xr-x 2 root root 4096 11月 10 11:23 etc
drwxr-xr-x 2 larry larry 4096 11月 10 11:26 incoming
drwxr-xr-x 3 root root 4096 11月 10 11:23 lib
drwxr-xr-x 5 root root 4096 11月 10 11:23 usr
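After logging in, the user larry can only transfer files in the incoming directory.

To create another user, run setup_chroot.sh again from the build directory:
#./setup_chroot.sh

Create /dev/null inside the chroot:
#mkdir /home/larry/dev
#cp -a /dev/null /home/larry/dev/

On a 64-bit system:
#mkdir /home/larry/lib64
#cp /lib64/ld-linux-x86-64.so.2 /home/larry/lib64/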
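
The setup output above insists that the home directory must not be writable by the scponly user. The shell check below is an added example, not part of the original post or of scponly: it flags any entry of the jailed home, other than the upload directory, that the user owns or that is group/world writable. The function names audit_listing and audit_jail are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# audit_listing USER UPLOAD: read "owner mode name" lines for the entries of
# a jailed home directory ("." is the home directory itself) and print one
# finding per problem. Returns 0 if clean, 1 otherwise.
audit_listing() {
    user=$1 upload=$2 bad=0 seen_upload=0
    while read -r owner mode name; do
        [ -n "$name" ] || continue
        if [ "$name" = "$upload" ]; then
            # The one place the user is meant to write.
            seen_upload=1
            [ "$owner" = "$user" ] || { echo "$name: not owned by $user"; bad=1; }
            continue
        fi
        # Everything else, the home directory included, must be outside the
        # user's control, or they could subvert the .ssh configuration.
        [ "$owner" != "$user" ] || { echo "$name: owned by $user"; bad=1; }
        case $mode in
            *[2367]?|*[2367]) echo "$name: mode $mode is group/world writable"; bad=1 ;;
        esac
    done
    [ "$seen_upload" -eq 1 ] || { echo "$upload: missing"; bad=1; }
    return "$bad"
}

# audit_jail HOME USER [UPLOAD]: run the check on a live directory.
# Assumes GNU find (Linux), as on the server in this post.
audit_jail() {
    ( cd "$1" && find . -maxdepth 1 -printf '%u %m %f\n' ) |
        audit_listing "$2" "${3:-incoming}"
}

# Constructed sample (not from a real host): the layout above, but with the
# home directory owned by larry and bin world-writable.
audit_listing larry incoming <<'EOF' || echo "=> jail needs fixing"
larry 755 .
root 757 bin
larry 755 incoming
EOF
```

On the server from this post the live check would be run as root with: audit_jail /home/larry larry incoming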
References:
http://bbs.chinaunix.net/viewthread.php?tid=785820
http://hi.baidu.com/fengzhenjie/blog/item/2a4b1e7fe072ba0e29388a66.html