jailkit实战
jailkit 是一款能够在 chroot jail 中快速创建受限用户帐户的工具集。它包含一个安全的日志守护进程、用于限制用户的 shell,以及在 chroot jail 中启动和配置守护进程的工具。
简单说明
1、由 Nginx 处理 HTTP 请求,nginx 以 www:www 身份运行,PHP 请求代理到后端 php-fpm;php-fpm 负责管理各用户的 php 进程,用户运行 php 时的组身份为 nobody
2、默认为每个用户提供 SSH,方便用户直接进行管理。限定各 SSH 用户只能访问自己家目录下的文件;访问系统级命令或其他不属于自己的路径时显示为无权限。
3、关于用户目录权限的说明:建立的用户属主身份为 user:nobody,家目录自身权限为 drwxr-x--x,其下创建的目录权限为 drwx---r-x,文件权限为 -rw----r--。(user 为当前用户)
4、通过设定系统 umask 及 ftp 服务的 umask,确保用户家目录下创建的文件权限为 -rw----r--,目录权限为 drwx---r-x
前提:已经安装好了LNMP
下载安装jailkit
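# Build and install jailkit from source, then register its init script.
cd /soft || exit 1
# The archive is fetched over plain HTTP, so nothing on the wire guarantees
# its integrity: compare the printed digest with the checksum (or verify the
# signature) the jailkit project publishes before building it.
wget -c http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
sha256sum jailkit-2.11.tar.gz   # compare with the project's published checksum
tar zxvf jailkit-2.11.tar.gz
cd jailkit-2.11 || exit 1
./configure && make && make install
# The tarball ships a SysV init script under extra/; install it and enable it
# at boot so the jail daemon is started with the system.
cp extra/jailkit /etc/init.d/
chmod 755 /etc/init.d/jailkit
chkconfig jailkit on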
初始化chroot环境,创建个chroot目录:
# Create the jail root. It is owned by root and not writable by group/other
# (751): jailed users must not be able to modify the jail's own tree.
mkdir -p /home/chroot
chown root:root /home/chroot
chmod 751 /home/chroot
# Populate the jail with the named sections from jailkit's jk_init.ini:
# sftp, scp, the jk_lsh limited shell, basic network utilities and an
# extended shell (binaries plus the libraries they need).
jk_init -v -j /home/chroot sftp scp jk_lsh netutils extendedshell
# jk_cp copies a binary together with its shared-library dependencies into
# the jail; these three are extras the users will need beyond jk_init's sets.
jk_cp -v /home/chroot /usr/bin/id
jk_cp -v /home/chroot /usr/bin/unzip
jk_cp -v /home/chroot /usr/bin/zip
创建系统用户
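# Create the system account and move it into the jail.
useradd -m www
# Set the password interactively instead of piping a literal "user:password"
# into chpasswd: a password given on the command line ends up in the shell
# history and is visible to every local user via the process list.
passwd www
# Move the account into the jail (-m moves the home directory, -n creates the
# jail's passwd/group entries) and give it bash inside the jail; the host
# /etc/passwd entry will point at jk_chrootsh, as the check below shows.
jk_jailuser -m -n -j /home/chroot/ --shell=/bin/bash www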
检查
[root@localhost chroot]# grep www /home/chroot/etc/passwd
www:x:503:503::/home/www:/bin/bash
[root@localhost chroot]# grep www /etc/passwd
www:x:503:503::/home/chroot/./home/www:/usr/sbin/jk_chrootsh
创建php-fpm配置文件
[root@localhost etc]# cat /application/php-5.3.29/etc/php-fpm.conf
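; Pool definitions are kept in separate files under etc/fpm.d/ (relative to
; the php-fpm prefix) and pulled in here.
include=etc/fpm.d/*.conf
[global]
; NOTE(review): /tmp is world-writable, so a predictable pid file there can be
; pre-created or symlinked by any local account; the usual place is under the
; php-fpm prefix (var/run/) — confirm against this install's layout.
pid = /tmp/php-fpm.pid
error_log = log/php-fpm.log
; Valid levels are alert, error, warning, notice and debug; the original value
; "waring" was a typo and is not one of them.
log_level = warning
emergency_restart_threshold = 10
process_control_timeout = 5s
process.max = 500
daemonize = yes
rlimit_files = 51200
rlimit_core = 0
events.mechanism = epoll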
b.创建php-fpm pool
# Pool files live in fpm.d/ and are loaded by the include= line of php-fpm.conf.
mkdir -p /application/php-5.3.29/etc/fpm.d
# Show the pool definition; its contents are listed below.
cat /application/php-5.3.29/etc/fpm.d/default.conf
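[www]
listen = 127.0.0.1:9001
;listen = /usr/local/php5.4/var/run/php-fpm-www.sock
; Only applies to the TCP listener above; it does not restrict a unix socket.
listen.allowed_clients = 127.0.0.1
; listen.mode/owner/group only take effect if the unix-socket listen above is
; enabled. 0666 would let any local account connect to the socket; 0660 limits
; it to the owner/group below (nginx runs as www, see the overview).
listen.mode = 0660
listen.owner = www
listen.group = nobody
user = www
group = nobody
; Workers are chrooted here, so every path below (/var/www/..., /tmp) is
; relative to /home/chroot on the host. Those directories must exist inside
; the jail — the setup steps above do not create /var/www/tmp or /var/www/logs
; there; confirm before starting the pool.
chroot = /home/chroot
; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 1000
request_terminate_timeout = 30s
; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/bin
env[TMP] = /var/www/tmp
env[TMPDIR] = /var/www/tmp
env[TEMP] = /var/www/tmp
; Specific php ini settings here
php_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f noreply@evlit.com"
; NOTE(review): /proc is unusual in open_basedir (it lets scripts read process
; and system details); drop it unless something actually depends on it.
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp"
php_value[include_path] = ".:/var/www:/var/www/include"
php_value[axis2.log_path] = "/var/www/tmp"
php_value[session_pgsql.sem_file_name] = "/var/www/tmp/php_session_pgsql"
php_value[soap.wsdl_cache_dir] = "/var/www/tmp"
php_value[uploadprogress.file.filename_template] = "/var/www/tmp/upt_%s.txt"
php_value[xdebug.output_dir] = "/var/www/tmp"
php_value[xdebug.profiler_output_dir] = "/var/www/tmp"
php_value[xdebug.trace_output_dir] = "/var/www/tmp"
; The original list contained "popepassthru", a typo that left popen() enabled
; while passthru was already listed; it is now "popen". proc_exec and
; multi_exec are not PHP functions (harmless). escapeshellarg/escapeshellcmd
; only quote strings, so disabling them adds no protection once the command
; execution functions are blocked.
php_admin_value[disable_functions] = "exec,system,passthru,shell_exec,ini_alter,dl,proc_open,proc_exec,proc_close,chroot,scandir,chgrp,chown,ini_restore,dbmopen,dbase_open,curl_multi_exec,multi_exec,gzinflate,parse_ini_file,show_source,escapeshellarg,escapeshellcmd,stream_socket_server,popen,pfsockopen,set_time_limit"
; UPLOAD
php_admin_flag[file_uploads] = On
php_admin_value[upload_tmp_dir] = "/var/www/tmp"
;Maximum allowed size for uploaded files.
php_admin_value[upload_max_filesize] = "50M"
php_admin_value[max_input_time] = "120"
php_admin_value[post_max_size] = "50M"
; LOGS
php_admin_value[error_log] = "/var/www/logs/error.log"
php_admin_value[log_errors] = On
php_admin_value[display_errors] = Off
php_admin_value[html_errors] = Off
php_admin_value[display_startup_errors] = Off
php_admin_value[define_syslog_variables] = "1"
php_value[error_reporting] = "6143"
; Maximum amount of time each script may spend parsing request data.
; (Also set as php_admin_value above; presumably that one wins — verify.)
php_value[max_input_time] = "120"
; Maximum execution time of each script, in seconds (30)
php_value[max_execution_time] = "300"
; Maximum amount of memory a script may consume (8MB)
php_value[memory_limit] = "128M"
; Sessions: IMPORTANT reactivate garbage collector on Debian!!!
php_value[session.gc_maxlifetime] = "3600"
php_admin_value[session.gc_probability] = "1"
php_admin_value[session.gc_divisor] = "100"
; SECURITY
php_admin_value[session.auto_start] = Off
php_admin_value[mbstring.http_input] = pass
php_admin_value[mbstring.http_output] = pass
php_admin_value[mbstring.encoding_translation] = Off
php_admin_value[expose_php] = Off
; Lets include/fopen/file_get_contents fetch remote URLs; set to Off unless an
; application on this host needs it.
php_admin_value[allow_url_fopen] = On
php_admin_value[variables_order] = PGCSE
; enforce filling PATH_INFO & PATH_TRANSLATED
; and not only SCRIPT_FILENAME
; With fix_pathinfo=1 the web server must check that the requested script
; really exists (nginx: try_files $uri =404 in the php location) before
; passing it on, otherwise a request like /upload.jpg/x.php can cause the
; uploaded file to be run as PHP.
php_admin_value[cgi.fix_pathinfo] = "1"
; 1: will use PATH_TRANSLATED instead of SCRIPT_FILENAME
php_admin_value[cgi.discard_path] = "0"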
网站实际的根目录:
/home/chroot/home/www
php-fpm pool设置
[root@localhost 123]# grep ^chroot /application/php-5.3.29/etc/fpm.d/default.conf
chroot = /home/chroot
nginx.conf配置
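location / {
    root /home/chroot/home/www;
    index index.html index.htm;
}
location ~ \.php$ {
    # Use the same on-disk root as "/" so nginx can verify the script exists
    # before handing the request to php-fpm. php-fpm is chrooted in
    # /home/chroot, so host path /home/chroot/home/www/x.php is /home/www/x.php
    # from its point of view — which is what SCRIPT_FILENAME passes.
    root /home/chroot/home/www;
    # The pool sets cgi.fix_pathinfo=1; without this check a request such as
    # /upload.jpg/x.php is forwarded and PHP falls back to executing upload.jpg.
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /home/www$fastcgi_script_name;
    include fastcgi_params;
}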
[root@localhost conf]# grep 'php_admin_value\[open_basedir\]' /application/php-5.3.29/etc/fpm.d/default.conf
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp:/home/www"
这样,网站的安全性就相对提高了不少