Jail-shell is a Linux security tool, built mainly on chroot and namespace technologies, that limits users to specific commands and specific directories. Users can log in through SSH, SCP, SFTP, Telnet, terminals, etc. and are restricted to a secure operating environment.

Jail-shell can be used for web-host SSH access control and for hierarchical management of administrator privileges in an enterprise.

- Jail-shell automatically generates the chroot running environment from a configuration file. With the jail-shell management commands it is easy to add, list, delete and restrict users, and to install and delete chroot running environments.
- Linux chroot is used to restrict the user's directory access, preventing users from reaching restricted directories and from damaging the system.
- The chroot running environment is read-only; this prevents users from deleting protected directories and files, creating device files, and accessing restricted files.
- Linux namespaces limit the visible range of user PIDs and mounted directories, avoiding information leakage.
- A command proxy channel lets users execute a restricted set of commands on the real system from inside the chroot environment, so the necessary functionality is provided while the system stays protected.
- Only a list of commands is required: the dynamic libraries a command depends on are copied into the chroot environment automatically, avoiding the cumbersome work of copying them by hand.
- Critical capabilities are dropped, so that neither the system nor the chroot running environment can be compromised by a rootkit.
- Supports Red Hat, SLES, Debian and their derivative operating systems.
Jail-shell contains 3 parts: a PAM plugin, the jail-cmd command agent, and the jail-shell command tools.

- PAM plugin: mainly controls the login of users. According to the configuration list, it uses chroot and namespace technology to restrict logged-in users to a specific restricted directory.
- jail-cmd: forwards specific commands, such as `passwd` or other user-related business commands, to the real system, and also prevents command injection.
- jail-shell command tools: mainly provide the ability to manage the restricted security shell, making it easier for administrators to use, including adding and deleting users, and configuring, installing and deleting shells.
## Instructions

### Compile

```shell
git clone https://github.com/pymumu/jail-shell.git
cd jail-shell
make
```

### Install

```shell
sudo make install
```

### Uninstall

```shell
sudo /usr/local/jail-shell/install -u
```

After installation, you can use the `jail-shell` command to manage jails; run `jail-shell -h` for help.
In use, the steps are as follows:

1. Use the `useradd username` command to add the user to the system.
2. Use the `jail-shell jail` command to create a chroot environment.
3. Use the `jail-shell user` command to add the user to the jail.

The following is an example of adding user `test` to a jail named `test-jail`.

1. Add user `test`, and set a password:

```shell
sudo useradd test -s /bin/bash
sudo passwd test
```

2. Create the jail `test-jail`:

```shell
sudo jail-shell jail -e test-jail
```

After executing the above command, a new jail configuration is created from the template and opened in `vi`. Edit it as needed, and remember to save the configuration with the vi command `:w!`. Then install the jail:

```shell
sudo jail-shell jail -i test-jail
```

3. Add user `test` to jail `test-jail`:

```shell
sudo jail-shell user -a test -j test-jail
```

4. Log in with ssh to check whether user `test` is jailed:

```shell
ssh test@127.0.0.1
```
The jail config files are located in `/etc/jail-shell/jail-config/`, and the file suffix is `.cfg`.

The configuration supports the following commands:

dir:
```
dir PATH MODE OWNER
dir /bin/ 0755 root:root
```

file:
```
file SRC DEST MODE OWNER
file /etc/nsswitch.conf /etc/nsswitch.conf 0644 root:root
```

hlink:
```
hlink SRC DEST MODE OWNER
hlink /etc/nsswitch.conf /etc/nsswitch.conf 0644 root:root
```

slink:
```
slink TARGET LINKNAME
slink /bin/bash /bin/sh
```

clink:
```
clink TARGET LINKNAME
clink /etc/localtime /etc/localtime
```

node:
```
node PATH TYPE MAJOR MINOR MODE OWNER
node /dev/null c 1 3 666 root:root
```

bind:
```
bind [SRC] DEST OPTION
bind / ro,nodev,nosuid
bind /opt/ /opt/ ro,nodev,noexec
bind /opt/upload /opt/upload rw,nodev,noexec,nosuid
bind /opt/%u /opt/upload ro,nodev,noexec,nosuid
```

cmd:
```
cmd SRC DEST RUN_AS_USER
cmd /usr/bin/passwd /usr/bin/passwd -:-
cmd /some/root/command /some/root/command root:root
cmd /some/user/command /some/user/command user:user
```
When using jail-shell, the principle of least privilege should be adopted: while ensuring the functions users need, reduce user rights as far as possible.

bind tips:

- For the `/dev` directory, it is recommended to add the `nodev` parameter, and the `/dev` directory must be set to `ro,noexec` (read-only, disable executable) permissions.
- Use `ro,nodev,nosuid` (read only, prohibit device files, and prohibit suid files) permissions, as in the `bind / ro,nodev,nosuid` example above.
- Use `nodev,noexec,nosuid` (disable device files, disable executable files, disable suid files) permissions for directories that must stay writable, such as the `/opt/upload` example above.
- Do not add debugging and system tools such as `gdb`, `mount`, `strace`, etc. to the jail.

| directory | description |
|---|---|
| /etc/jail-shell/ | Configuration file directory |
| /etc/jail-shell/jail-shell.conf | Restricted user configuration list file |
| /etc/jail-shell/jail-config/ | The directory where the jail shell configuration files are located; files with the `.cfg` suffix are recognized as jail configuration files. |
| /var/local/jail-shell/ | Jail-shell data directory |
| /var/local/jail-shell/jails | Jail-shell chroot environment directory |
| /usr/local/jail-shell | Jail-shell program directory |
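As an added example (not part of jail-shell itself), the following script parses a jail `.cfg` file in the directive format documented above and flags `bind` options that violate the security tips, plus `file`/`hlink`/`cmd` entries that would put a debugging tool inside the jail. The rule that `rw` binds need `nodev,noexec,nosuid` is taken from the `/opt/upload` example, `#` comment handling is an assumption, and the sample config is constructed.

```python
import shlex

# Constructed sample .cfg for this example; it is not shipped with jail-shell.
SAMPLE_CFG = """
file /etc/nsswitch.conf /etc/nsswitch.conf 0644 root:root
node /dev/null c 1 3 666 root:root
bind / ro,nodev,nosuid
bind /dev /dev rw,nodev
bind /opt/upload /opt/upload rw,nodev,noexec,nosuid
bind /opt/%u /opt/upload rw
cmd /usr/bin/passwd /usr/bin/passwd -:-
file /usr/bin/strace /usr/bin/strace 0755 root:root
"""
DEBUG_TOOLS = {"gdb", "mount", "strace"}  # tools the security tips keep out of a jail

def parse_cfg(text):
    """Return (directive, args) pairs, skipping blank lines and # comments (assumed)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries

def bind_fields(args):
    """bind takes [SRC] DEST OPTION: the last two fields are DEST and the option list."""
    if len(args) < 2:
        return (args[0] if args else ""), set()
    return args[-2], set(args[-1].split(","))

def lint_cfg(text):
    """Return a list of findings; an empty list means the config follows the tips."""
    findings = []
    for directive, args in parse_cfg(text):
        if directive == "bind":
            dest, opts = bind_fields(args)
            if dest.rstrip("/") == "/dev" and not {"ro", "nodev", "noexec"} <= opts:
                findings.append(f"bind {dest}: /dev must be ro,nodev,noexec")
            elif dest == "/" and not {"ro", "nodev", "nosuid"} <= opts:
                findings.append(f"bind {dest}: root should be ro,nodev,nosuid")
            elif "rw" in opts and not {"nodev", "noexec", "nosuid"} <= opts:
                findings.append(f"bind {dest}: rw bind needs nodev,noexec,nosuid")
        elif directive in ("file", "hlink", "cmd") and args:
            if args[0].rsplit("/", 1)[-1] in DEBUG_TOOLS:
                findings.append(f"{directive} {args[0]}: debugging tool inside the jail")
    return findings
```

Running `lint_cfg(open("/etc/jail-shell/jail-config/test-jail.cfg").read())` on a real jail config prints one line per violation before `jail-shell jail -i` is run.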
When you copy a command into the chroot environment and the copied command fails, you need to debug to find the missing dependent files and add them to the chroot environment.

Copy the `strace` command into the chroot environment, and then use `strace` to execute the command that needs to be debugged to find the missing dependent files.

The debugging command is as follows:

```shell
strace -F -eopen command
```

`-eopen` traces the list of files that the process opens.

After executing the above command, check the list of opened files for failures:

```
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
```

As indicated above, the `/etc/ld.so.preload` file does not exist when it is read, and you may need to add the file to the chroot environment. At this point, you can use the `clink` or `file` command to add the missing files to the chroot environment.
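As an added helper (not part of jail-shell), the following script extracts the paths that failed with ENOENT from `strace -F -eopen` output and turns them into `file`/`clink` directives for the jail config. The strace lines are constructed, the choice of `clink` for `/etc/localtime` follows the config example above, and a missing `/etc/ld.so.preload` is skipped because the loader only probes for that file and its absence is normal.

```python
import re

# Constructed strace -F -eopen output for this example (not a real capture).
SAMPLE_TRACE = """\
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
[pid  1234] openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
"""

# open()/openat() lines, with or without a [pid N] prefix, that failed with ENOENT.
ENOENT_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s*)?open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)".*=\s*-1\s+ENOENT'
)
# Paths whose absence is normal and should not be copied into the jail.
IGNORE = {"/etc/ld.so.preload"}
# Paths added with clink rather than file (assumption, following the config example).
LINK_PATHS = {"/etc/localtime"}


def missing_files(trace):
    """Return the distinct paths (in first-seen order) that open() could not find."""
    seen = {}
    for line in trace.splitlines():
        m = ENOENT_RE.match(line)
        if m and m.group(1) not in IGNORE:
            seen.setdefault(m.group(1), None)
    return list(seen)


def suggest_entries(paths, mode="0644", owner="root:root"):
    """Map each missing path to a jail config directive (file SRC DEST MODE OWNER or clink)."""
    entries = []
    for path in paths:
        if path in LINK_PATHS:
            entries.append(f"clink {path} {path}")
        else:
            entries.append(f"file {path} {path} {mode} {owner}")
    return entries


if __name__ == "__main__":
    print("\n".join(suggest_entries(missing_files(SAMPLE_TRACE))))
```

Review the suggested lines before pasting them into the `.cfg`: a command may probe for optional files it does not actually need, and every file copied into the jail widens what the user can read.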
Jail-shell uses the GPL-V2 license.

Related projects:

- jailkit https://olivier.sessink.nl/jailkit/
- rshell https://en.wikipedia.org/wiki/Restricted_shell
- firejail https://github.com/netblue30/firejail