jailkit is a toolset for quickly creating restricted user accounts inside a chroot jail. It includes a safe logging daemon, shells that restrict what a user can do, and utilities for launching and setting up daemons inside a chroot jail.
Overview
1. Nginx handles the HTTP requests and runs as www:www. PHP requests are proxied to the php-fpm backend, which manages the PHP processes of each user; a user's PHP runs with group nobody.
2. Every user is given SSH access by default so they can manage their files directly. Each SSH user can only reach files under their own home directory; system-level commands and paths not owned by the user show up as permission denied.
3. Directory permissions for users: a created user has owner and group user:nobody, the home directory itself is drwxr-x--x, directories created under it are drwx---r-x, and files are -rw----r--. (user is the current user)
4. By setting the system umask and the FTP service umask, files created under the user's home directory get -rw----r-- and directories get drwx---r-x.
Prerequisite: LNMP is already installed.
Download and install jailkit
```
cd /soft
wget -c http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
tar zxvf jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make && make install
cp extra/jailkit /etc/init.d/
chmod 755 /etc/init.d/jailkit
chkconfig jailkit on
```
Initialize the chroot environment by creating a chroot directory:
```
mkdir -p /home/chroot
chown root:root /home/chroot
chmod 751 /home/chroot
jk_init -v -j /home/chroot sftp scp jk_lsh netutils extendedshell
jk_cp -v /home/chroot /usr/bin/id
jk_cp -v /home/chroot /usr/bin/unzip
jk_cp -v /home/chroot /usr/bin/zip
```
Create a system user
```
useradd www -m
echo www:123456|chpasswd
jk_jailuser -m -n -j /home/chroot/ --shell=/bin/bash www
```
Check
```
[root@localhost chroot]# grep www /home/chroot/etc/passwd
www:x:503:503::/home/www:/bin/bash
[root@localhost chroot]# grep www /etc/passwd
www:x:503:503::/home/chroot/./home/www:/usr/sbin/jk_chrootsh
```
Create the php-fpm configuration files
a. Create the global php-fpm configuration file
```
[root@localhost etc]# cat /application/php-5.3.29/etc/php-fpm.conf
include=etc/fpm.d/*.conf
[global]
pid = /tmp/php-fpm.pid
error_log = log/php-fpm.log
log_level = warning
emergency_restart_threshold = 10
process_control_timeout = 5s
process.max = 500
daemonize = yes
rlimit_files = 51200
rlimit_core = 0
events.mechanism = epoll
```
b. Create the php-fpm pool
```
mkdir -p /application/php-5.3.29/etc/fpm.d
cat /application/php-5.3.29/etc/fpm.d/default.conf
[www]
listen = 127.0.0.1:9001
;listen = /usr/local/php5.4/var/run/php-fpm-www.sock
listen.allowed_clients = 127.0.0.1
listen.mode = 0666
listen.owner = www
listen.group = nobody
user = www
group = nobody
chroot = /home/chroot
; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
pm.max_requests = 1000
request_terminate_timeout = 30s
; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/bin
env[TMP] = /var/www/tmp
env[TMPDIR] = /var/www/tmp
env[TEMP] = /var/www/tmp
; Specific php ini settings here
php_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f [email protected]"
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp"
php_value[include_path] = ".:/var/www:/var/www/include"
php_value[axis2.log_path] = "/var/www/tmp"
php_value[session_pgsql.sem_file_name] = "/var/www/tmp/php_session_pgsql"
php_value[soap.wsdl_cache_dir] = "/var/www/tmp"
php_value[uploadprogress.file.filename_template] = "/var/www/tmp/upt_%s.txt"
php_value[xdebug.output_dir] = "/var/www/tmp"
php_value[xdebug.profiler_output_dir] = "/var/www/tmp"
php_value[xdebug.trace_output_dir] = "/var/www/tmp"
php_admin_value[disable_functions] = "exec,system,passthru,shell_exec,ini_alter,dl,proc_open,proc_exec,proc_close,chroot,scandir,chgrp,chown,ini_restore,dbmopen,dbase_open,curl_multi_exec,multi_exec,gzinflate,parse_ini_file,show_source,escapeshellarg,escapeshellcmd,stream_socket_server,popen,pfsockopen,set_time_limit"
; UPLOAD
php_admin_flag[file_uploads] = On
php_admin_value[upload_tmp_dir] = "/var/www/tmp"
; Maximum allowed size for uploaded files.
php_admin_value[upload_max_filesize] = "50M"
php_admin_value[max_input_time] = "120"
php_admin_value[post_max_size] = "50M"
; LOGS
php_admin_value[error_log] = "/var/www/logs/error.log"
php_admin_value[log_errors] = On
php_admin_value[display_errors] = Off
php_admin_value[html_errors] = Off
php_admin_value[display_startup_errors] = Off
php_admin_value[define_syslog_variables] = "1"
php_value[error_reporting] = "6143"
; Maximum amount of time each script may spend parsing request data
php_value[max_input_time] = "120"
; Maximum execution time of each script, in seconds (PHP default 30)
php_value[max_execution_time] = "300"
; Maximum amount of memory a script may consume (PHP default 8MB)
php_value[memory_limit] = "128M"
; Sessions: IMPORTANT reactivate garbage collector on Debian!!!
php_value[session.gc_maxlifetime] = "3600"
php_admin_value[session.gc_probability] = "1"
php_admin_value[session.gc_divisor] = "100"
; SECURITY
php_admin_value[session.auto_start] = Off
php_admin_value[mbstring.http_input] = pass
php_admin_value[mbstring.http_output] = pass
php_admin_value[mbstring.encoding_translation] = Off
php_admin_value[expose_php] = Off
php_admin_value[allow_url_fopen] = On
php_admin_value[variables_order] = PGCSE
; enforce filling PATH_INFO & PATH_TRANSLATED
; and not only SCRIPT_FILENAME
php_admin_value[cgi.fix_pathinfo] = "1"
; 1: will use PATH_TRANSLATED instead of SCRIPT_FILENAME
php_admin_value[cgi.discard_path] = "0"
```
The actual root directory of the site on the host:
/home/chroot/home/www
php-fpm pool setting
```
[root@localhost 123]# grep ^chroot /application/php-5.3.29/etc/fpm.d/default.conf
chroot = /home/chroot
```
nginx.conf configuration
```
location / {
    root  /home/chroot/home/www;
    index index.html index.htm;
}
location ~ \.php$ {
    root /home/chroot;
    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    # php-fpm is chrooted to /home/chroot, so the script path passed to it
    # must be relative to the jail, not the host path /home/chroot/home/www
    fastcgi_param SCRIPT_FILENAME /home/www$fastcgi_script_name;
    include fastcgi_params;
}
```
```
[root@localhost conf]# grep 'php_admin_value\[open_basedir\]' /application/php-5.3.29/etc/fpm.d/default.conf
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp:/home/www"
```
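As an added example that is not part of the original post, the following POSIX shell script checks the layout above offline: that the host passwd entry follows jailkit's `<jail>/./<home>` form, that a jail-relative SCRIPT_FILENAME maps to the file under /home/chroot, that open_basedir covers the jail-relative web root, and that the jail root's owner and mode are safe. The sample passwd line and the helper names are constructed for this example.

```bash
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# jail layout described above. Sample values are constructed; helper names
# (check_jailed_user, host_script_path, open_basedir_covers, jail_root_mode_ok)
# are hypothetical.

JAIL=/home/chroot            # jail root on the host (as in the post)
DOCROOT_IN_JAIL=/home/www    # web root as the chrooted php-fpm sees it

# Constructed copy of the host /etc/passwd entry jk_jailuser writes.
PASSWD_LINE='www:x:503:503::/home/chroot/./home/www:/usr/sbin/jk_chrootsh'

# check_jailed_user LINE JAIL: succeed only if the login shell is jk_chrootsh
# and the home field uses jailkit's "<jail>/./<home inside jail>" form.
check_jailed_user() {
  home=$(printf '%s' "$1" | cut -d: -f6)
  shell=$(printf '%s' "$1" | cut -d: -f7)
  [ "$shell" = /usr/sbin/jk_chrootsh ] || return 1
  case "$home" in "$2"/./*) return 0 ;; esac
  return 1
}

# host_script_path JAIL SCRIPT_FILENAME: php-fpm is chrooted, so nginx must pass
# a jail-relative SCRIPT_FILENAME; the file php-fpm opens lives at JAIL + path.
host_script_path() {
  printf '%s%s\n' "$1" "$2"
}

# open_basedir_covers BASEDIR PATH: succeed if PATH (jail-relative) lies under
# one of the colon-separated open_basedir entries. "." is skipped because it
# depends on the running script's directory, not on the configuration.
open_basedir_covers() {
  old_ifs=$IFS; IFS=:
  for entry in $1; do
    [ "$entry" = . ] && continue
    case "$2" in "$entry"|"$entry"/*) IFS=$old_ifs; return 0 ;; esac
  done
  IFS=$old_ifs
  return 1
}

# jail_root_mode_ok OWNER MODE (e.g. from: stat -c '%U %a' /home/chroot):
# the jail root must be root-owned and never group- or world-writable,
# otherwise a jailed user could replace binaries or libraries in the jail.
jail_root_mode_ok() {
  [ "$1" = root ] || return 1
  case "$2" in 7[0145][0145]) return 0 ;; esac
  return 1
}
```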
With this in place, the site's security is considerably improved.
jailkit in practice