LNMP multi-user secure runtime environment (chroot) (3)
6. Modify the init script: the basedir and datadir paths are set on lines 46 and 47 of /etc/rc.d/init.d/mysqld; here they are patched directly with sed.
sed -i '46 s#basedir=#basedir=/usr/local/mysql#' /etc/rc.d/init.d/mysqld
sed -i '47 s#datadir=#datadir=/usr/local/mysql/data#' /etc/rc.d/init.d/mysqld
7. Modify the MySQL startup script mysqld_safe to support TCMalloc: edit /usr/local/mysql/bin/mysqld_safe and add the line "export LD_PRELOAD=/usr/local/lib/libtcmalloc.so" directly after the line "# executing mysqld_safe". Here it is done with sed.
sed -i '/# executing mysqld_safe/a\export LD_PRELOAD=/usr/local/lib/libtcmalloc.so' /usr/local/mysql/bin/mysqld_safe
8. Finishing up
echo 'PATH=$PATH:$HOME/bin:/usr/local/bin:/usr/local/mysql/bin' >> ~/.bashrc
source ~/.bash_profile
echo "/usr/local/mysql/lib" > /etc/ld.so.conf.d/mysql.conf
ldconfig
if [ `getconf WORD_BIT` = '32' ] && [ `getconf LONG_BIT` = '64' ] ; then
cd /usr/local/mysql
ln -s lib lib64
chown -R root.mysql lib64
fi
Change the MySQL root password. A generated 16-character random string is used here and saved to /root/.my.cnf, so the administrator can manage the MySQL service from the terminal without typing the password (do not do this in production).
service mysqld start
mysqlroot_passwd=`cat /dev/urandom | head -1 | md5sum | head -c 16`
echo $mysqlroot_passwd
# A fresh install has an empty root password, so connect without -p; an interactive
# "mysql -uroot -p" at this point would block the script waiting for input.
/usr/local/mysql/bin/mysql -uroot <<EOF
use mysql;
update \`mysql\`.\`user\` set \`password\`=PASSWORD('$mysqlroot_passwd') where \`User\`='root';
flush privileges;
EOF
cat > /root/.my.cnf<<EOF
[client]
user=root
password=$mysqlroot_passwd
EOF
service mysqld stop
chmod 750 /usr/local/mysql /usr/local/mysql/data
chmod 640 /etc/my.cnf
chmod 600 /root/.my.cnf
III. Install Jailkit. Jailkit can confine ordinary users to their home directory when they log in over SSH. Older versions had some problems, but over the last two years it has been quite stable, so I use it on many servers as an essential chroot component. The php-fpm chroot setup later can build directly on this base, so Jailkit is installed first.
1. Install the latest Jailkit; the current version is 2.16.
cd /usr/local/src
wget -c http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz
tar -zxf jailkit-2.16.tar.gz
cd jailkit-2.16
./configure
#sed -i '41 s#IBS =#IBS = -pthread#' src/Makefile
make && make install
Enable it at boot:
/usr/bin/install -m 755 extra/jailkit /etc/init.d/jailkit
chkconfig jailkit on
service jailkit start
2. Create the chroot working directory and set its permissions; here /home/chroot is used.
mkdir /home/chroot
chown root:root /home/chroot
chmod 751 /home/chroot
jk_init -v -j /home/chroot sftp scp jk_lsh extshellplusnet
jk_cp -v /home/chroot /usr/bin/id
jk_cp -v /home/chroot /usr/bin/unzip
jk_cp -v /home/chroot /usr/bin/zip
jk_cp -v /home/chroot /usr/bin/curl
jk_cp -v /home/chroot /etc/pki
jk_cp -v /home/chroot /usr/lib/libssh2.so.1
jk_cp -v /home/chroot /usr/lib/libcurl.so
jk_cp -v /home/chroot /usr/lib/libsoftokn3.so
jk_cp -v /home/chroot /usr/lib/libnssdbm3.so
jk_cp -v /home/chroot /usr/lib/libnss3.so
jk_cp -v /home/chroot /usr/lib/libnssckbi.so
jk_cp -v /home/chroot /usr/lib/libnsspem.so
jk_cp -v /home/chroot /usr/lib/libsmime3.so
jk_cp -v /home/chroot /usr/lib/libssl3.so
jk_cp -v /home/chroot /usr/lib64/libssh2.so.1
jk_cp -v /home/chroot /usr/lib64/libcurl.so
jk_cp -v /home/chroot /usr/lib64/libsoftokn3.so
jk_cp -v /home/chroot /usr/lib64/libnssdbm3.so
jk_cp -v /home/chroot /usr/lib64/libnss3.so
jk_cp -v /home/chroot /usr/lib64/libnssckbi.so
jk_cp -v /home/chroot /usr/lib64/libnsspem.so
jk_cp -v /home/chroot /usr/lib64/libsmime3.so
jk_cp -v /home/chroot /usr/lib64/libssl3.so
jk_cp -v /home/chroot /usr/bin/certutil
jk_cp -v /home/chroot /usr/bin/cmsutil
jk_cp -v /home/chroot /usr/bin/crlutil
jk_cp -v /home/chroot /usr/bin/modutil
jk_cp -v /home/chroot /usr/bin/pk12util
jk_cp -v /home/chroot /usr/bin/signtool
jk_cp -v /home/chroot /usr/bin/signver
jk_cp -v /home/chroot /usr/bin/ssltap
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/atob
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/btoa
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/derdump
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/ocspclnt
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/pp
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/selfserv
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/strsclnt
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/symkeyutil
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/tstclnt
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/vfychain
jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/vfyserv
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/atob
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/btoa
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/derdump
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/ocspclnt
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/pp
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/selfserv
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/strsclnt
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/symkeyutil
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/tstclnt
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/vfychain
jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/vfyserv
mkdir -p {/home/chroot/opt,/home/chroot/tmp,/home/chroot/var/www}
chmod -R 755 /home/chroot/opt /home/chroot/var/www
chmod 1777 /home/chroot/tmp
echo "nobody:x:99:" >> /home/chroot/etc/group
echo "www:x:999:" >> /home/chroot/etc/group
echo "www:x:999:999::/home/www:/bin/nologin" >> /home/chroot/etc/passwd
chmod 644 /home/chroot/etc/group
chmod 644 /home/chroot/etc/passwd
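The jail layout above is only as strong as its file modes: a world-writable path or a setuid file inside the jail lets a confined user replace the binaries and libraries copied in with jk_cp. The following audit script is an added example, not part of the original post or of Jailkit; it checks a jail against the modes set above (751 root-owned jail root, 644 etc/passwd and etc/group, 1777 tmp) and flags setuid/setgid files and world-writable paths outside tmp. It assumes GNU stat and find and jail paths without spaces; the sample jail it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Jailkit jail against the layout
# the post creates and report anything a jailed user could abuse.
# Assumes GNU stat/find (Linux); paths inside the jail contain no spaces.

# jail_audit JAIL [OWNER_UID]: print one line per finding, return the count (0 = clean).
# OWNER_UID defaults to 0: jk_chrootsh refuses a jail root not owned by root.
jail_audit() {
    jail="$1"; owner="${2:-0}"; n=0
    for spec in ".:751" "etc/passwd:644" "etc/group:644" "tmp:1777"; do
        rel="${spec%%:*}"; want="${spec##*:}"
        if [ ! -e "$jail/$rel" ]; then
            echo "missing: $rel"; n=$((n + 1)); continue
        fi
        have=$(stat -c '%a' "$jail/$rel")
        [ "$have" = "$want" ] || { echo "mode $rel is $have, want $want"; n=$((n + 1)); }
    done
    [ "$(stat -c '%u' "$jail")" = "$owner" ] || { echo "jail root not owned by uid $owner"; n=$((n + 1)); }
    # setuid/setgid files are the classic chroot-escape helper; none belong in a jail
    report "setuid/setgid" "$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \))"
    # world-writable entries outside tmp let a jailed user swap copied binaries/libs
    report "world-writable" "$(find "$jail" -path "$jail/tmp" -prune -o -perm -002 ! -type l -print)"
    return "$n"
}

# report LABEL LIST: print each path in LIST with LABEL and add the line count to n
report() {
    [ -z "$2" ] && return 0
    printf "$1: %s\n" $2
    n=$((n + $(printf '%s\n' "$2" | wc -l)))
}

# make_demo_jail: constructed sample jail in a temp dir with three deliberate flaws
# (etc/passwd mode 666, which is also world-writable, and a setgid binary)
make_demo_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tmp" "$d/usr/bin"
    chmod 751 "$d"; chmod 755 "$d/etc" "$d/usr/bin"; chmod 1777 "$d/tmp"
    : > "$d/etc/passwd"; : > "$d/etc/group"; : > "$d/usr/bin/tool"
    chmod 666 "$d/etc/passwd"; chmod 644 "$d/etc/group"; chmod 2755 "$d/usr/bin/tool"
    echo "$d"
}

demo=$(make_demo_jail)
# the demo jail is owned by the current user, so pass its uid; on a real jail omit it
rc=0; jail_audit "$demo" "$(id -u)" || rc=$?
echo "findings: $rc"
rm -rf "$demo"
```

On the real jail run `jail_audit /home/chroot` as root; any output means the setup drifted from the modes above.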
3. Make rsyslog listen on the jail's /dev/log so that log output from inside the chroot reaches the host log, which makes debugging easier.
# Register the socket with rsyslog's imuxsock module in the config so the listener survives
# restarts; a manually started "rsyslogd -a /home/chroot/dev/log" would be killed by the
# service restart that follows it
mkdir -p /home/chroot/dev
echo '$AddUnixListenSocket /home/chroot/dev/log' >> /etc/rsyslog.conf
service rsyslog restart