衆所周知,chroot下linux系統的一個安全機制,chroot是linux核心的一個系統調用,通過它,可以設定應用軟體的運作環境,讓應用軟體運作在一個特定目錄下,這樣,即使應用軟體有安全漏洞,被入侵,入侵者也被限制在一個特定的目錄,從面限制了入侵者的破壞範圍。加強了系統的安全性。本文以tomcat為例,詳細記錄了tomcat以chroot的方式運作的配置過程,也記錄配置過程中的出錯及排錯方法。
環境及工具:系統64位的CentOS6.4、dk為jdk-7u45-linux-x64.tar.gz、apache-tomcat-6.0.41.tar.gz
一、配置java chroot環境
1、先配置jdk,這次配置使用的是 jdk-7u45-linux-x64.tar.gz
tar zxvf jdk-7u45-linux-x64.tar.gz
mkdir /usr/java
cp -a jdk1.7.0_45 /usr/java/
[root@2core local]# /usr/java/jdk1.7.0_45/bin/java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)
jdk可以正常啟動
2、配置jdk chroot
我選算了 /chroot為 tomcat的根目錄
#D=/chroot
#mkdir -p $D
#cd $D
mkdir -p lib lib64 etc tmp dev usr
chmod 755 etc dev usr
chmod 1777 tmp
cp -a /etc/hosts etc/hosts
為了chroot的環境更接近實際的系統根目錄,還需要一個特殊的目錄,如果無這些目錄,将來可能會報錯
mkdir -p /chroot/dev/pts
cd /dev
./MAKEDEV -d /chroot/dev null radom urandom zero loop* log console
cp MAKEDEV /chroot/dev
cp -a /dev/shm /chroot/dev
[root@2core local]# ldd /usr/java/jdk1.7.0_45/bin/java
linux-vdso.so.1 => (0x00007fffeafd0000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3a58efd000)
libjli.so => /usr/java/jdk1.7.0_45/bin/../lib/amd64/jli/libjli.so (0x00007f3a58ce5000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a58ae1000)
libc.so.6 => /lib64/libc.so.6 (0x00007f3a5874e000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3a59123000)
把上面幾個庫檔案複制到/chroot/lib64/目錄下
[root@2core local]# ls /chroot/lib64/
ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libpthread.so.0
[root@2core local]# rm -rf /chroot/usr/java/
[root@2core local]# mkdir /chroot/usr/java
[root@2core local]# cp -a /usr/java/jdk1.7.0_45 /chroot/usr/java/
[root@2core local]# ls /chroot/usr/java/
jdk1.7.0_45
以chroot方式運作java,
[root@2core local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java
/usr/java/jdk1.7.0_45/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
有報錯,根據錯誤可以是缺少相應的庫檔案,隻要把這些檔案複制過來就OK了
[root@2core local]# find / -name libjli.so
/usr/java/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so
/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so
/usr/local/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so
/usr/local/jdk1.7.0_45/lib/amd64/jli/libjli.so
/chroot/usr/java/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so
/chroot/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so
[root@2core local]# cp /chroot/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so /chroot/lib64/
[root@2core local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java -version
Error: dl failure on line 863
Error: failed /usr/java/jdk1.7.0_45/jre/lib/amd64/server/libjvm.so, because libm.so.6: cannot open shared object file: No such file or directory
[root@2core local]#
[root@2core local]# find / -name libm.so.6
/lib64/libm.so.6
[root@2core local]# cp /lib64/libm.so.6 /chroot/lib64/
Java HotSpot(TM) 64-Bit Server VM warning: Can't detect initial thread stack location - find_vma failed
這樣,可以正常啟動java了,但還是有一個警告資訊,這是因為jave檢測不到相關程序引起的,而linux系統的程序資訊是存放在/proc這個目錄的,因些,我們還要在/chroot下挂載這個特殊的目錄,方法如下
[root@2core local]# mkdir /chroot/proc
[root@2core local]# mount -t proc proc /chroot/proc
至此,jdk才算完成配置,這時,讓我們檢視一下啟動JDK需要用到下面幾個庫,需要注意的是,庫檔案的位置及名字有可能在不同的版本系統中有差别,但一般都可以根據相關的報錯資訊,找到相應庫檔案,并複制過來就OK了
ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libjli.so libm.so.6 libpthread.so.0
二、以下開始配置tomcat了,把tomcat将在/chroot/usr/local這個目錄下運作
[root@2core local]# mkdir /chroot/usr/local
[root@2core local]# mv apache-tomcat-6.0.41-src /chroot/usr/local/tomcat
[root@2core local]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
chroot: failed to run command `/usr/local/tomcat/bin/catalina.sh': Permission denied
[root@2core local]# ls /chroot/usr/local/tomcat/bin/catalina.sh -al
-rw-r--r--. 1 root root 17717 5月 19 18:51 /chroot/usr/local/tomcat/bin/catalina.sh
[root@2core local]# chmod 755 /chroot/usr/local
[root@2core local]# chmod 755 /chroot/usr/local/tomcat/bin/*.sh
chroot: failed to run command `/usr/local/tomcat/bin/catalina.sh': No such file or directory
再次[root@2core local]# strace chroot /chroot /usr/local/tomcat/bin/catalina.sh start
留意末部資訊
execve("/usr/local/tomcat/bin/catalina.sh", ["/usr/local/tomcat/bin/catalina.s"..., "start"], [/* 25 vars */]) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "chroot: ", 8chroot: ) = 8
write(2, "failed to run command `/usr/loca"..., 57failed to run command `/usr/local/tomcat/bin/catalina.sh') = 57
open("/usr/share/locale/zh_CN.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh_CN/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/zh/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": No such file or directory", 27: No such file or directory) = 27
write(2, "\n", 1
) = 1
close(1) = 0
close(2) = 0
exit_group(127) = ?
因為啟動tomcat的是一個shell的腳本,是以,在chroot裡還需要一個運作bash shell的環境
[root@2core local]# cd /chroot/
[root@2core chroot]# mkdir -p bin
[root@2core chroot]# cp /bin/bash bin/
[root@2core chroot]# ln -s /bin/bash bin/sh
[root@2core chroot]# cd lib64
[root@2core lib64]# pwd
/chroot/lib64
[root@2core lib64]# ldd /bin/bash
linux-vdso.so.1 => (0x00007fff2536e000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f0c47bb5000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f0c479b1000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0c4761d000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0c47ddf000)
[root@2core lib64]# cp /lib64/libtinfo.so.5 /chroot/lib64/
[root@2core lib64]# cp /lib64/libdl.so.2 /chroot/lib64/
cp:是否覆寫"/chroot/lib64/libdl.so.2"? n
[root@2core lib64]# cp /lib64/libc.so.6 /chroot/lib64/
cp:是否覆寫"/chroot/lib64/libc.so.6"? n
[root@2core lib64]# cp /lib64/ld-linux-x86-64.so.2 /chroot/lib64/
cp:是否覆寫"/chroot/lib64/ld-linux-x86-64.so.2"? n
測試 bash是否可以在chroot下正常運作,由于這前已經複制部分的庫,是以會提示是否覆寫
[root@2core lib64]# chroot /chroot /bin/bash
bash-4.1# pwd
/
注意,這時的bash shell提示符已經改變了,這說明已經可以在chroot下正常啟動bash了
bash-4.1# ls
bash: ls: command not found
bash-4.1# exit
exit
[root@2core lib64]#
再次啟動tomcat,報錯的内容已經不一樣了,報錯的内容很詳細,就是有幾個指令找不到,那麼,我們把這些指令及相應的庫複制到chroot的相應目錄即可
[root@2core lib64]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
/usr/local/tomcat/bin/catalina.sh: line 89: uname: command not found
/usr/local/tomcat/bin/catalina.sh: line 109: dirname: command not found
Cannot find //bin/setclasspath.sh
This file is needed to run this program
[root@2core lib64]# cp /bin/uname /chroot/bin/
[root@2core lib64]# mkdir - /chroot/usr/bin
[root@2core lib64]# cp /usr/bin/dirname /chroot/usr/bin/
[root@2core lib64]# ldd /bin/uname
linux-vdso.so.1 => (0x00007fff4b5ff000)
libc.so.6 => /lib64/libc.so.6 (0x00007fcfde5b8000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcfde954000)
[root@2core lib64]# ldd /usr/bin/dirname
linux-vdso.so.1 => (0x00007fffb93ea000)
libc.so.6 => /lib64/libc.so.6 (0x00007f8ad0266000)
/lib64/ld-linux-x86-64.so.2 (0x00007f8ad0602000)
[root@2core lib64]# ls /chroot/lib64
- ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libjli.so libm.so.6 libpthread.so.0 libtinfo.so.5
相關的庫之前已經複制了,是以,這裡就不需要再複制,再次運作comcat
Neither the JAVA_HOME nor the JRE_HOME environment variable is defined
At least one of these environment variable is needed to run this program
這次報錯的是環境變量的問題,把變量加進去限可,我們先看看catalina.sh這個檔案,裡面調用了setclasspath.sh 而報錯的内容便在setclasspath.sh腳本裡。是以,我在setclasspath.sh設定JAVA_HOME變量
[root@2core bin]# vi /chroot/usr/local/tomcat/bin/setclasspath.sh
# Make sure prerequisite environment variables are set
export JAVA_HOME=/usr/java/jdk1.7.0_45
export JRE_HOME=/usr/java/jdk1.7.0_45/jre
if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then
if $darwin; then
# Bugzilla 54390
if [ -x '/usr/libexec/java_home' ] ; then
export JAVA_HOME=`/usr/libexec/java_home`
# Bugzilla 37284 (reviewed).
elif [ -d "/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home" ]; then
export JAVA_HOME="/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home"
fi
else
JAVA_PATH=`which java 2>/dev/null`
if [ "x$JAVA_PATH" != "x" ]; then
JAVA_PATH=`dirname $JAVA_PATH 2>/dev/null`
JRE_HOME=`dirname $JAVA_PATH 2>/dev/null`
if [ "x$JRE_HOME" = "x" ]; then
# XXX: Should we try other locations?
if [ -x /usr/bin/java ]; then
JRE_HOME=/usr
fi
fi
if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then
echo "Neither the JAVA_HOME nor the JRE_HOME environment variable is defined"
echo "At least one of these environment variable is needed to run this program"
exit 1
fi
"setclasspath.sh" 119L, 4252C written
再次運作,還是出錯,但已經接近成功了,
[root@2core bin]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start
/usr/local/tomcat/bin/catalina.sh: line 193: tty: command not found
Using CATALINA_BASE: /usr/local/tomcat
Using CATALINA_HOME: /usr/local/tomcat
Using CATALINA_TMPDIR: /usr/local/tomcat/temp
Using JRE_HOME: /usr/java/jdk1.7.0_45/jre
Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar
/usr/local/tomcat/bin/catalina.sh: line 354: touch: command not found
/usr/local/tomcat/bin/catalina.sh: line 371: /usr/local/tomcat/logs/catalina.out: No such file or directory
報錯還是由相關系統指令調用及檔案權限的引用的,打它複制過來
[root@2core bin]# cp /bin/touch /chroot/bin/
[root@2core bin]# ldd /bin/touch
linux-vdso.so.1 => (0x00007fff9343f000)
librt.so.1 => /lib64/librt.so.1 (0x00007fbd55ccc000)
libc.so.6 => /lib64/libc.so.6 (0x00007fbd55939000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fbd5571b000)
/lib64/ld-linux-x86-64.so.2 (0x00007fbd55edd000)
[root@2core bin]# cp /lib64/librt.so.1 /chroot/lib64/
[root@2core bin]# mkdir /chroot/usr/local/tomcat/logs
[root@2core bin]# chmod 666 /chroot/usr/local/tomcat/logs
[root@2core bin]#
把tty這個程式複制過來
[root@2core bin]# cp /usr/bin/tty /chroot/usr/bin/
[root@2core bin]# ldd /usr/bin/tty
linux-vdso.so.1 => (0x00007fff1f5ff000)
libc.so.6 => /lib64/libc.so.6 (0x00007f82f2cd9000)
/lib64/ld-linux-x86-64.so.2 (0x00007f82f3075000)
終于無報錯了,大功造成了?怎麼回事,java 程序還是起不來
[root@2core bin]# ps auxf|grep java
root 1449 0.0 0.0 103240 852 pts/1 S+ 11:46 0:00 \_ grep java
檢視下了上tomcat的日志
[root@2core local]# more /chroot/usr/local/tomcat/logs/catalina.out
Error: Could not find or load main class org.apache.catalina.startup.Bootstrap
[root@2core local]# ls /chroot/usr/local/tomcat/bin/bootstrap.jar
ls: 無法通路/chroot/usr/local/tomcat/bin/bootstrap.jar: 沒有那個檔案或目錄
原來是這個包缺少一個檔案
重新從官方網站下載下傳了一個完整的包,解壓
#wget http://mirror.bit.edu.cn/apache/tomcat/tomcat-6/v6.0.41/bin/apache-tomcat-6.0.41.tar.gz
[root@2core local]# cd /chroot/usr/local/
[root@2core local]# ls
tomcat
[root@2core local]# mv tomcat tomcat.bak
[root@2core local]# mv /usr/local/apache-tomcat-6.0.41 ./tomcat
并在/chroot/usr/local/tomcat/bin/setclasspath.sh加入環境變量
再次運作
[root@2core local]# ps auxf|grep java
root 8220 0.0 0.0 103240 852 pts/0 S+ 10:19 0:00 \_ grep java
root 8201 179 6.7 1443396 68980 pts/0 Sl 10:19 0:05 /usr/java/jdk1.7.0_45/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start
![歡迎使用CSDN-markdown編輯器Tomcat的安裝與配置[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)