For a work requirement I needed to create two users on Linux, one for SSH and one for MySQL, so that after each account connects to the jump host it can only run a limited set of commands (the SSH user only ssh, the MySQL user only mysql).
The approach below is one chroot jail per user, entered through pam_chroot. The restriction comes entirely from what is copied into the jail: each user still gets an interactive bash and can run any binary present there, so keep the command list minimal and never copy in anything setuid.
Result for the MySQL account after chroot:
Result for the SSH account after chroot:
Steps

Edit system-auth-ac and add the two session lines below. This file is generated by authconfig and is overwritten if authconfig is run again; the "debug" option only adds syslog output and can be dropped once the jail works:

vi /etc/pam.d/system-auth-ac
session required pam_chroot.so debug
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Edit the chroot config file and map each user to its jail directory:

vi /etc/security/chroot.conf
mysql /home/chroot-mysql
ssh /home/chroot-ssh

Edit the sshd PAM file and add the session line (sshd only runs PAM session modules when UsePAM yes is set in /etc/ssh/sshd_config):

vi /etc/pam.d/sshd
session required pam_chroot.so

Adapt the script below to your environment (at minimum the CHROOT variable, which must match the directory named in chroot.conf, and the COMMANDS list), save it as chroot.sh and run it as root with sh chroot.sh. Run it once per jail, i.e. once with CHROOT=/home/chroot-mysql and once with CHROOT=/home/chroot-ssh.
#!/bin/bash
#
# Author: Pravin Rane
#
# This script creates a chroot env. Change the CHROOT variable as per your requirement.
# Tested on RHEL5, CentOS5, Fedora5
# Run it once per jail (e.g. CHROOT=/home/chroot-mysql, then CHROOT=/home/chroot-ssh).

CHROOT="/home/chroot"
echo "chroot is $CHROOT"

echo "Creating directory structure"
mkdir -p $CHROOT
cd $CHROOT || exit 1
mkdir home
mkdir etc
mkdir etc/security
mkdir bin
mkdir lib
mkdir lib64
mkdir usr
mkdir usr/bin
mkdir usr/share
mkdir usr/share/locale
mkdir var
mkdir var/log
mkdir proc
mkdir dev
mkdir dev/pts
mkdir -p usr/lib/locale/

# Device nodes the jailed programs need (ssh reads urandom, bash needs tty/ptmx)
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8
mknod -m 0444 dev/urandom c 1 9
mknod dev/tty c 5 0
chown root:tty dev/tty
chmod 666 dev/tty
mknod dev/ptmx c 5 2

# Copy basic files
echo "Copying config files"
cp -pr /etc/skel /etc/environment /etc/passwd /etc/group /etc/localtime $CHROOT/etc/
cp -p /etc/security/console.handlers /etc/security/pam_env.conf $CHROOT/etc/security/
cp -p /var/log/lastlog $CHROOT/var/log/
cp -pr /usr/share/locale/en /usr/share/locale/en_US /usr/share/locale/locale.alias $CHROOT/usr/share/locale
cp -pr /usr/share/locale/zh_CN /usr/share/locale/zh /usr/share/locale/zh_CN.GB2312 $CHROOT/usr/share/locale
cp -pr /usr/share/i18n $CHROOT/usr/share
cp -pr /usr/lib/locale/locale-archive $CHROOT/usr/lib/locale

# Binaries to place in the jail; add or remove commands as needed
#COMMANDS="/bin/bash /usr/bin/mysql /usr/bin/ssh"
COMMANDS="/bin/bash /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /usr/bin/id /usr/bin/ssh /bin/ping /usr/bin/mysql"

for prog in $COMMANDS; do
    cp $prog ./$prog
    # obtain a list of related libraries
    ldd $prog > /dev/null
    if [ "$?" = 0 ] ; then
        # The library path is the second-to-last field on both "x => /path (addr)"
        # lines and the "/path (addr)" dynamic loader line; only lines containing
        # "/" are used, so linux-vdso and "not found" entries are skipped.
        # (The original 'awk { print $3 } | grep -v 0x' missed the loader line.)
        LIBS=`ldd $prog | awk '/\// { print $(NF-1) }'`
        for l in $LIBS; do
            mkdir -p ./`dirname $l` > /dev/null 2>&1
            cp -p $l ./$l
        done
    fi
done

# For ssh "You don't exist, go away": NSS modules are dlopen'ed, so ldd does not list them
cp -pr /lib64/libnss_* $CHROOT/lib64/
if [ $? -eq 0 ]; then
    echo ".."
    echo "Chroot is successfully created at $CHROOT"
    echo "1. Mount proc and devpts now using following commands"
    echo "mount proc $CHROOT/proc -t proc"
    echo "mount devpts $CHROOT/dev/pts -t devpts -o gid=5,mode=620"
    echo ""
    echo "2. Do the changes in syslogd as mentioned in script and restart it."
    # i.e. add "-a $CHROOT/dev/log" to SYSLOGD_OPTIONS in /etc/sysconfig/syslog
    echo "Your syslogd's extra socket should be at $CHROOT/dev/log"
    echo ""
    echo "As root run command \"chroot $CHROOT\" to test your setup"
fi
If chroot $CHROOT /bin/bash fails with "No such file or directory" even though /bin/bash was copied, a shared library is missing from the jail; in practice this is usually the dynamic loader /lib64/ld-linux-x86-64.so.2, which the copy lists below start with.
List everything ldd resolves for a binary on the host:

for i in `ldd /bin/bash`; do echo $i; done | grep -v = | grep -v 0x | grep / | xargs ls -l

Copy the files not yet present in the jail into the matching lib directory of the chroot (lib64 on x86_64).
Example

Save as 1.sh and run with sh 1.sh (MySQL jail). cp -av copies a symlink such as libc.so.6 as a symlink, which is why its target (libc-2.12.so, etc.) is copied alongside it:

cp -av /lib64/ld-linux-x86-64.so.2 /home/chroot-mysql/lib64
cp -av /lib64/ld-2.12.so /home/chroot-mysql/lib64
cp -av /lib64/libc.so.6 /home/chroot-mysql/lib64
cp -av /lib64/libc-2.12.so /home/chroot-mysql/lib64
cp -av /lib64/libdl.so.2 /home/chroot-mysql/lib64
cp -av /lib64/libdl-2.12.so /home/chroot-mysql/lib64
cp -av /lib64/libtinfo.so.5 /home/chroot-mysql/lib64
cp -av /lib64/libtinfo.so.5.7 /home/chroot-mysql/lib64

Save as 2.sh and run with sh 2.sh (SSH jail):

cp -av /lib64/ld-linux-x86-64.so.2 /home/chroot-ssh/lib64
cp -av /lib64/ld-2.12.so /home/chroot-ssh/lib64
cp -av /lib64/libc.so.6 /home/chroot-ssh/lib64
cp -av /lib64/libc-2.12.so /home/chroot-ssh/lib64
cp -av /lib64/libdl.so.2 /home/chroot-ssh/lib64
cp -av /lib64/libdl-2.12.so /home/chroot-ssh/lib64
cp -av /lib64/libtinfo.so.5 /home/chroot-ssh/lib64
cp -av /lib64/libtinfo.so.5.7 /home/chroot-ssh/lib64
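Resolving a binary's dependencies for the jail, as an added example that is not part of the original post. The hand-written copy lists above are needed because a pattern such as ldd | awk '{print $3}' | grep -v 0x only catches "name => /path" lines and drops the dynamic loader line (/lib64/ld-linux-x86-64.so.2 has no "=>"), so bash fails to start in the jail with "No such file or directory" even though every listed library is present. The helper below parses both line forms, reports what is absent under a given jail root, and copies the missing files in. The jail path, the binary list and the ldd output used for the offline check are constructed assumptions, not output from the original host.

```bash
#!/bin/bash
# Added example, not from the original post: resolve shared-library
# dependencies for a chroot jail, including the dynamic loader.

# Parse ldd output from stdin and print one absolute library path per line.
# Handles both forms ldd prints:
#   libc.so.6 => /lib64/libc.so.6 (0x...)     path is the first field starting with "/"
#   /lib64/ld-linux-x86-64.so.2 (0x...)       loader line, no "=>"
# Lines without a "/" (linux-vdso.so.1, "not found", "not a dynamic executable") are skipped.
libs_from_ldd() {
    awk '/\// { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# Read ldd output from stdin; print the libraries that do not exist under jail root $1.
missing_libs() {
    local jail="$1" lib
    libs_from_ldd | while read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}

# Copy binary $2 and every missing dependency into jail root $1, preserving
# modes and resolving symlinks (cp -L), so libc.so.6 lands as a regular file
# and no separate libc-2.12.so copy is needed. Must run as root on the real host.
install_into_jail() {
    local jail="$1" prog="$2" lib
    mkdir -p "$jail$(dirname "$prog")"
    cp -pL "$prog" "$jail$prog"
    ldd "$prog" | missing_libs "$jail" | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -pL "$lib" "$jail$lib"
    done
}

# Constructed ldd output for /bin/bash on an x86_64 host (addresses are made up),
# used for the offline check below.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff2b5ff000)
    libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f1a8c7d3000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f1a8c5cf000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1a8c23a000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1a8c9fc000)'

# Usage on a real host (assumed jail path):
#   for p in /bin/bash /usr/bin/mysql /usr/bin/ssh; do install_into_jail /home/chroot-mysql "$p"; done
# Dry run against a jail, without copying:
#   ldd /bin/bash | missing_libs /home/chroot-mysql
# Offline check with the constructed output:
#   printf '%s\n' "$SAMPLE_LDD" | missing_libs /home/chroot-mysql
```

Two things ldd will never show: NSS modules (libnss_*) are loaded with dlopen at run time, which is why the build script copies them separately for ssh, and cp -p run as root preserves setuid bits, so anything setuid in the command list (ping on RHEL-family hosts) arrives in the jail still setuid; check the list before running install_into_jail.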
After the script has run, mount proc and devpts inside the jail (repeat for every jail directory named in chroot.conf; these mounts do not survive a reboot, so add them to /etc/fstab or rc.local as well):

mount proc /home/chroot/proc -t proc
mount devpts /home/chroot/dev/pts -t devpts -o gid=5,mode=620

Create an empty directory named after the user under home/ in each new chroot (login fails without it):

cd /home/chroot-mysql/home
mkdir mysql
cd /home/chroot-ssh/home
mkdir ssh

Add Chinese locale support. The script above already does this when run as-is; repeat it only if those lines were removed (run from inside $CHROOT):

mkdir -p usr/lib/locale/
cp -pr /usr/lib/locale/locale-archive $CHROOT/usr/lib/locale

In the jailed SSH user's .bash_profile under chroot-ssh (/home/chroot-ssh/home/ssh/.bash_profile) add the line below. It must be exported, otherwise ssh and mysql started from that shell do not inherit it:

export LANG=zh_CN.UTF-8
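Auditing the finished jails, as an added example that is not part of the original post. It reads the chroot.conf mappings, checks that each jail exists with the home/<user> directory and the device nodes the build script creates, and lists any setuid or setgid file that ended up inside: chroot does not confine a process running as root, so a setuid-root binary such as ping copied in with cp -p is a foothold, not a convenience. The function that builds a throwaway tree exists so the checks can be run offline; its paths and sample chroot.conf are constructed, and the real entry point is audit_all against /etc/security/chroot.conf.

```bash
#!/bin/bash
# Added example, not from the original post: audit pam_chroot jails after building them.

# Print "user jail" pairs from a chroot.conf-style file ($1); comments and blank lines skipped.
chroot_mappings() {
    awk '!/^[[:space:]]*#/ && NF >= 2 { print $1, $2 }' "$1"
}

# Audit one jail ($2) for user $1. Prints one finding per line; prints nothing if clean.
audit_jail() {
    local user="$1" jail="$2" dev f
    if [ ! -d "$jail" ]; then
        echo "$user: jail $jail does not exist"
        return 0
    fi
    # pam_chroot enters the jail and the shell then starts in the user's home
    # relative to it, so $jail/home/$user must exist or the login fails.
    [ -d "$jail/home/$user" ] || echo "$user: missing $jail/home/$user"
    # Device nodes the build script creates; ssh reads urandom, bash needs tty/ptmx.
    for dev in null zero urandom tty ptmx; do
        [ -e "$jail/dev/$dev" ] || echo "$user: missing $jail/dev/$dev"
    done
    # chroot does not confine root, so a setuid-root binary inside the jail is a
    # privilege-escalation foothold: the command list should never carry one.
    find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while read -r f; do echo "$user: setuid/setgid file in jail: $f"; done
}

# Audit every mapping in a chroot.conf file ($1).
audit_all() {
    chroot_mappings "$1" | while read -r user jail; do
        audit_jail "$user" "$jail"
    done
}

# Build a throwaway tree for an offline run (constructed paths; never point this
# at a real jail): a clean jail for mysql and a broken one for ssh with no home
# directory, no /dev/urandom and a setuid file. Prints the chroot.conf path.
make_demo_tree() {
    local root dev
    root=$(mktemp -d)
    mkdir -p "$root/chroot-mysql/home/mysql" "$root/chroot-mysql/dev"
    for dev in null zero urandom tty ptmx; do : > "$root/chroot-mysql/dev/$dev"; done
    mkdir -p "$root/chroot-ssh/home" "$root/chroot-ssh/dev" "$root/chroot-ssh/bin"
    for dev in null zero tty ptmx; do : > "$root/chroot-ssh/dev/$dev"; done
    : > "$root/chroot-ssh/bin/ping"
    chmod 4755 "$root/chroot-ssh/bin/ping"
    printf '# user  jail\nmysql  %s/chroot-mysql\nssh    %s/chroot-ssh\n' "$root" "$root" > "$root/chroot.conf"
    echo "$root/chroot.conf"
}

# Real use:  audit_all /etc/security/chroot.conf
# Offline:   audit_all "$(make_demo_tree)"
```

Run audit_all after every rebuild of a jail, not just once: re-running the build script with a longer COMMANDS list is exactly how a setuid binary slips in.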