1 November 2003, DocBook Edit by pibonazi (at) hotmail.com : 3 November 2003
Copyright in this document belongs to the named author. Anyone may distribute the document; if the content needs correcting, you must get permission first. Distributing an arbitrarily modified copy is punishable under copyright law. Typos and mistakes will not be fixed, and I would like to leave this as a Plat document. Read it carefully and build a secure server with chroot.
Fighting~ :=).
Chroot needs no introduction. Personally I call it Change Root. It temporarily replaces the top-level directory. The man page puts it as follows.
NAME
chroot - run command or interactive shell with special root directory
That is, the top-level directory of a Linux system is /. However, you can create a directory such as /chroot and switch the top-level directory over to it. That is chroot, and the glibc library provides a C function named chroot. The chroot binary is built on this function.
---------------------------------------------------------------------------
[root@localhost root]# ls -al /usr/sbin/chroot
-rwxr-xr-x 1 root root 11232 2월 19 2003 /usr/sbin/chroot
[root@localhost root]#
---------------------------------------------------------------------------
However, if you point chroot at just any directory, it will certainly fail. The directory must contain certain things: at a minimum the shell binary and every library the shell needs in order to run. It is also good to add the necessary configuration files. That is:
/chroot/bin
/chroot/etc
/chroot/lib
/chroot/usr
/chroot/tmp
/chroot/var
/chroot/dev
You rebuild the directories and the files they need in this way, just like the real top-level directory of a Linux system. Understood?
bin needs the Bourne shell (bash) we will use, and also the binaries to be used inside the chroot, for example ls, cp, mv, rm, mkdir ....
etc only needs a few files: cloned copies of passwd, shadow, group, hosts .... for use inside the chroot only.
lib goes without saying. Copy here every library file required by the binaries that will run after entering the chroot.
usr: /usr/local/apache and /usr/local/mysql will keep the paths they were installed under on the original system, so later we simply move over the files needed to run Apache and the database server as they are. The directories themselves..;;
tmp needs nothing.
var needs nothing special either; just create a run directory and a logs directory.
Finally, for dev it is enough to create the commonly used /dev/null (the null device) with mknod.
That completes the overview of chroot. Finally, shall we take a brief look at the man page for the chroot C function introduced above?
# man 2 chroot
---------------------------------------------------------------------------
CHROOT(2) 리눅스 프로그래머 메뉴얼 CHROOT(2)
이름
chroot - 루트 디렉토리를 바꾼다.
사용법
#include <unistd.h>
int chroot(const char *path);
---------------------------------------------------------------------------
#include <stdio.h>
#include <unistd.h>

int main(void) {
    /* chroot() needs root privileges and does not change the working directory */
    int ret = chroot("/chroot");
    if (ret == 0) printf("chroot 작동 성공\n");  /* "chroot succeeded" */
    else printf("chroot 작동 실패\n");           /* "chroot failed" */
    return 0;
}
Source as simple as this does the job.
It returns 0 on success and -1 otherwise. Anyone who knows C will recognize the pattern.
Let's move on.
APM is the collective name for Apache, PHP and MySQL.
A = the open Apache web server ( uses port 80 )
P = the open PHP web programming language ( made up of )
M = the open MySQL database server ( uses port 3306 )
PHP runs on top of the Apache web server: the PHP module is loaded into Apache. MySQL's directory is given when PHP is configured; the PHP module sends queries to the MySQL server, exchanges database information with it, and presents the result, suitably prepared, to the web visitor connected to the web server.
A site built this way appears on the web as http://domain/file.php or php3 and so on; in some cases PHP script is inserted, in the form, even into htm and html files and runs from there.
If you are not sure where this is used, here are some examples.
Web applications such as bulletin boards, membership services, file archives, shopping malls, mailing lists, guestbooks and so on. Any netizen runs into these all the time.
I trust you now understand APM. There are countless installation manuals, but to stay focused on its topic this document does not cover server installation. For installation, please read and follow a relevant book or the following link.
http://linux.co.kr/theme/pageview.html?ca=200101=28=apm=나만의%20웹서버%20꾸미기
From here on, the document assumes that the Apache web server is installed in /usr/local/apache and the MySQL database in /usr/local/mysql.
I chose the title because it reminded me of 'Dolly the cloned sheep', which demonstrated our gene-cloning technology. Is that all right? BreakBreak (a very abstruse word: alien language. DocBook editor's note: the alien language cannot be entered into the wiki. -_-;) ..;;
You may be wondering what this chapter is going to cover that deserves such a lame joke. It is simple. As explained earlier for chroot, it is about rebuilding the directories and the necessary files. This chapter goes through exactly what has to be rebuilt.
I am writing this in the small hours, and doing everything over again would make the writing take much longer, so I will connect to a server I set up earlier, capture its output, and explain it part by part.
Please bear with me ..
---------------------------------------------------------------------------
[root@koreasecurity /]# ls -al / | grep chroot
drwxr-xr-x 13 root root 4096 10월 28 19:32 chroot
[root@koreasecurity /]#
---------------------------------------------------------------------------
It has the default permissions, 755, and is owned by root.
It was created with mkdir /chroot. This is the directory that chroot will switch to as the top-level directory. Clear so far?
Now let's go into the /chroot directory and go over it piece by piece.
---------------------------------------------------------------------------
[root@koreasecurity /]# cd /chroot
[root@koreasecurity chroot]# ls
bin dev etc home lib lost+found root sbin tmp usr var
[root@koreasecurity chroot]# pwd
/chroot
[root@koreasecurity chroot]#
---------------------------------------------------------------------------
It has been rebuilt like the top-level directory.
Let's start with bin.
---------------------------------------------------------------------------
[root@koreasecurity chroot]# cd bin
[root@koreasecurity bin]# ls
arch cut gawk ls rm touch
ash date gettext mkdir rmdir true
ash.static dd grep mknod rpm umount
awk df gtar mktemp rvi uname
basename dnsdomainname gunzip more rview unicode_start
bash doexec gzip mount sed unicode_stop
bash2 domainname hostname mt setfont unlink
bsh dumpkeys igawk mv setserial usleep
cat echo ipcalc netstat sh vi
chgrp ed kbd_mode nice sleep view
chmod egrep kill nisdomainname sort ypdomainname
chown env link pgawk stty zcat
cp ex ln ps sync
cpio false loadkeys pwd tar
csh fgrep login red tcsh
[root@koreasecurity bin]# pwd
/chroot/bin
[root@koreasecurity bin]#
---------------------------------------------------------------------------
As you can see, /bin has been copied over. Visitors arriving through the web have little use for these commands, so you may delete all but a few, but I left them in place for generality. The binaries here are the command files that will be used inside once chroot has turned /chroot into /.
Next, shall we look at etc?
---------------------------------------------------------------------------
[root@koreasecurity bin]# cd ..
[root@koreasecurity chroot]# cd etc
[root@koreasecurity etc]# pwd
/chroot/etc
[root@koreasecurity etc]# ls
group hosts localtime my.cnf nsswitch.conf passwd resolv.conf shadow
[root@koreasecurity etc]#
---------------------------------------------------------------------------
The files here are a few of the files in /etc, copied with the cp command. Here is what each one does.
group : the file listing the groups that collect the users of the Linux system
hosts : the list of IP addresses/domains/hostnames of the hosts known to the system
localtime : apparently the file that holds the local time. (I am not really sure, blabla)
my.cnf : the MySQL configuration file (this one was not in /etc; it was created)
nsswitch.conf : the configuration file related to the name server switch. (probably not really needed)
passwd : the list of Linux account information
resolv.conf : the file listing the name servers the Linux box will use
shadow : the list of encrypted password hashes for the accounts in the passwd file
That is roughly it. Of these files, give only shadow permission 700 and leave read permission open on all the rest, as below.
---------------------------------------------------------------------------
[root@koreasecurity etc]# ls -al *
-rw-r--r-- 1 root root 53 10월 28 20:20 group
-rw-r--r-- 1 root root 147 10월 28 16:46 hosts
-rw-r--r-- 1 root root 152 10월 28 16:46 localtime
-rw-r--r-- 1 root root 218 10월 29 00:13 my.cnf
-rw-r--r-- 1 root root 1750 10월 28 16:46 nsswitch.conf
-rw-r--r-- 1 root root 130 10월 28 20:19 passwd
-rw-r--r-- 1 root root 88 10월 28 16:46 resolv.conf
-rw------- 1 root root 47 10월 28 20:59 shadow
[root@koreasecurity etc]#
---------------------------------------------------------------------------
Before copying the files above, there are a few things we have to do first.
Creating the www (web service) account:
The command to create the account is as follows.
useradd -c "Apache Server" -u 80 -s /bin/bash -d /chroot/usr/local/apache/htdocs www
This creates an account with uid 80 whose shell is /bin/bash (what will actually be used is /chroot/bin/bash). The real authentication system does not consult the account information inside the chroot, but the entry needs to be copied in, which is why we create it.
Then, after copying the files into /chroot/etc, you must delete every entry from the passwd, shadow and group files except the needed accounts (root, www, mysql). To delete, open the file in the vi editor; typing dd (d pressed twice) removes one line at a time.
Let's check the result.
---------------------------------------------------------------------------
[root@koreasecurity etc]# ls
group hosts localtime my.cnf nsswitch.conf passwd resolv.conf shadow
[root@koreasecurity etc]# cat passwd
root:x:0:0:root:/root:/bin/bash
www:x:80:80:Apache Server:/usr/local/apache:/bin/bash
mysql:x:500:500::/usr/local/mysql:/bin/bash
[root@koreasecurity etc]# cat shadow
www:!!:12353::::::
mysql:!!:12353:0:99999:7:::
[root@koreasecurity etc]# cat group
root:x:0:root
wheel:x:10:root
www:x:80:
mysql:x:500:
[root@koreasecurity etc]# cat my.cnf
[mysqld]
user=root
datadir=/usr/local/mysql/data
socket=/tmp/mysql.sock
skip-innodb
[client]
user=root
socket=/tmp/mysql.sock
[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/usr/local/mysql/data/mysqld.pid
[root@koreasecurity etc]#
---------------------------------------------------------------------------
How about that? I removed root's entry from the shadow file because it would expose root's encrypted password. Since this is not the real /etc/shadow, there is nothing to worry about. That completes the editing.
If you want more security, once all the work on the files is finished you can lock them with the chattr command to prevent tampering. After that, as shown below, they cannot be deleted even by the root account unless they are unlocked with chattr -i. Only the root account can use chattr, but since that binary will not be copied into the chroot, an attacker who gets in through the web will not be able to delete them.
---------------------------------------------------------------------------
[root@koreasecurity etc]# ls
group hosts localtime my.cnf nsswitch.conf passwd resolv.conf shadow
[root@koreasecurity etc]# chattr +i *
[root@koreasecurity etc]# rm -rf *
rm: cannot chdir from `.' to `group': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `hosts': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `localtime': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `my.cnf': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `nsswitch.conf': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `passwd': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `resolv.conf': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `shadow': 디렉토리가 아닙니다
[root@koreasecurity etc]# ls
group hosts localtime my.cnf nsswitch.conf passwd resolv.conf shadow
[root@koreasecurity etc]#
---------------------------------------------------------------------------
See? Not a single one gets deleted.
That finishes etc; let's look at the next one.
---------------------------------------------------------------------------
[root@koreasecurity etc]# cd ..
[root@koreasecurity chroot]# cd dev
[root@koreasecurity dev]# ls -al
합계 12
drwxr-xr-x 2 root root 4096 10월 28 21:45 .
drwxr-xr-x 13 root root 4096 10월 28 19:32 ..
crw-rw-rw- 1 root root 1, 3 10월 28 16:45 null
-rw-r--r-- 1 root root 16 10월 30 05:10 tty
[root@koreasecurity dev]# pwd
/chroot/dev
[root@koreasecurity dev]#
---------------------------------------------------------------------------
This is dev, the place where devices go. Basically only one device needs to be created: the null device. It lives at /dev/null, and because it is a device it cannot simply be copied; it has to be created with mknod.
Usage is simple.
---------------------------------------------------------------------------
[root@koreasecurity dev]# ls -al /dev/null
crw-rw-rw- 1 root root 1, 3 8월 31 2002 /dev/null
[root@koreasecurity dev]#
---------------------------------------------------------------------------
As you can see, the middle of that line reads (1, 3).
Read off these numbers and use them as they are. (blabla)
---------------------------------------------------------------------------
[root@koreasecurity dev]# rm -rf null
[root@koreasecurity dev]# ls
tty
[root@koreasecurity dev]# mknod null 1 3
mknod: 인수의 개수가 잘못되었습니다
더 많은 정보를 얻으러면 `mknod --help'명령을 하십시오.
[root@koreasecurity dev]# mknod null c 1 3
[root@koreasecurity dev]# ls
null tty
[root@koreasecurity dev]# ls -al
합계 12
drwxr-xr-x 2 root root 4096 11월 1 02:37 .
drwxr-xr-x 13 root root 4096 10월 28 19:32 ..
crw-r--r-- 1 root root 1, 3 11월 1 02:37 null
-rw-r--r-- 1 root root 16 10월 30 05:10 tty
[root@koreasecurity dev]#
---------------------------------------------------------------------------
So it takes three arguments. See the c bit at the front? I read that off the listing too and wrote it in.
That creates the null device. The tty device does not have to be created on purpose; it gets created when you log in through chroot.
Next..
---------------------------------------------------------------------------
[root@koreasecurity dev]# cd ..
[root@koreasecurity chroot]# cd home
[root@koreasecurity home]# ls
[root@koreasecurity home]# ls -al
합계 8
drwxr-xr-x 2 root root 4096 10월 28 16:35 .
drwxr-xr-x 13 root root 4096 10월 28 19:32 ..
[root@koreasecurity home]#
---------------------------------------------------------------------------
The home directory is not really needed, because no actual account service will be offered inside this chroot (you may delete this directory).
Next comes the directory where the many library files are gathered.
---------------------------------------------------------------------------
[root@koreasecurity home]# cd ..
[root@koreasecurity chroot]# rmdir home
[root@koreasecurity chroot]# cd lib
[root@koreasecurity lib]# ls
ld-linux.so.2 libnss1_files-2.2.93.so libnss_ldap.so.2
libacl.so.1 libnss1_files.so.1 libnss_nis-2.2.93.so
libattr.so.1 libnss1_nis-2.2.93.so libnss_nis.so.1
libc.so.6 libnss1_nis.so.1 libnss_nis.so.2
libcrypt.so.1 libnss_compat-2.2.93.so libnss_nisplus-2.2.93.so
libdl.so.2 libnss_compat.so.1 libnss_nisplus.so.2
libexpat.so.0 libnss_compat.so.2 libpam.so.0
libexpat.so.0.3.0 libnss_dns-2.2.93.so libpam_misc.so.0
libgcc_s.so.1 libnss_dns.so.1 libproc.so.2.0.7
libm.so.6 libnss_dns.so.2 libpthread.so.0
libncurses.so.5 libnss_files-2.2.93.so libresolv.so.2
libnsl.so.1 libnss_files.so.1 librt.so.1
libnss1_compat-2.2.93.so libnss_files.so.2 libstdc++.so.5
libnss1_compat.so.1 libnss_hesiod-2.2.93.so libtermcap.so.2
libnss1_dns-2.2.93.so libnss_hesiod.so.2 libz.so.1
libnss1_dns.so.1 libnss_ldap-2.2.90.so
[root@koreasecurity lib]#
---------------------------------------------------------------------------
The lib (library) directory holds copies of the libraries that every binary running inside the chroot depends on. How to find out which library files are needed is covered in the next chapter. (In the 'runaway libraries' part.. hehe)
The lost+found directory is not actually needed, but I created it. (blabla)
The root directory imitates /root. It can be left out, but it is there so that the chroot is not easily revealed to an attacker. Create it if you need it.
The sbin directory, like /bin, holds copies of the needed tools. If that is too much trouble, run cp -R /sbin /chroot and copy it wholesale.
Next, the tmp directory is where temporary files are worked on; simply create it.
---------------------------------------------------------------------------
[root@koreasecurity chroot]# ls -al | grep tmp
drwxrwxrwt 2 root root 4096 11월 1 01:47 tmp
[root@koreasecurity chroot]# cd tmp
[root@koreasecurity tmp]# ls
mysql.sock
[root@koreasecurity tmp]#
---------------------------------------------------------------------------
Create the directory with mkdir tmp, then set its permissions with chmod 1777 tmp. Here the 1 is the t (temp) bit shown at the end, and 777 is rwxrwxrwx. If the permissions are not rwxrwxrwx, mysql's temporary socket file mysql.sock cannot be created properly and the web server reports errors when it starts, so set the permissions correctly.
Ah.. there really are a lot of directories. (Explaining all this is hard work.. ~_~)
The usr directory is where apache, mysql and so on go under usr/local, together with the libraries or include (header) files they need and the usr/bin files.
Shall we take a look? Pay attention ..
---------------------------------------------------------------------------
[root@koreasecurity tmp]# cd ..
[root@koreasecurity chroot]# cd usr
[root@koreasecurity usr]# ls
bin include lib local sbin share
[root@koreasecurity usr]#
---------------------------------------------------------------------------
bin : a straight copy of usr/bin.
include :
---------------------------------------------------------------------------
[root@koreasecurity usr]# pwd
/chroot/usr
[root@koreasecurity usr]# cd include
[root@koreasecurity include]# ls
mysql
[root@koreasecurity include]# cd mysql
[root@koreasecurity mysql]# ls
chardefs.h m_ctype.h my_net.h mysql_com.h sslopt-case.h
dbug.h m_string.h my_no_pthread.h mysql_version.h sslopt-longopts.h
errmsg.h my_config.h my_pthread.h mysqld_error.h sslopt-usage.h
history.h my_global.h my_sys.h raid.h sslopt-vars.h
keymaps.h my_list.h mysql.h readline.h tilde.h
[root@koreasecurity mysql]#
---------------------------------------------------------------------------
include/mysql holds the header files created when mysql was installed; the originals are in /usr/include/mysql. Copy them over as they are. They will be used later when writing C source that works with mysql.
lib :
---------------------------------------------------------------------------
[root@koreasecurity usr]# cd lib
[root@koreasecurity lib]# ls
mysql
[root@koreasecurity lib]# cd mysql
[root@koreasecurity mysql]# ls
libdbug.a libmyisammrg.a libmysqlclient.so.10 libnisam.a
libheap.a libmysqlclient.a libmysqlclient.so.10.0.0
libmerge.a libmysqlclient.la libmystrings.a
libmyisam.a libmysqlclient.so libmysys.a
[root@koreasecurity mysql]#
---------------------------------------------------------------------------
These are files that came with the mysql installation: the library files mysql needs in order to run. They were installed in /usr/lib/mysql; copy them over as they are.
sbin : likewise, copy /usr/sbin over as it is.
Finally, let's look at share.
---------------------------------------------------------------------------
[root@koreasecurity mysql]# cd ..
[root@koreasecurity include]# cd ..
[root@koreasecurity usr]# cd share
[root@koreasecurity share]# ls
man man1 man2 man3 man4 man5 man6 man7 man8 man9 mann mysql pt_BR
[root@koreasecurity share]# cd mysql
[root@koreasecurity mysql]# ls
binary-configure greek my-large.cnf portuguese
charsets hungarian my-medium.cnf romanian
czech italian my-small.cnf russian
danish japanese mysql-3.23.58.spec slovak
dutch korean mysql-log-rotate spanish
english make_binary_distribution mysql.server swedish
estonian mi_test_all norwegian ukrainian
french mi_test_all.res norwegian-ny
german my-huge.cnf polish
[root@koreasecurity mysql]#
---------------------------------------------------------------------------
Again this is /usr/share copied over, the directory that contains shared files. It holds the shared files for mysql as well. Copy them over.
---------------------------------------------------------------------------
[root@koreasecurity mysql]# cd ..
[root@koreasecurity share]# cd ..
[root@koreasecurity usr]# cd local
[root@koreasecurity local]# ls
apache bin etc include k_sec lib mysql share
[root@koreasecurity local]# pwd
/chroot/usr/local
[root@koreasecurity local]#
---------------------------------------------------------------------------
As mentioned, usr/local holds copies of the entire default-installed /usr/local/apache directory and the mysql directory, and the same goes for bin. The rest were copied too; their contents look like this.
---------------------------------------------------------------------------
[root@koreasecurity local]# cd etc
[root@koreasecurity etc]# ls
pear.conf
[root@koreasecurity etc]#
[root@koreasecurity etc]# cd ..
[root@koreasecurity local]# cd include
[root@koreasecurity include]# ls
php
[root@koreasecurity include]# cd php
[root@koreasecurity php]# ls
TSRM Zend acconfig.h ext main regex
[root@koreasecurity php]#
[root@koreasecurity php]# cd ..
[root@koreasecurity include]# cd ..
[root@koreasecurity local]# cd lib
[root@koreasecurity lib]# ls
php
[root@koreasecurity lib]# cd php
[root@koreasecurity php]# ls
Archive DB.php Mail.php PEAR XML doc test
Console HTTP.php Net PEAR.php build extensions
DB Mail OS System.php data pearcmd.php
[root@koreasecurity php]# cd ..
[root@koreasecurity lib]# cd ..
[root@koreasecurity local]# pwd
/chroot/usr/local
[root@koreasecurity local]# cd share
[root@koreasecurity share]# pwd
/chroot/usr/local/share
[root@koreasecurity share]# ls
info man
[root@koreasecurity share]# cd ..
[root@koreasecurity local]# cd ..
[root@koreasecurity usr]#
---------------------------------------------------------------------------
These too were simply copied over. They are all files APM needs in order to run, so they were placed at the same paths they were installed under, treating /chroot as /. Makes sense, right?
Haha, getting through a single chapter is really hard work.. on to the next chapter ..
After entering with chroot (/chroot -> /), you try to run the executables and get errors? English error messages saying a library is missing, or something along those lines. In that case you can take it that the library files have run away from home.
Ex) Because of the runaway child, the family cannot sit around the table and enjoy a nice dinner, and is worrying instead. (family = executable, child = library file)
So how do we identify the library files, the children, and bring them back to the home ground (the house)? That is, which files in /lib or /usr/lib really have to be moved into /chroot/lib? That is the question, and the answer is simple.
There is a tool called ldd.
It is used like this, and it shows the path of every library file that a file uses. So just copy them over as needed (it is a little tedious).
---------------------------------------------------------------------------
[root@koreasecurity /]# ldd /bin/bash
libtermcap.so.2 => /lib/libtermcap.so.2 (0x0012a000)
libdl.so.2 => /lib/libdl.so.2 (0x0012f000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]# ldd /bin/ls
libtermcap.so.2 => /lib/libtermcap.so.2 (0x0012a000)
libacl.so.1 => /lib/libacl.so.1 (0x0012f000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libattr.so.1 => /lib/libattr.so.1 (0x00135000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]# ldd /bin/cp
libacl.so.1 => /lib/libacl.so.1 (0x0012a000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libattr.so.1 => /lib/libattr.so.1 (0x00131000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]# ldd /bin/rm
libacl.so.1 => /lib/libacl.so.1 (0x0012a000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libattr.so.1 => /lib/libattr.so.1 (0x00131000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]# ldd /bin/uname
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]#
---------------------------------------------------------------------------
Understand?
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
This line says that the library file at the path /lib/i686/libc.so.6 is needed. So run cp /lib/i686/libc.so.6 /chroot/lib and it is game over. Bringing the runaway libraries (children) home one at a time is the very heart of this tutorial.
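An added example, not part of the original document: a shell helper that automates the ldd step above by parsing ldd output, reporting libraries ldd could not resolve, and copying each resolved library into the jail. It keeps each library at its original path under the jail (the text copies into /chroot/lib directly); the function names and the "not found" sample line are constructed for illustration.

```sh
#!/bin/sh
# Added example: collect the shared libraries a binary needs and stage them
# in a chroot. Function names are illustrative, not from the original page.

# Sample input: the page's `ldd /bin/ls` output plus one constructed
# "not found" line to show the failure case.
SAMPLE_LDD='    libtermcap.so.2 => /lib/libtermcap.so.2 (0x0012a000)
    libacl.so.1 => /lib/libacl.so.1 (0x0012f000)
    libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
    libattr.so.1 => /lib/libattr.so.1 (0x00135000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
    libexample.so.1 => not found'

# ldd_paths: read ldd output on stdin, print each resolved absolute path once.
ldd_paths() {
    awk '
        # "name => /path (address)"
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # bare loader line without "=>": "/lib/ld-linux.so.2 (address)"
        $1 ~ /^\// && $2 != "=>" { print $1 }
    ' | LC_ALL=C sort -u
}

# ldd_missing: print the names ldd could not resolve.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# install_libs JAIL: read absolute paths on stdin and copy each file to the
# same path under JAIL (cp without -R copies the target of a symlink, so the
# jail receives a real file). Returns 1 if any listed file is missing.
install_libs() {
    jail=$1
    rc=0
    while IFS= read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "missing: $lib" >&2
            rc=1
            continue
        fi
        mkdir -p "$jail$(dirname "$lib")" && cp -p "$lib" "$jail$lib" || rc=1
    done
    return "$rc"
}

# jail_binary JAIL BINARY: stage BINARY's libraries; refuse if any is unresolved.
jail_binary() {
    out=$(ldd "$2") || return 1
    if [ -n "$(printf '%s\n' "$out" | ldd_missing)" ]; then
        echo "unresolved libraries for $2" >&2
        return 1
    fi
    printf '%s\n' "$out" | ldd_paths | install_libs "$1"
}

# Demo on the embedded sample (needs neither root nor a real jail).
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
printf '%s\n' "$SAMPLE_LDD" | ldd_missing
```

On a real system the call would be `jail_binary /chroot /bin/bash`, repeated for each binary placed in the jail.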
Now everything is done.
Now it is time to start the servers installed inside the chroot.
It is simple to do. Errors may occur during startup; in that case, consult the manual for the server concerned and resolve them.
Apache startup file : /chroot/usr/local/apache/bin/apachectl
MySQL startup file : /chroot/usr/local/mysql/bin/safe_mysqld
That is where they are.
But once chroot has converted /chroot -> / ..
Apache startup file : /usr/local/apache/bin/apachectl
MySQL startup file : /usr/local/mysql/bin/safe_mysqld
the paths become these. The rest is simple.
Open the /etc/rc.local file in the vi editor and add the two lines below.
chroot /chroot /usr/local/apache/bin/apachectl start
chroot /chroot /usr/local/mysql/bin/safe_mysqld &
Save the file and reboot the system. On reboot the command lines above are executed: the top-level directory is switched to /chroot, then the Apache web server is started, and the mysql daemon is started as well. The system itself does not end up inside; only those two started processes run under the illusion that /chroot is /. ?-.- They are fooled.. (babo)
So starting them is not hard either.
I will skip syslog and things like that.
Not sure whether it is really secure? In general, however they get in through the web, intruders trying to penetrate the system will try to run commands in a shell as the web account (www). So suppose the hackers or PTs who have broken in..
issue the command. What happens? Will the real /etc/passwd be shown? Or will /chroot/etc/passwd be shown?
Naturally, the latter, because the Apache web server is running in the belief that /chroot is /. So the list of important accounts is not exposed.
And even if they work hard (??hacking) and obtain the /etc/shadow file, it is of no use.
Why? Because what they actually get is /chroot/etc/shadow... sob sob..
Likewise, since no important data will be kept in here, the intrusion gains nothing, barring a technique that breaks out of chroot or the system root account's password being left in the mysql database.
Now it can be considered reasonably safe. ( assuming the server does not run with root privileges and no file with a suid bug exists inside the chroot directory )
Confining the web in this way is also called the chroot jail technique.
It is not perfect, but if it is managed well I guarantee it can fully protect you from the pranks of most foolish, ill-prepared hackers.
The heart of this document lies in this: "protecting system information".
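An added example, not from the original document: a shell check for the assumptions stated above (the server does not run as root, no setuid file sits inside the chroot) and for the shadow permissions set earlier. The function names, finding labels and the throwaway sample tree are constructed here; the sample mirrors the /chroot/etc files shown in the text.

```sh
#!/bin/sh
# Added example: audit a chroot tree against the assumptions the text relies on.
# All function names and finding labels are illustrative, not the page's own.

# setuid/setgid files give a confined process a way to gain privileges.
check_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed 's/^/SUID-SGID: /'
    return 0
}

# The jail copy of shadow should be unreadable by group and other, and
# should hold no real hashes (fields made of "!" or "*" mean locked).
check_shadow() {
    f="$1/etc/shadow"
    [ -f "$f" ] || return 0
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || echo "SHADOW-MODE: $f"
    [ -r "$f" ] && awk -F: '$2 != "" && $2 !~ /^[!*]+$/ { print "SHADOW-HASH: " $1 }' "$f"
    return 0
}

# user=root under [mysqld] makes the daemon run as root inside the jail.
check_mycnf() {
    f="$1/etc/my.cnf"
    [ -r "$f" ] || return 0
    awk '
        /^\[/ { section = $0 }
        section == "[mysqld]" && /^[ \t]*user[ \t]*=[ \t]*root[ \t]*$/ {
            print "MYSQLD-ROOT: user=root in [mysqld]"
        }
    ' "$f"
    return 0
}

# audit_jail JAIL: print one finding per line; return 1 if there is any.
audit_jail() {
    findings=$(check_suid "$1"; check_shadow "$1"; check_mycnf "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_jail: build a throwaway tree (constructed sample). The shadow
# and my.cnf contents follow the listings in the text; the setuid file and
# the loose shadow mode are planted so the audit has something to report.
make_sample_jail() {
    j=$(mktemp -d) || return 1
    mkdir -p "$j/etc" "$j/bin"
    printf 'www:!!:12353::::::\nmysql:!!:12353:0:99999:7:::\n' > "$j/etc/shadow"
    chmod 644 "$j/etc/shadow"
    printf '[mysqld]\nuser=root\n[client]\nuser=root\n' > "$j/etc/my.cnf"
    : > "$j/bin/demo"
    chmod 4755 "$j/bin/demo"
    echo "$j"
}

# Demo: audit the sample tree, then remove it.
demo=$(make_sample_jail) && { audit_jail "$demo"; rm -rf "$demo"; }
```

Against the real tree the call is `audit_jail /chroot`, run as root so that every file is visible to find.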
1 November 2003, DocBook Edit by pibonazi (at) hotmail.com : 3 November 2003
º» ¹®¼¿¡ ´ëÇÑ ÀúÀÛ±ÇÀº ¸í½ÃµÈ ÀÛ¼ºÀÚ¿¡°Ô ÀÖ½À´Ï´Ù. ¹®¼¿¡ ´ëÇÑ ¹èÆ÷´Â ¸ðµÎ Çã¿ëÇϸç, ³»¿ëÀÇ Á¤Á¤ÀÌ ÇÊ¿äÇÒ¶§´Â Çã¶ôÀ» ¸ÃÀ¸¼Å¾ß ÇÕ´Ï´Ù. ÀÓÀÇ·Î ¼öÁ¤ÇÏ¿© ¹®¼¸¦ ¹èÆ÷½Ã¿¡´Â ÀúÀ۱ǹý¿¡ µû¶ó ó¹ú ¹Þ½À´Ï´Ù. ¿ÀŸ³ª À߸øµÈ ºÎºÐÀº ¼öÁ¤À» ÇÏÁö ¾ÊÀ»°ÍÀ̸ç, Plat ¹®¼·Î ³²±â°í ½Í½À´Ï´Ù. Àß º¸½Ã°í, chroot ·Î ¾ÈÀüÇÑ ¼¹ö¸¦ ±¸ÃàÇϼ¼¿ä
ÈÀÌÆÃ~ :=).
Chroot ¶ó´Â°ÍÀº ¸»ÀÌ ÇÊ¿ä¾ø½À´Ï´Ù. Àú´Â °³ÀÎÀûÀ¸·Î Change Root ¶ó°í ºÎ¸¨´Ï´Ù. ÃÖ»óÀ§µð·ºÅ丮¸¦ Àӽà ±³Ã¼Çϴ°ÍÀÔ´Ï´Ù. Áï.. ¸ÇÆäÀÌÁö¿¡´Â¾Æ·¡Ã³·³ ³ª¿Í ÀÖ½À´Ï´Ù.
NAME
chroot - run command or interactive shell with special root directory
|
Áï, ¸®´ª½º ½Ã½ºÅÛÀÇ ÃÖ»óÀ§µð·ºÅ丮´Â / ÀÔ´Ï´Ù. ±×·¯³ª /chroot¶ó´Â µð·ºÅ丮¸¦ Çϳª »ý¼ºÇÑµÚ ±× µð·ºÅ丮¸¦ ÃÖ»óÀ§ µð·ºÅ丮·Î ÀüȯÇÒ¼ö°¡ ÀÖ½À´Ï´Ù. ±×°ÍÀÌ Chroot À̸ç, glibc ¶óÀ̺귯¸®·Î chroot ¶ó´Â C¾ð¾î ÇÔ¼ö¸¦ Á¦°øÇÕ´Ï´Ù. ÀÌ ÇÔ¼ö¸¦ ÀÌ¿ëÇؼ ¸¸µé¾îÁø°ÍÀÌ chroot ¹ÙÀ̳ʸ® ÀÔ´Ï´Ù.
---------------------------------------------------------------------------
[root@localhost root]# ls -al /usr/sbin/chroot
-rwxr-xr-x 1 root root 11232 2¿ù 19 2003 /usr/sbin/chroot
[root@localhost root]#
---------------------------------------------------------------------------
|
±×·¯³ª, ¾Æ¹«µð·ºÅ丮³ª ÁöÁ¤ÇÏ°í ±³Ã¼ÇÏ·Á°í ÇÑ´Ù¸é ºÐ¸í ½ÇÆÐÇÒ°ÍÀÔ´Ï´Ù. ±× µð·ºÅ丮¾È¿¡´Â ÇÊ¿äÇÑ°ÍÀÌ Àִµ¥, ±âº»ÀûÀ¸·Î ½©ÆÄÀÏ°ú ½©ÀÌ ±¸µ¿Çϱ⿡ ÇÊ¿äÇÑ ¶óÀ̺귯¸®°¡ ¸ðµÎ ÀÖ¾î¾ßÇÕ´Ï´Ù. ±×¸®°í ÇÊ¿äÇÑ ¼³Á¤ÆÄÀϵ鵵 ³Ö¾îÁÖ¸é ÁÁ½À´Ï´Ù. Áï..
/chroot/bin
/chroot/etc
/chroot/lib
/chroot/usr
/chroot/tmp
/chroot/var
/chroot/dev
|
ÀÌ·± ½ÄÀ¸·Î µð·ºÅ丮¿Í ÇÊ¿äÇÑ ÆÄÀϵéÀ» À籸¼ºÇϴ°ÍÀÔ´Ï´Ù. ½ÇÁ¦ ¸®´ª½º »óÀ§µð·ºÅ丮ó·³ ¸»ÀÌÁÒ. ÀÌÇØÇϼ̽À´Ï±î?
bin ¾È¿¡´Â ¿ì¸®°¡ »ç¿ëÇÒ ¹Ù¿î½º½©(bash) µµ ÇÊ¿äÇÏ°í, chroot ¾È¿¡¼ »ç¿ëÇÒ ¹ÙÀ̳ʸ® ÆÄÀϵ鵵 ÇÊ¿äÇÏ°ÚÁÒ? À̸¦Å׸é ls , cp , mv , rm ,mkdir ....
etc ¾È¿¡´Â ¹¹.. chroot ¾È¿¡¼¸¸ »ç¿ëÇÒ º¹Á¦ÆÇ passwd , shadow , group
hosts .... ¸î¸î°³¸¸ ÀÖÀ¸¸é µÇ°ÙÁÒ?
lib ¾È¿¡¾ß ¸»ÇҰ͵µ ¾ø½À´Ï´Ù. chroot ·Î ÁøÀÔÇѵڿ¡ ÀÛµ¿ÇÒ ¹ÙÀ̳ʸ® ÆÄÀϵéÀÌ ÇÊ¿ä·ÎÇÏ´Â ¶óÀ̺귯¸®ÆÄÀÏÀº ¸ðµÎ ¿©±â¿¡ º¹»çÇØÁÖ¸é µË´Ï´Ù.
usr ¾È¿¡´Â /usr/local/apache ³ª /usr/local/mysql ¸¦ ¿ø·¡ÀÇ ½Ã½ºÅÛ¿¡ ¼³Ä¡µÈ
°æ·Î·Î ÇÒ°ÍÀ̱⠶§¹®¿¡ ³Áß¿¡ ¾ÆÆÄÄ¡³ª µ¥ÀÌŸº£À̽º¼¹ö ±¸µ¿¿¡ ÇÊ¿äÇÑ ÆÄÀÏÀ»
±×´ë·Î ¿È°ÜÁÖ¸é µÇ°ÚÁÒ? µð·ºÅ丮 ÀÚü..;;
tmp ¿¡´Â ÇÊ¿ä¾÷ÁÒ ¹¹..
var µµ º°°Ç ¾ø°í run µð·ºÅ丮³ª logs µð·ºÅ丮¸¦ ¸¸µé¾îÁÖ¸é µË´Ï´Ù.
¸¶Áö¸·À¸·Î dev °°Àº°æ¿ì´Â ÁÖ·Î ¾²ÀÌ´Â /dev/null(°ø¹éÀåÄ¡)¸¸ mknod ·Î ¸¸µé¾î
ÁÖ¸é µÇ°Ú½À´Ï´Ù.
±×·¯¸é ÀÌ°ÍÀ¸·Î chroot¿¡ ´ëÇÑ ÀÌÇظ¦ ¸¶ÃƽÀ´Ï´Ù. ¸¶Áö¸·À¸·Î À§¿¡¼ ¼Ò°³ÇÑ
chroot ¶ó´Â ¾¾¾ð¾î ÇÔ¼ö¿¡ ´ëÇÑ ¸ÇÆäÀÌÁöÀÇ ¸Þ´º¾óÀ» ¾à°£¸¸ º¼±î¿ä?
# man 2 chroot
---------------------------------------------------------------------------
CHROOT(2) ¸®´ª½º ÇÁ·Î±×·¡¸Ó ¸Þ´º¾ó CHROOT(2)
À̸§
chroot - ·çÆ® µð·ºÅ丮¸¦ ¹Ù²Û´Ù.
»ç¿ë¹ý
#include < unistd.h >
int chroot(const char *path);
---------------------------------------------------------------------------
#include< unistd.h >
main(){
int ret;
ret = chroot("/chroot");
if(ret==0) printf("chroot ÀÛµ¿ ¼º°ø\n");
else printf("chroot ÀÛµ¿ ½ÇÆÐ\n");
}
|
°£´ÜÈ÷ ÀÌ·± ¼Ò½º·Î °¡´ÉÇÏ°ÚÁÒ?
¹¹ ¼º°øÇÏ¸é ¸®ÅÏ°ªÀÌ 0 ÀÌ°í, ¾Æ´Ï¸é -1 À» ¸®ÅÏÇÑ´Ù°í Çϳ׿ä.. ¾¾¾ð¾î¸¦ ¾Æ½Ã´Â
ºÐÀÌ¸é ´Ù ¾Æ½ÇÅ×ÁÒ..
´ÙÀ½À¸·Î ³Ñ¾î°¡µµ·Ï ÇÏ°Ú½À´Ï´Ù.
APM(Apache Php Mysql)ÀÇ ¹À½¸»ÀÌÁÒ?
A = °ø°³¿ë ¾ÆÆÄÄ¡ À¥¼¹ö ( 80 Æ÷Æ®¸¦ »ç¿ë )
P = °ø°³¿ë PHP À¥ÇÁ·Î±×·¡¹Ö ¾ð¾î ( À¸·Î ±¸¼ºµÊ )
M = °ø°³¿ë MYSQL µ¥ÀÌŸº£À̽º ¼¹ö ( 3306 Æ÷Æ®¸¦ »ç¿ë )
|
ÀÌ·¸°Ô ¾ÆÆÄÄ¡À¥¼¹ö¸¦ ±â¹ÝÀ¸·Î PHP¾ð¾î°¡ ÀÛµ¿ÇÕ´Ï´Ù. ¾ÆÆÄÄ¡À¥¼¹ö¿¡ PHPÀÇ ¸ðµâÀÌ Å¾Àç µÇ´Â°ÍÀÌÁÒ. ±×¸®°í MYSQLÀº PHP ¼³Á¤½Ã¿¡ µð·ºÅ丮°¡ ÁÖ¾îÁö´Âµ¥ PHP ¸ðµâÀÌ MYSQL ¼¹ö¿¡ Äõ¸®(ÁúÀǹ®)¸¦ º¸³»¼, µ¥ÀÌŸº£À̽ºÀÇ Á¤º¸¸¦ ÁÖ°Å´Ï ¹Þ°Å´Ï ÇÏ¸é¼ À¥¼¹ö¿¡ Á¢¼ÓÇÑ À¥¹æ¹®ÀÚ¿¡°Ô ¾Ë¸Â°Ô Á¶¸®Çؼ º¸¿©ÁÖ°Ô µË´Ï´Ù.
ÀÌ·±½ÄÀ¸·Î ±¸¼ºµÈ°ÍÀº À¥»ó¿¡ http://µµ¸ÞÀÎ/file.php ȤÀº php3 µîÀ̳ª.. °æ¿ì¿¡ µû¶ó¼´Â htm html ±îÁöµµ PHP ½ºÅ©¸³Æ®´Â ÇüÅ·ΠÆÄÀÏ¿¡ »ðÀÔµÇ¾î¼ ÀÛµ¿Çϱ⵵ ÇÕ´Ï´Ù.
ÀÌ°ÍÀÌ ¾îµð¿¡ ÀÛµ¿ÇÏ´ÂÁö ¸ð¸£½Å´Ù¸é, ¿¹¸¦µéÁÒ?
À¥°Ô½ÃÆÇ, ȸ¿ø¼ºñ½º, ÀÚ·á½Ç, ¼îÇθô, ¸ÞÀϸµ¸®½ºÆ®, ¹æ¸í·Ï ... µîµîÀÇ À¥¾ÖÇø®ÄÉÀ̼ǵéÀÔ´Ï´Ù. ³×ƼÁðÀ̶ó¸é ÀÚÁÖ Á¢Çϴ°͵éÀÌÁÒ.
ÀÌÁ¦ APM ¿¡ ´ëÇÑ ÀÌÇظ¦ ÇϼÌÀ¸¸®¶ó ¹Ï½À´Ï´Ù. ¼³Ä¡¿¡ ´ëÇؼ´Â ¿©·¯°¡Áö ¼ö¾øÀÌ ¸¹Àº ¸Þ´º¾óÀÌ ÀÖÁö¸¸.. ÀÌ ¹®¼¿¡¼´Â ÁÖÁ¦¿¡ ÃÐÁ¡À» ¸ÂÃß±âÀ§Çؼ ¼¹ö¼³Ä¡°úÁ¤Àº ´ãÁö ¾Ê½À´Ï´Ù. ¼³Ä¡´Â °ü·Ã Ã¥ÀÚ³ª ´ÙÀ½¸µÅ©¿¡¼ Àо½Ã°í µû¶óÇϽñ⠹ٶø´Ï´Ù.
http://linux.co.kr/theme/pageview.html?ca=200101=28=apm=³ª¸¸ÀÇ%20À¥¼¹ö%20²Ù¹Ì±â ÀÌÁ¦ /usr/local/apache µð·ºÅ丮¿¡´Â ¾ÆÆÄÄ¡ À¥¼¹ö¸¦ ¼³Ä¡ÇÏ°í, /usr/local/mysql¿¡´Â ¸¶ÀÌ¿¡½ºÅ¥¿¤ µ¥ÀÌŸº£À̽º¸¦ ¼³Ä¡ÇÑ µð·ºÅ丮¶ó´Â °¡Á¤ÇÏ¿¡¼ ¹®¼¸¦ °è¼Ó
ÁøÇàÇÏ°Ú½À´Ï´Ù.
¿ì¸®ÀÇ À¯ÀüÀÚº¹Á¦±â¼úÀ» ½Ã¿¬Çغ¸¿´´ø 'º¹Á¦¾ç µ¹¸®' °¡ »ý°¢À̳ª¼ ŸÀÌƲÀ» Á¤Çߴµ¥ ±¦ÂúÀº°¡¿ä? BreakBreak(¾ÆÁÖ³ÇØÇѴܾî:¿Ü°è¾î-´ÚºÏ¿¡µðÅÍÁÖ:¿Ü°è¾î°¡ À§Å°À§Å°¿¡ ÀÔ·ÂÀÌ ¾ÈµË´Ï´Ù. -_-;) ..;;
ÀÌ Àå¿¡¼´Â ¹«¾ùÀ» ¾Ë¾Æº¸·Á°í µÇÁöµµ¾Ê´Â À¯¸Ó¸¦ ±¸»çÇϴ°¡? ÇϽÇÅÙµ¥¿ä.. °£´ÜÇÕ´Ï´Ù. ¾Æ±îÀü¿¡ chroot¿¡ ´ëÇؼ ¼³¸íµå·È´Ù½ÃÇÇ, µð·ºÅ丮³ª ÇÊ¿äÇÑ ÆÄÀϵéÀ» À籸¼ºÇϴ°ÍÀÔ´Ï´Ù. ¹¹ ±×°Í¿¡ ´ëÇؼ ¾î¶²¾î¶² °ÍµéÀ» À籸¼ºÇØÁÖ¾î¾ß ÇÏ´ÂÁö¿¡ ´ëÇؼ ´Ù·ïº¼°ÍÀÔ´Ï´Ù.
ÇÊÀÚ°¡ ¹®¼¾²´Â°Ô »õº®ÀÎÁö¶ó.. ´Ù½Ã ÇÏ·Á¸é ¹®¼¾²´Â ½Ã°£ÀÌ ²Ï³ª ±æ¾îÁú°Í °°¾Æ¼, ¹Ì¸® ±¸¼ºÇسõÀº ¼¹ö¿¡ Á¢¼ÓÇؼ ĸÃÄÇؼ ºÎºÐºÎºÐ ¼³¸íÇÏ°Ú½À´Ï´Ù.
¾çÇعٷ¡¿ä ..
---------------------------------------------------------------------------
[root@koreasecurity /]# ls -al / | grep chroot
drwxr-xr-x 13 root root 4096 10¿ù 28 19:32 chroot
[root@koreasecurity /]#
---------------------------------------------------------------------------
|
755 ·Î ±âº» ±ÇÇÑÀ¸·Î µÇ¾î ÀÖÁÒ? ·çÆ®¼ÒÀ¯ÀÚ·Î..
mkdir /chroot ·Î ¸¸µç°ÍÀÔ´Ï´Ù. ÀÌ µð·ºÅ丮¸¦ chroot ·Î »óÀ§µð·ºÅ丮·Î ÀüȯÇÒ°ÅÁÒ.. ÀÌÇصǽÃÁÒ?
±×·³ /chroot µð·ºÅ丮¾È¿¡ µé¾î°¡¼ ÇϳªÇϳª µÇ¤¾îº¼²²¿ä.
---------------------------------------------------------------------------
[root@koreasecurity /]# cd /chroot
[root@koreasecurity chroot]# ls
bin dev etc home lib lost+found root sbin tmp usr var
[root@koreasecurity chroot]# pwd
/chroot
[root@koreasecurity chroot]#
---------------------------------------------------------------------------
|
»óÀ§µð·ºÅ丮 ó·³ À籸¼ºµÇ¾î ÀÖÁÒ?
bin ºÎÅÍ »ìÆ캸ÁÒ.
---------------------------------------------------------------------------
[root@koreasecurity chroot]# cd bin
[root@koreasecurity bin]# ls
arch cut gawk ls rm touch
ash date gettext mkdir rmdir true
ash.static dd grep mknod rpm umount
awk df gtar mktemp rvi uname
basename dnsdomainname gunzip more rview unicode_start
bash doexec gzip mount sed unicode_stop
bash2 domainname hostname mt setfont unlink
bsh dumpkeys igawk mv setserial usleep
cat echo ipcalc netstat sh vi
chgrp ed kbd_mode nice sleep view
chmod egrep kill nisdomainname sort ypdomainname
chown env link pgawk stty zcat
cp ex ln ps sync
cpio false loadkeys pwd tar
csh fgrep login red tcsh
[root@koreasecurity bin]# pwd
/chroot/bin
[root@koreasecurity bin]#
---------------------------------------------------------------------------
As you can see, /bin has been copied over. Visitors coming in through the web have little use for these commands, so you could delete all but a few, but I left them in place for general-purpose use. The binaries here are the command files that will be used inside once chroot has switched /chroot -> /.
Next, shall we look at etc?
---------------------------------------------------------------------------
[root@koreasecurity bin]# cd ..
[root@koreasecurity chroot]# cd etc
[root@koreasecurity etc]# pwd
/chroot/etc
[root@koreasecurity etc]# ls
group hosts localtime my.cnf nsswitch.conf passwd resolv.conf shadow
[root@koreasecurity etc]#
---------------------------------------------------------------------------
The files here are a few of the ones in /etc, copied with the cp command. Let me explain what each one does.
group : file listing the groups into which the Linux system's users are collected
hosts : list of the IP addresses / domains / hostnames of the hosts the system knows about
localtime : seems to be the file that holds the local time. (I'm not sure, blabla)
my.cnf : the MySQL configuration file (this one was not in /etc; it was created)
nsswitch.conf : configuration file related to the name server switch. (probably not really needed)
passwd : list file holding the Linux account information
resolv.conf : file listing the name servers the Linux box will use
shadow : list file holding the encrypted (hashed) passwords of the accounts listed in the passwd file
That's roughly it. Of these files, give only shadow permission 700 and leave all the others readable by everyone, as below.
---------------------------------------------------------------------------
[root@koreasecurity etc]# ls -al *
-rw-r--r-- 1 root root 53 10월 28 20:20 group
-rw-r--r-- 1 root root 147 10월 28 16:46 hosts
-rw-r--r-- 1 root root 152 10월 28 16:46 localtime
-rw-r--r-- 1 root root 218 10월 29 00:13 my.cnf
-rw-r--r-- 1 root root 1750 10월 28 16:46 nsswitch.conf
-rw-r--r-- 1 root root 130 10월 28 20:19 passwd
-rw-r--r-- 1 root root 88 10월 28 16:46 resolv.conf
-rw------- 1 root root 47 10월 28 20:59 shadow
[root@koreasecurity etc]#
---------------------------------------------------------------------------
Before copying the files above, there are a few things we need to do first.
Creating the www (web service) account:
The command to create the account is as follows.
useradd -c "Apache Server" -u 80 -s /bin/bash -d /chroot/usr/local/apache/htdocs www
This creates an account with uid 80 whose shell is /bin/bash (the one actually used will be /chroot/bin/bash). The real authentication system does not consult the account information inside the chroot, but the account still needs to be copied in like this, which is why we create it.
Then, after copying into /chroot/etc, remove every entry from the passwd, shadow and group files except the accounts that are needed (root, www, mysql). To delete, open the file in the vi editor; pressing dd (the d key twice) deletes one line at a time.
Shall we check the result?
---------------------------------------------------------------------------
[root@koreasecurity etc]# ls
group hosts localtime my.cnf nsswitch.conf passwd resolv.conf shadow
[root@koreasecurity etc]# cat passwd
root:x:0:0:root:/root:/bin/bash
www:x:80:80:Apache Server:/usr/local/apache:/bin/bash
mysql:x:500:500::/usr/local/mysql:/bin/bash
[root@koreasecurity etc]# cat shadow
www:!!:12353::::::
mysql:!!:12353:0:99999:7:::
[root@koreasecurity etc]# cat group
root:x:0:root
wheel:x:10:root
www:x:80:
mysql:x:500:
[root@koreasecurity etc]# cat my.cnf
[mysqld]
user=root
datadir=/usr/local/mysql/data
socket=/tmp/mysql.sock
skip-innodb
[client]
user=root
socket=/tmp/mysql.sock
[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/usr/local/mysql/data/mysqld.pid
[root@koreasecurity etc]#
---------------------------------------------------------------------------
How does that look? The root entry was removed from the shadow file because it would expose root's encrypted password. Since this is not the real /etc/shadow, there is nothing to worry about. That completes the editing.
If you want more security, you can lock these files against tampering with the chattr command once all your work on them is finished. After that, as shown below, they cannot be deleted even by the root account unless they are unlocked with the chattr -i option. Only the root account can use chattr, and since that file will not be copied into the actual chroot, an attacker who gets in through the web will not be able to delete them.
---------------------------------------------------------------------------
[root@koreasecurity etc]# ls
group hosts localtime my.cnf nsswitch.conf passwd resolv.conf shadow
[root@koreasecurity etc]# chattr +i *
[root@koreasecurity etc]# rm -rf *
rm: cannot chdir from `.' to `group': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `hosts': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `localtime': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `my.cnf': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `nsswitch.conf': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `passwd': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `resolv.conf': 디렉토리가 아닙니다
rm: cannot chdir from `.' to `shadow': 디렉토리가 아닙니다
[root@koreasecurity etc]# ls
group hosts localtime my.cnf nsswitch.conf passwd resolv.conf shadow
[root@koreasecurity etc]#
---------------------------------------------------------------------------
See? Not a single one gets deleted.
That wraps up etc; let's look at the next one.
---------------------------------------------------------------------------
[root@koreasecurity etc]# cd ..
[root@koreasecurity chroot]# cd dev
[root@koreasecurity dev]# ls -al
합계 12
drwxr-xr-x 2 root root 4096 10월 28 21:45 .
drwxr-xr-x 13 root root 4096 10월 28 19:32 ..
crw-rw-rw- 1 root root 1, 3 10월 28 16:45 null
-rw-r--r-- 1 root root 16 10월 30 05:10 tty
[root@koreasecurity dev]# pwd
/chroot/dev
[root@koreasecurity dev]#
---------------------------------------------------------------------------
This is dev, where devices go. Basically only one device needs to be created: the null device. It lives at /dev/null, and because it is a device it cannot simply be copied; it has to be created with mknod.
Usage is simple.
---------------------------------------------------------------------------
[root@koreasecurity dev]# ls -al /dev/null
crw-rw-rw- 1 root root 1, 3 8월 31 2002 /dev/null
[root@koreasecurity dev]#
---------------------------------------------------------------------------
As you can see, in the middle it says (1, 3).
Just read off these numbers and use them as they are. (blabla)
---------------------------------------------------------------------------
[root@koreasecurity dev]# rm -rf null
[root@koreasecurity dev]# ls
tty
[root@koreasecurity dev]# mknod null 1 3
mknod: 인수의 개수가 잘못되었습니다
더 많은 정보를 얻으러면 `mknod --help'명령을 하십시오.
[root@koreasecurity dev]# mknod null c 1 3
[root@koreasecurity dev]# ls
null tty
[root@koreasecurity dev]# ls -al
합계 12
drwxr-xr-x 2 root root 4096 11월 1 02:37 .
drwxr-xr-x 13 root root 4096 10월 28 19:32 ..
crw-r--r-- 1 root root 1, 3 11월 1 02:37 null
-rw-r--r-- 1 root root 16 10월 30 05:10 tty
[root@koreasecurity dev]#
---------------------------------------------------------------------------
So it takes three arguments. See the c bit at the front of the listing? That was read off and written in as well.
And with that the null device is created. The tty device does not have to be created deliberately; it gets created when you log in via chroot.
Next..
---------------------------------------------------------------------------
[root@koreasecurity dev]# cd ..
[root@koreasecurity chroot]# cd home
[root@koreasecurity home]# ls
[root@koreasecurity home]# ls -al
합계 8
drwxr-xr-x 2 root root 4096 10월 28 16:35 .
drwxr-xr-x 13 root root 4096 10월 28 19:32 ..
[root@koreasecurity home]#
---------------------------------------------------------------------------
The home directory is not really needed, since no actual account service will be run inside this chroot (you may delete this directory).
Next is the directory where many library files are gathered.
---------------------------------------------------------------------------
[root@koreasecurity home]# cd ..
[root@koreasecurity chroot]# rmdir home
[root@koreasecurity chroot]# cd lib
[root@koreasecurity lib]# ls
ld-linux.so.2 libnss1_files-2.2.93.so libnss_ldap.so.2
libacl.so.1 libnss1_files.so.1 libnss_nis-2.2.93.so
libattr.so.1 libnss1_nis-2.2.93.so libnss_nis.so.1
libc.so.6 libnss1_nis.so.1 libnss_nis.so.2
libcrypt.so.1 libnss_compat-2.2.93.so libnss_nisplus-2.2.93.so
libdl.so.2 libnss_compat.so.1 libnss_nisplus.so.2
libexpat.so.0 libnss_compat.so.2 libpam.so.0
libexpat.so.0.3.0 libnss_dns-2.2.93.so libpam_misc.so.0
libgcc_s.so.1 libnss_dns.so.1 libproc.so.2.0.7
libm.so.6 libnss_dns.so.2 libpthread.so.0
libncurses.so.5 libnss_files-2.2.93.so libresolv.so.2
libnsl.so.1 libnss_files.so.1 librt.so.1
libnss1_compat-2.2.93.so libnss_files.so.2 libstdc++.so.5
libnss1_compat.so.1 libnss_hesiod-2.2.93.so libtermcap.so.2
libnss1_dns-2.2.93.so libnss_hesiod.so.2 libz.so.1
libnss1_dns.so.1 libnss_ldap-2.2.90.so
[root@koreasecurity lib]#
---------------------------------------------------------------------------
The lib (library) directory holds copies of the libraries that all the binaries running inside the chroot depend on. How to find out which library files are needed is covered in the next chapter. (In 'The runaway libraries'.. hehe)
The lost+found directory is not actually needed, but I created it anyway. (blabla)
The root directory imitates /root. It can be omitted, but it is there so that an attacker does not easily realize this is a chroot. Create it if you need it.
For the sbin directory, as with /bin, I copied the tools that are needed. If that is too much trouble, you can run cp -R /sbin /chroot and copy the whole thing.
Next, the tmp directory is where temporary files are worked on; just create it.
---------------------------------------------------------------------------
[root@koreasecurity chroot]# ls -al | grep tmp
drwxrwxrwt 2 root root 4096 11월 1 01:47 tmp
[root@koreasecurity chroot]# cd tmp
[root@koreasecurity tmp]# ls
mysql.sock
[root@koreasecurity tmp]#
---------------------------------------------------------------------------
Create the directory with mkdir tmp, then set its permissions with chmod 1777 tmp. The 1 is the t (temp) bit shown at the end, and 777 is rwxrwxrwx. Without rwxrwxrwx, MySQL's temporary socket file, mysql.sock, is not created properly and errors occur when the web server is started, so set the permissions correctly.
Ah.. there sure are a lot of directories. (Explaining them is hard work.. ~_~)
The usr directory is where apache, mysql and so on go under usr/local, along with the libraries or include (header) files they need and the usr/bin files.
Shall we take a look? Pay attention ..
---------------------------------------------------------------------------
[root@koreasecurity tmp]# cd ..
[root@koreasecurity chroot]# cd usr
[root@koreasecurity usr]# ls
bin include lib local sbin share
[root@koreasecurity usr]#
---------------------------------------------------------------------------
bin : usr/bin copied over as it is.
include :
---------------------------------------------------------------------------
[root@koreasecurity usr]# pwd
/chroot/usr
[root@koreasecurity usr]# cd include
[root@koreasecurity include]# ls
mysql
[root@koreasecurity include]# cd mysql
[root@koreasecurity mysql]# ls
chardefs.h m_ctype.h my_net.h mysql_com.h sslopt-case.h
dbug.h m_string.h my_no_pthread.h mysql_version.h sslopt-longopts.h
errmsg.h my_config.h my_pthread.h mysqld_error.h sslopt-usage.h
history.h my_global.h my_sys.h raid.h sslopt-vars.h
keymaps.h my_list.h mysql.h readline.h tilde.h
[root@koreasecurity mysql]#
---------------------------------------------------------------------------
include/mysql holds the header files created when mysql was installed; the originals are in /usr/include/mysql. Just copy them over as they are. They will be used later when writing C source code that works with mysql.
lib :
---------------------------------------------------------------------------
[root@koreasecurity usr]# cd lib
[root@koreasecurity lib]# ls
mysql
[root@koreasecurity lib]# cd mysql
[root@koreasecurity mysql]# ls
libdbug.a libmyisammrg.a libmysqlclient.so.10 libnisam.a
libheap.a libmysqlclient.a libmysqlclient.so.10.0.0
libmerge.a libmysqlclient.la libmystrings.a
libmyisam.a libmysqlclient.so libmysys.a
[root@koreasecurity mysql]#
---------------------------------------------------------------------------
These are files that came with the mysql installation, the library files mysql needs in order to run. They were in /usr/lib/mysql at install time; just copy them over as they are.
sbin : likewise, just copy /usr/sbin over as it is.
Finally, let's look at share.
---------------------------------------------------------------------------
[root@koreasecurity mysql]# cd ..
[root@koreasecurity include]# cd ..
[root@koreasecurity usr]# cd share
[root@koreasecurity share]# ls
man man1 man2 man3 man4 man5 man6 man7 man8 man9 mann mysql pt_BR
[root@koreasecurity share]# cd mysql
[root@koreasecurity mysql]# ls
binary-configure greek my-large.cnf portuguese
charsets hungarian my-medium.cnf romanian
czech italian my-small.cnf russian
danish japanese mysql-3.23.58.spec slovak
dutch korean mysql-log-rotate spanish
english make_binary_distribution mysql.server swedish
estonian mi_test_all norwegian ukrainian
french mi_test_all.res norwegian-ny
german my-huge.cnf polish
[root@koreasecurity mysql]#
---------------------------------------------------------------------------
This too is /usr/share copied over, the directory that holds shared files. There are mysql-related shared files as well. Copy those over too.
---------------------------------------------------------------------------
[root@koreasecurity mysql]# cd ..
[root@koreasecurity share]# cd ..
[root@koreasecurity usr]# cd local
[root@koreasecurity local]# ls
apache bin etc include k_sec lib mysql share
[root@koreasecurity local]# pwd
/chroot/usr/local
[root@koreasecurity local]#
---------------------------------------------------------------------------
As mentioned, the default-installed /usr/local/apache directory and the mysql directory were copied whole into usr/local, and so was bin. The rest were copied too; looking through the directories gives the following.
---------------------------------------------------------------------------
[root@koreasecurity local]# cd etc
[root@koreasecurity etc]# ls
pear.conf
[root@koreasecurity etc]#
[root@koreasecurity etc]# cd ..
[root@koreasecurity local]# cd include
[root@koreasecurity include]# ls
php
[root@koreasecurity include]# cd php
[root@koreasecurity php]# ls
TSRM Zend acconfig.h ext main regex
[root@koreasecurity php]#
[root@koreasecurity php]# cd ..
[root@koreasecurity include]# cd ..
[root@koreasecurity local]# cd lib
[root@koreasecurity lib]# ls
php
[root@koreasecurity lib]# cd php
[root@koreasecurity php]# ls
Archive DB.php Mail.php PEAR XML doc test
Console HTTP.php Net PEAR.php build extensions
DB Mail OS System.php data pearcmd.php
[root@koreasecurity php]# cd ..
[root@koreasecurity lib]# cd ..
[root@koreasecurity local]# pwd
/chroot/usr/local
[root@koreasecurity local]# cd share
[root@koreasecurity share]# pwd
/chroot/usr/local/share
[root@koreasecurity share]# ls
info man
[root@koreasecurity share]# cd ..
[root@koreasecurity local]# cd ..
[root@koreasecurity usr]#
---------------------------------------------------------------------------
These were copied over in the same way. They are all files needed to run APM, so they were moved to match the paths where they were installed, treating /chroot as /. Makes sense, right?
Haha, getting through one chapter is really hard work.. on to the next chapter ..
When you enter with chroot (/chroot -> /) and try to run the executables, you get errors? Errors in English along the lines of a library not being found. In that case you can take it that the library files have run away from home.
Ex) Because of the runaway child, the family cannot sit around the table and enjoy dinner, and is worrying instead. (family = executable, child = library file)
So how do we identify the library files, the children, and bring them back to the home ground (the house)? That is, which files in /lib or /usr/lib really have to be brought into /chroot/lib? That is the question. It's simple.
There is a tool called ldd.
It is used like this, and it shows the paths of all the library files a file uses. So you just copy them, as needed. (It is a bit tedious.)
---------------------------------------------------------------------------
[root@koreasecurity /]# ldd /bin/bash
libtermcap.so.2 => /lib/libtermcap.so.2 (0x0012a000)
libdl.so.2 => /lib/libdl.so.2 (0x0012f000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]# ldd /bin/ls
libtermcap.so.2 => /lib/libtermcap.so.2 (0x0012a000)
libacl.so.1 => /lib/libacl.so.1 (0x0012f000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libattr.so.1 => /lib/libattr.so.1 (0x00135000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]# ldd /bin/cp
libacl.so.1 => /lib/libacl.so.1 (0x0012a000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libattr.so.1 => /lib/libattr.so.1 (0x00131000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]# ldd /bin/rm
libacl.so.1 => /lib/libacl.so.1 (0x0012a000)
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
libattr.so.1 => /lib/libattr.so.1 (0x00131000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]# ldd /bin/uname
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
[root@koreasecurity /]#
---------------------------------------------------------------------------
Understand?
libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
This line says that the library file at the path /lib/i686/libc.so.6 is needed. So run cp /lib/i686/libc.so.6 /chroot/lib and it's game over, right? Bringing the runaway libraries (children) home one by one is really the heart of this lecture.
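The ldd-and-copy routine described above, scripted as an added example (not from the original document). The function names and the sample input are constructed here; like the text, it copies each library flat into JAIL/lib.

```shell
#!/bin/sh
# Added example, not part of the original document.
# Typical use:  ldd /bin/bash | ldd_paths | copy_into_jail /chroot

# Constructed sample: the `ldd /bin/ls` capture from the text plus two
# made-up edge cases (a virtual DSO with no path, an unresolved library).
SAMPLE_LDD='	libtermcap.so.2 => /lib/libtermcap.so.2 (0x0012a000)
	libacl.so.1 => /lib/libacl.so.1 (0x0012f000)
	libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
	libattr.so.1 => /lib/libattr.so.1 (0x00135000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00110000)
	linux-gate.so.1 =>  (0xffffe000)
	libexample.so.1 => not found'

# ldd_paths: ldd output on stdin -> each resolved absolute path, once.
# Rule 1 handles "name => /path (addr)"; rule 2 handles the newer
# "/path/to/loader (addr)" form that has no "=>".
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// && $2 ~ /^\(/  { print $1 }' | LC_ALL=C sort -u
}

# ldd_missing: ldd output on stdin -> names the loader could not resolve.
# Anything printed here means the binary will not start inside the jail.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# copy_into_jail JAIL: library paths on stdin -> copied into JAIL/lib.
# Without -R, cp follows symlinks, so the real file is stored under the
# soname the loader asks for. Returns 1 if any path could not be copied.
copy_into_jail() {
    jail=$1
    mkdir -p "$jail/lib" || return 1
    rc=0
    while IFS= read -r src; do
        [ -n "$src" ] || continue
        if [ -f "$src" ]; then
            cp -p "$src" "$jail/lib/" || rc=1
        else
            echo "skip (no such file): $src" >&2
            rc=1
        fi
    done
    return $rc
}
```
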
Now everything is done.
It is time to start the various servers installed inside the chroot.
This is easy to do. Errors may occur during startup; if so, please consult the manual for the server in question to resolve them.
Apache startup file : /chroot/usr/local/apache/bin/apachectl
MySQL startup file : /chroot/usr/local/mysql/bin/safe_mysqld
That's how it is, right?
But once chroot has switched /chroot -> / ..
Apache startup file : /usr/local/apache/bin/apachectl
MySQL startup file : /usr/local/mysql/bin/safe_mysqld
the paths become these. So it's simple.
Open the /etc/rc.local file in the vi editor and add the two lines below.
chroot /chroot /usr/local/apache/bin/apachectl start
chroot /chroot /usr/local/mysql/bin/safe_mysqld &
Save it and reboot the system. On reboot the command lines above are executed: the top-level directory is switched to /chroot, then the Apache web server is started, and the mysql daemon is started as well. You are not inside it yourself; only the two processes that were started run under the illusion that /chroot is /. ?-.- They've been fooled.. (babo)
So starting them is not hard either.
I will leave out syslog and the like.
Not sure whether it is really safe? In general, however someone gets in through the web, to break into the system they will try to run commands in a shell as the web account (www). So, if these intruding hackers, or PTs..
enter that as a command, what happens? Will the real /etc/passwd be shown? Or will /chroot/etc/passwd be shown?
Obviously, the latter. That is because the Apache web server is running in the belief that /chroot is /. So the list of important accounts is not exposed.
And even if they work hard (hacking??) and obtain the /etc/shadow file, it is of no use.
Why? Because what they actually get is /chroot/etc/shadow... sob sob..
Likewise, since no important data will be kept in here, barring a technique for breaking out of the chroot, or the system root account's password being left in the mysql database, it will be of no use at all.
So now it can be considered reasonably safe, right? (Assuming the server does not run with root privileges and there is no file with a suid bug inside the chroot directory.)
Confining the web server this way is also called the chroot jail technique.
It is not perfect, but if it is managed well, I am confident it can fully protect you from the pranks of most foolish, ill-prepared hackers.
That is the heart of this document: "system information protection".
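The assumption stated above (no server running as root, no setuid files inside the jail) can be checked mechanically. The following is an added example, not from the original document; the function names are hypothetical, and the `[mysqld] user=` check mirrors the my.cnf shown earlier.

```shell
#!/bin/sh
# Added example, not from the original document. Function names are
# illustrative; JAIL is the chroot tree (the text uses /chroot).

# Setuid/setgid regular files inside the jail.
jail_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
        LC_ALL=C sort
}

# World-writable directories that lack the sticky bit (tmp should be 1777).
jail_unsticky_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | LC_ALL=C sort
}

# Account mysqld runs as, read from the [mysqld] section of JAIL/etc/my.cnf.
jail_mysqld_user() {
    [ -f "$1/etc/my.cnf" ] || return 0
    awk -F= '
        /^[ \t]*\[/ { sect = $1; gsub(/[ \t]/, "", sect); next }
        sect == "[mysqld]" && $1 ~ /^[ \t]*user[ \t]*$/ {
            u = $2; gsub(/[ \t]/, "", u)
        }
        END { if (u != "") print u }
    ' "$1/etc/my.cnf"
}

# Print one line per finding; return 1 if there is any, 0 if the jail is clean.
audit_jail() {
    report=$(
        jail_setid_files "$1"   | sed 's/^/SETID      /'
        jail_unsticky_dirs "$1" | sed 's/^/NOSTICKY   /'
        if [ "$(jail_mysqld_user "$1")" = root ]; then
            echo "ROOTDAEMON etc/my.cnf: [mysqld] user=root"
        fi
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run as `audit_jail /chroot` after every change to the tree; a non-zero exit status means at least one of the stated assumptions no longer holds.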