加固你的TOMCAT，讓TOMCAT在chroot的環境下運行

衆所周知，chroot下linux系統的一個安全機制，chroot是linux內核的一個系統調用，經過它，能夠設定應用軟件的運行環境，讓應用軟件運行在一個特定目錄下，這樣，即便應用軟件有安全漏洞，被入侵，入侵者也被限制在一個特定的目錄，從面限制了入侵者的破壞範圍。加固了系統的安全性。本文以tomcat爲例，詳細記錄了tomcat以chroot的方式運行的配置過程，也記錄配置過程當中的出錯及排錯方法。

環境及工具：系統64位的CentOS6.四、dk爲jdk-7u45-linux-x64.tar.gz、apache-tomcat-6.0.41.tar.gz

1、配置java chroot環境

一、先配置jdk，此次配置使用的是 jdk-7u45-linux-x64.tar.gz

tar zxvf jdk-7u45-linux-x64.tar.gz

mkdir /usr/java

cp -a jdk1.7.0_45 /usr/java/

[root@2core local]# /usr/java/jdk1.7.0_45/bin/java -version

java version "1.7.0_45"

Java(TM) SE Runtime Environment (build 1.7.0_45-b18)

Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

jdk能夠正常啓動

二、配置jdk chroot

我選算了 /chroot爲 tomcat的根目錄

#D=/chroot

#mkdir -p $D

#cd $D

mkdir -p lib lib64 etc tmp dev usr

chmod 755 etc dev usr

chmod 1777 tmp

cp -a /etc/hosts etc/hosts

爲了chroot的環境更接近實際的系統根目錄，還須要一個特殊的目錄，若是無這些目錄，未來可能會報錯

mkdir -p /chroot/dev/pts

cd /dev

./MAKEDEV -d /chroot/dev null radom urandom zero loop* log console

cp MAKEDEV /chroot/dev

cp -a /dev/shm /chroot/dev

[root@2core local]# ldd /usr/java/jdk1.7.0_45/bin/java

linux-vdso.so.1 => (0x00007fffeafd0000)

libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3a58efd000)

libjli.so => /usr/java/jdk1.7.0_45/bin/../lib/amd64/jli/libjli.so (0x00007f3a58ce5000)

libdl.so.2 => /lib64/libdl.so.2 (0x00007f3a58ae1000)

libc.so.6 => /lib64/libc.so.6 (0x00007f3a5874e000)

/lib64/ld-linux-x86-64.so.2 (0x00007f3a59123000)

把上面幾個庫文件複製到/chroot/lib64/目錄下

[root@2core local]# ls /chroot/lib64/

ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libpthread.so.0

[root@2core local]# rm -rf /chroot/usr/java/

[root@2core local]# mkdir /chroot/usr/java

[root@2core local]# cp -a /usr/java/jdk1.7.0_45 /chroot/usr/java/

[root@2core local]# ls /chroot/usr/java/

jdk1.7.0_45

以chroot方式運行java,

[root@2core local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java

/usr/java/jdk1.7.0_45/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

有報錯，根據錯誤能夠是缺乏相應的庫文件，只要把這些文件複製過來就OK了

[root@2core local]# find / -name libjli.so

/usr/java/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so

/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so

/usr/local/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so

/usr/local/jdk1.7.0_45/lib/amd64/jli/libjli.so

/chroot/usr/java/jdk1.7.0_45/jre/lib/amd64/jli/libjli.so

/chroot/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so

[root@2core local]# cp /chroot/usr/java/jdk1.7.0_45/lib/amd64/jli/libjli.so /chroot/lib64/

[root@2core local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java -version

Error: dl failure on line 863

Error: failed /usr/java/jdk1.7.0_45/jre/lib/amd64/server/libjvm.so, because libm.so.6: cannot open shared object file: No such file or directory

[root@2core local]#

[root@2core local]#

[root@2core local]# find / -name libm.so.6

/lib64/libm.so.6

[root@2core local]# cp /lib64/libm.so.6 /chroot/lib64/

[root@2core local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java -version

Java HotSpot(TM) 64-Bit Server VM warning: Can't detect initial thread stack location - find_vma failed

java version "1.7.0_45"

Java(TM) SE Runtime Environment (build 1.7.0_45-b18)

Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

這樣，能夠正常啓動java了，但仍是有一個警告信息，這是由於jave檢測不到相關進程引發的，而linux系統的進程信息是存放在/proc這個目錄的，因些，咱們還要在/chroot下掛載這個特殊的目錄，方法以下

[root@2core local]# mkdir /chroot/proc

[root@2core local]# mount -t proc proc /chroot/proc

[root@2core local]# chroot /chroot /usr/java/jdk1.7.0_45/bin/java -version

java version "1.7.0_45"

Java(TM) SE Runtime Environment (build 1.7.0_45-b18)

Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)

至此，jdk纔算完成配置，這時，讓咱們查看一下啓動JDK須要用到下面幾個庫，須要注意的是，庫文件的位置及名字有可能在不一樣的版本系統中有差異，但通常均可以根據相關的報錯信息，找到相應庫文件，並複製過來就OK了

[root@2core local]# ls /chroot/lib64/

ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libjli.so libm.so.6 libpthread.so.0

2、如下開始配置tomcat了，把tomcat將在/chroot/usr/local這個目錄下運行

[root@2core local]# mkdir /chroot/usr/local

[root@2core local]# mv apache-tomcat-6.0.41-src /chroot/usr/local/tomcat

[root@2core local]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start

chroot: failed to run command `/usr/local/tomcat/bin/catalina.sh': Permission denied

[root@2core local]# ls /chroot/usr/local/tomcat/bin/catalina.sh -al

-rw-r--r--. 1 root root 17717 5月 19 18:51 /chroot/usr/local/tomcat/bin/catalina.sh

[root@2core local]# chmod 755 /chroot/usr/local

[root@2core local]# chmod 755 /chroot/usr/local/tomcat/bin/*.sh

[root@2core local]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start

chroot: failed to run command `/usr/local/tomcat/bin/catalina.sh': No such file or directory

再次[root@2core local]# strace chroot /chroot /usr/local/tomcat/bin/catalina.sh start

留意末部信息

execve("/usr/local/tomcat/bin/catalina.sh", ["/usr/local/tomcat/bin/catalina.s"..., "start"], [/* 25 vars */]) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh_CN.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh_CN.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh_CN/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

write(2, "chroot: ", 8chroot: ) = 8

write(2, "failed to run command `/usr/loca"..., 57failed to run command `/usr/local/tomcat/bin/catalina.sh') = 57

open("/usr/share/locale/zh_CN.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh_CN.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh_CN/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

open("/usr/share/locale/zh/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)

write(2, ": No such file or directory", 27: No such file or directory) = 27

write(2, "\n", 1

) = 1

close(1) = 0

close(2) = 0

exit_group(127) = ?

由於啓動tomcat的是一個shell的腳本，所以，在chroot裏還須要一個運行bash shell的環境

[root@2core local]# cd /chroot/

[root@2core chroot]# mkdir -p bin

[root@2core chroot]# cp /bin/bash bin/

[root@2core chroot]# ln -s /bin/bash bin/sh

[root@2core chroot]# cd lib64

[root@2core lib64]# pwd

/chroot/lib64

[root@2core lib64]# ldd /bin/bash

linux-vdso.so.1 => (0x00007fff2536e000)

libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f0c47bb5000)

libdl.so.2 => /lib64/libdl.so.2 (0x00007f0c479b1000)

libc.so.6 => /lib64/libc.so.6 (0x00007f0c4761d000)

/lib64/ld-linux-x86-64.so.2 (0x00007f0c47ddf000)

[root@2core lib64]# cp /lib64/libtinfo.so.5 /chroot/lib64/

[root@2core lib64]# cp /lib64/libdl.so.2 /chroot/lib64/

cp：是否覆蓋"/chroot/lib64/libdl.so.2"？ n

[root@2core lib64]# cp /lib64/libc.so.6 /chroot/lib64/

cp：是否覆蓋"/chroot/lib64/libc.so.6"？ n

[root@2core lib64]# cp /lib64/ld-linux-x86-64.so.2 /chroot/lib64/

cp：是否覆蓋"/chroot/lib64/ld-linux-x86-64.so.2"？ n

測試 bash是否能夠在chroot下正常運行,因爲這前已經複製部分的庫，因此會提示是否覆蓋

[root@2core lib64]# chroot /chroot /bin/bash

bash-4.1# pwd

/

注意，這時的bash shell提示符已經改變了，這說明已經能夠在chroot下正常啓動bash了

bash-4.1# ls

bash: ls: command not found

bash-4.1# exit

exit

[root@2core lib64]#

再次啓動tomcat,報錯的內容已經不同了，報錯的內容很詳細，就是有幾個命令找不到，那麼，咱們把這些命令及相應的庫複製到chroot的相應目錄便可

[root@2core lib64]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start

/usr/local/tomcat/bin/catalina.sh: line 89: uname: command not found

/usr/local/tomcat/bin/catalina.sh: line 109: dirname: command not found

Cannot find //bin/setclasspath.sh

This file is needed to run this program

[root@2core lib64]#

[root@2core lib64]# cp /bin/uname /chroot/bin/

[root@2core lib64]# mkdir - /chroot/usr/bin

[root@2core lib64]# cp /usr/bin/dirname /chroot/usr/bin/

[root@2core lib64]# ldd /bin/uname

linux-vdso.so.1 => (0x00007fff4b5ff000)

libc.so.6 => /lib64/libc.so.6 (0x00007fcfde5b8000)

/lib64/ld-linux-x86-64.so.2 (0x00007fcfde954000)

[root@2core lib64]# ldd /usr/bin/dirname

linux-vdso.so.1 => (0x00007fffb93ea000)

libc.so.6 => /lib64/libc.so.6 (0x00007f8ad0266000)

/lib64/ld-linux-x86-64.so.2 (0x00007f8ad0602000)

[root@2core lib64]# ls /chroot/lib64

- ld-linux-x86-64.so.2 libc.so.6 libdl.so.2 libjli.so libm.so.6 libpthread.so.0 libtinfo.so.5

相關的庫以前已經複製了，因此，這裏就不須要再複製，再次運行comcat

[root@2core lib64]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start

Neither the JAVA_HOME nor the JRE_HOME environment variable is defined

At least one of these environment variable is needed to run this program

[root@2core lib64]#

此次報錯的是環境變量的問題，把變量加進去限可，咱們先看看catalina.sh這個文件，裏面調用了setclasspath.sh 而報錯的內容便在setclasspath.sh腳本里。所以，我在setclasspath.sh設置JAVA_HOME變量

[root@2core bin]# vi /chroot/usr/local/tomcat/bin/setclasspath.sh

# Make sure prerequisite environment variables are set

export JAVA_HOME=/usr/java/jdk1.7.0_45

export JRE_HOME=/usr/java/jdk1.7.0_45/jre

if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then

  if $darwin; then

    # Bugzilla 54390

    if [ -x '/usr/libexec/java_home' ] ; then

      export JAVA_HOME=`/usr/libexec/java_home`

    # Bugzilla 37284 (reviewed).

    elif [ -d "/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home" ]; then

      export JAVA_HOME="/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home"

    fi

  else

    JAVA_PATH=`which java 2>/dev/null`

    if [ "x$JAVA_PATH" != "x" ]; then

      JAVA_PATH=`dirname $JAVA_PATH 2>/dev/null`

      JRE_HOME=`dirname $JAVA_PATH 2>/dev/null`

    fi

    if [ "x$JRE_HOME" = "x" ]; then

      # XXX: Should we try other locations?

      if [ -x /usr/bin/java ]; then

        JRE_HOME=/usr

      fi

    fi

  fi

  if [ -z "$JAVA_HOME" -a -z "$JRE_HOME" ]; then

    echo "Neither the JAVA_HOME nor the JRE_HOME environment variable is defined"

    echo "At least one of these environment variable is needed to run this program"

    exit 1

  fi

fi

"setclasspath.sh" 119L, 4252C written

再次運行，仍是出錯，但已經接近成功了，

[root@2core bin]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start

/usr/local/tomcat/bin/catalina.sh: line 193: tty: command not found

Using CATALINA_BASE: /usr/local/tomcat

Using CATALINA_HOME: /usr/local/tomcat

Using CATALINA_TMPDIR: /usr/local/tomcat/temp

Using JRE_HOME: /usr/java/jdk1.7.0_45/jre

Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar

/usr/local/tomcat/bin/catalina.sh: line 354: touch: command not found

/usr/local/tomcat/bin/catalina.sh: line 371: /usr/local/tomcat/logs/catalina.out: No such file or directory

報錯仍是由相關係統命令調用及文件權限的引用的，打它複製過來

[root@2core bin]# cp /bin/touch /chroot/bin/

[root@2core bin]# ldd /bin/touch

linux-vdso.so.1 => (0x00007fff9343f000)

librt.so.1 => /lib64/librt.so.1 (0x00007fbd55ccc000)

libc.so.6 => /lib64/libc.so.6 (0x00007fbd55939000)

libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fbd5571b000)

/lib64/ld-linux-x86-64.so.2 (0x00007fbd55edd000)

[root@2core bin]# cp /lib64/librt.so.1 /chroot/lib64/

[root@2core bin]# mkdir /chroot/usr/local/tomcat/logs

[root@2core bin]# chmod 666 /chroot/usr/local/tomcat/logs

[root@2core bin]#

[root@2core bin]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start

/usr/local/tomcat/bin/catalina.sh: line 193: tty: command not found

Using CATALINA_BASE: /usr/local/tomcat

Using CATALINA_HOME: /usr/local/tomcat

Using CATALINA_TMPDIR: /usr/local/tomcat/temp

Using JRE_HOME: /usr/java/jdk1.7.0_45/jre

Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar

把tty這個程序複製過來

[root@2core bin]# cp /usr/bin/tty /chroot/usr/bin/

[root@2core bin]# ldd /usr/bin/tty

linux-vdso.so.1 => (0x00007fff1f5ff000)

libc.so.6 => /lib64/libc.so.6 (0x00007f82f2cd9000)

/lib64/ld-linux-x86-64.so.2 (0x00007f82f3075000)

[root@2core bin]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start

Using CATALINA_BASE: /usr/local/tomcat

Using CATALINA_HOME: /usr/local/tomcat

Using CATALINA_TMPDIR: /usr/local/tomcat/temp

Using JRE_HOME: /usr/java/jdk1.7.0_45/jre

Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar

終於無報錯了，大功形成了？怎麼回事，java 進程仍是起不來

[root@2core bin]# ps auxf|grep java

root 1449 0.0 0.0 103240 852 pts/1 S+ 11:46 0:00 \_ grep java

查看下了上tomcat的日誌

[root@2core local]# more /chroot/usr/local/tomcat/logs/catalina.out

Error: Could not find or load main class org.apache.catalina.startup.Bootstrap

[root@2core local]# ls /chroot/usr/local/tomcat/bin/bootstrap.jar

ls: 沒法訪問/chroot/usr/local/tomcat/bin/bootstrap.jar: 沒有那個文件或目錄

原來是這個包缺乏一個文件

從新從官方網站下載了一個完整的包，解壓

 #wget http://mirror.bit.edu.cn/apache/tomcat/tomcat-6/v6.0.41/bin/apache-tomcat-6.0.41.tar.gz

[root@2core local]# cd /chroot/usr/local/

[root@2core local]# ls

tomcat

[root@2core local]# mv tomcat tomcat.bak

[root@2core local]# mv /usr/local/apache-tomcat-6.0.41 ./tomcat

並在/chroot/usr/local/tomcat/bin/setclasspath.sh加入環境變量

[root@2core bin]# vi /chroot/usr/local/tomcat/bin/setclasspath.sh

# Make sure prerequisite environment variables are set

export JAVA_HOME=/usr/java/jdk1.7.0_45

export JRE_HOME=/usr/java/jdk1.7.0_45/jre

再次運行

[root@2core local]# chroot /chroot /usr/local/tomcat/bin/catalina.sh start

Using CATALINA_BASE: /usr/local/tomcat

Using CATALINA_HOME: /usr/local/tomcat

Using CATALINA_TMPDIR: /usr/local/tomcat/temp

Using JRE_HOME: /usr/java/jdk1.7.0_45/jre

Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar

[root@2core local]# ps auxf|grep java

root 8220 0.0 0.0 103240 852 pts/0 S+ 10:19 0:00 \_ grep java

root 8201 179 6.7 1443396 68980 pts/0 Sl 10:19 0:05 /usr/java/jdk1.7.0_45/jre/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start

終於成功了！把iptables的TCP8080端口打開，即可以經過http://ip:8080訪問了