Skip to content

Instantly share code, notes, and snippets.

@zarulizham
Forked from askz/add-user.sh
Last active July 4, 2018 03:01
Show Gist options
  • Save zarulizham/08530087b3e940c424fa167179e838a6 to your computer and use it in GitHub Desktop.
Save zarulizham/08530087b3e940c424fa167179e838a6 to your computer and use it in GitHub Desktop.
Chroot Jail for SSH/SFTP Access toolkit
#!/bin/bash
# add "prisoner" in the jail you created before !!
# USAGE : ./add-user.sh <username> <password> <type>
# Type 1 : sftp jailed user ; Type 2 ssh jailed user
# A password will be auto-generated with pwgen (sudo apt install pwgen)
# Set your jail path wherever you want.
JAIL_PATH=/home/www/
USER=$1
# You can use any password generator you want, or set it manually (e.g PASS=$2)
# PASS=$(pwgen -Bsv 16 1)
PASS=$2
TYPE=$3
if [[ "x$USER" == "x" ]]; then
echo "you have to provide a user name"
exit;
fi
if [[ "x$PASS" == "x" ]]; then
echo "Password is missing"
exit;
fi
if [[ $TYPE == 1 ]]; then
GROUP=sftpjailed;
elif [[ $TYPE == 2 ]]; then
GROUP=sshjailed;
else
echo "You have to select jail type"
echo "1 : sftp jailed user | 2 : ssh jailed user"
exit;
fi
getent passwd $USER > /dev/null
if [ $? -eq 0 ]; then
echo "user already exists";
exit;
fi
# All the steps below will have to be done for all users we want to chroot
# Create new user and add it to the sftp/sshjailed group
# We tell useradd the home directory is /home/$USER because, at login,
# the user will already be in the jail and this will be the right path at this moment ;)
useradd -G $GROUP -d /home/$USER -s /bin/bash -p $(openssl passwd -1 $PASS) $USER && \
echo "Password : ${PASS}"
mkdir -p $JAIL_PATH/home/$USER
# create or update minimal '/etc/passwd' file for our chrooted environment
cat /etc/passwd | grep $USER >> $JAIL_PATH/etc/passwd
  • First adapt the APPS variable to your needs and choose which commands will be available to your jailed users.
  • Adapt the JAIL_PATH too.
  • ./ssh-chroot-jail.sh
  • ./add-user.sh prisoner abcd1234 2
  • tada !
#!/bin/bash
# Use this script to copy shared (libs) files to Apache/Lighttpd chrooted
# jail server.
# ----------------------------------------------------------------------------
# Written by nixCraft <http://www.cyberciti.biz/tips/>
# (c) 2006 nixCraft under GNU GPL v2.0+
# + Added ld-linux support
# + Added error checking support
# ------------------------------------------------------------------------------
# See url for usage:
# http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
# -------------------------------------------------------------------------------
# Set CHROOT directory name
BASE="/home/www"
if [ $# -eq 0 ]; then
echo "Syntax : $0 /path/to/executable"
echo "Example: $0 /usr/bin/php5-cgi"
exit 1
fi
[ ! -d $BASE ] && mkdir -p $BASE || :
# iggy ld-linux* file as it is not shared one
FILES="$(ldd $1 | awk '{ print $3 }' |egrep -v ^'\(')"
echo "Copying shared files/libs to $BASE..."
for i in $FILES
do
d="$(dirname $i)"
[ ! -d $BASE$d ] && mkdir -p $BASE$d || :
/bin/cp $i $BASE$d
done
# copy /lib/ld-linux* or /lib64/ld-linux* to $BASE/$sldlsubdir
# get ld-linux full file location
sldl="$(ldd $1 | grep 'ld-linux' | awk '{ print $1}')"
# now get sub-dir
sldlsubdir="$(dirname $sldl)"
if [ ! -f $BASE$sldl ];
then
echo "Copying $sldl $BASE$sldlsubdir..."
/bin/cp $sldl $BASE$sldlsubdir
else
:
fi
#!/bin/bash
# Chroot Jail for SSH & SFTP Access
# Tested on Debian GNU/Linux 8 (jessie)
# But should work for Ubuntu 14.04 please check here : https://gist.github.com/floudet/17c44b5c4d3ea916b39d7a132ec0575a
# Reference : http://allanfeid.com/content/creating-chroot-jail-ssh-access
#
# Had to add/change several things to make it work, including:
# - create lib64 folder
# - copy whoami dependencies that ldd doesn't show to fix 'I have no name!'
# in the customized prompt + create passwd file
#
# EDIT 11/04/17 by @askz :
# - Check if the current copied binary have library dependencies
# - Add some variables to make the jail more flexible and customizable
# - Separate prisoner creation in another script
# - Auto add config for sshjailed group in sshd_config
#
# /!\ All the commands below are typed as root
if [[ $1 == "debug" ]]; then
echo "Entering debugging mode (set -x)"
set -x
fi
APPS="bash cat cp touch grep ls mkdir ping ps rm sed tar env find git htop nano php rsync scp sftp top unzip vi whoami zip"
JAIL_PATH=/home/www
# Setup the jail directories
mkdir $JAIL_PATH
mkdir -p $JAIL_PATH/{dev,etc,lib,lib64,usr/bin,bin,usr/share}
# Create null device node
mknod -m 666 $JAIL_PATH/dev/null c 1 3
# Copy minimum files
cp /etc/ld.so.{cache,conf} $JAIL_PATH/etc/
cp /etc/nsswitch.conf $JAIL_PATH/etc/
cp /etc/hosts $JAIL_PATH/etc/
# here we just want 'ls' and 'bash' in our chrooted environment
for ii in $APPS; do which $ii && cp $(which $ii) $JAIL_PATH$(which $ii); done
# FHS requires that /bin/sh exists
pushd $JAIL_PATH/bin/
ln -s bash sh
popd
# copy library dependencies for the binaries we just copied
# to find out what we need, 'ldd' can be used
# ex: ldd $(which bash)
# linux-vdso.so.1 => (0x00007ffd4c735000)
# libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fe0cce9c000)
# libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe0ccc98000)
# libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe0cc8d3000)
# /lib64/ld-linux-x86-64.so.2 (0x00007fe0cd0c5000)
# to avoid manual copy, the l2chroot script can be used:
# wget -O /usr/local/sbin/l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
cp ./l2chroot /usr/local/sbin/
chmod 744 /usr/local/sbin/l2chroot
# Edit l2chroot script and change the BASE="/webroot" variable to BASE="$JAIL_PATH"
sed -i "s@/webroot@${JAIL_PATH}@" /usr/local/sbin/l2chroot
# copy library dependencies (with l2chroot)
for ii in $APPS; do which $ii && l2chroot $(which $ii); done
# Additional dependencies for displaying the name of our user in its prompt
cp /lib/x86_64-linux-gnu/libnsl.so.1 $JAIL_PATH/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libnss_* $JAIL_PATH/lib/x86_64-linux-gnu/
# Configure sshd to chroot the users
# Add the followind lines in '/etc/ssh/sshd_config'
sed -i 's/Subsystem sftp \/usr\/lib\/openssh\/sftp-server/Subsystem sftp internal-sftp/g' /etc/ssh/sshd_config
cat <<- EOF >> /etc/ssh/sshd_config
Match group sshjailed
ChrootDirectory ${JAIL_PATH}/
X11Forwarding no
AllowTcpForwarding no
Match group sftpjailed
ChrootDirectory ${JAIL_PATH}/home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
# Don't forget to restart ssh
service ssh restart
# Setup group for SSH & SFTP jailed users
groupadd sshjailed
groupadd sftpjailed
# copy terminfo so that some apps can working
cp -r /lib/terminfo $JAIL_PATH/lib/terminfo
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment