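#!/bin/sh
# Build an rssh chroot jail in "$JAIL" (default /users) and create a jailed
# scp/sftp-only user "$JAIL_USER" (default testuser).  Must run as root on a
# yum-based host (GNU sed/stat/coreutils are assumed).
#
# Requires the l2chroot helper (copies a binary's shared libraries into the
# jail) at "$L2CHROOT" (default /tmp/l2chroot): executable, owned by root and
# not group/world-writable -- it is executed as root.  l2chroot carries its own
# jail root setting; it must agree with $JAIL or the libraries land elsewhere.
#
# Procedure from: https://www.cyberciti.biz/tips/howto-linux-unix-rssh-chroot-jail-setup.html
# Logging from:   http://kb.monitorware.com/log-sftp-chroot-with-rssh-t10497.html
#
# Kept as POSIX sh: the original used a brace expansion under /bin/sh, which
# is a bashism and creates a literal '{dev,etc,...}' directory on dash/ash.
set -eu
set -x

JAIL=${JAIL:-/users}
JAIL_USER=${JAIL_USER:-testuser}
L2CHROOT=${L2CHROOT:-/tmp/l2chroot}

# Everything below edits system files and sets a setuid bit.
[ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }

# The helper defaults to world-writable /tmp and runs as root: refuse one that
# is missing, not owned by root, or writable by group/other.
[ -f "$L2CHROOT" ] && [ -x "$L2CHROOT" ] \
  || { echo "$L2CHROOT: not an executable file" >&2; exit 1; }
[ "$(stat -c '%u' "$L2CHROOT")" -eq 0 ] \
  || { echo "$L2CHROOT: not owned by root" >&2; exit 1; }
case "$(stat -c '%a' "$L2CHROOT")" in
  *[2367]?|*[2367]) echo "$L2CHROOT: group- or world-writable" >&2; exit 1 ;;
esac

yum -y update

# TZ
ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime

# rssh.  The rsshusers group is used below to restrict the setuid helper;
# abort early if the package did not provide it.
yum -y install rssh
getent group rsshusers >/dev/null \
  || { echo "group rsshusers missing after install" >&2; exit 1; }

# Jail layout.  lib64 is created here because the NSS libraries are copied
# into it below (the original cd'd into a directory it never created).
mkdir -p "$JAIL/home" "$JAIL/dev" "$JAIL/etc" "$JAIL/lib" "$JAIL/lib64" \
  "$JAIL/bin" "$JAIL/usr/bin" "$JAIL/usr/libexec/openssh"
# The jail root must be root-owned and not writable by the jailed user: the
# setuid helper chroots here and the jailed binaries load libraries from
# inside the jail, so a writable jail root would be a privilege escalation path.
chown root:root "$JAIL"
chmod 755 "$JAIL"

# /dev/null (skipped if present so the script can be re-run)
[ -c "$JAIL/dev/null" ] || mknod -m 666 "$JAIL/dev/null" c 1 3

# Loader and resolver configuration the jailed binaries need.  /etc/passwd and
# /etc/group are deliberately NOT copied wholesale (that exposes every account
# on the host to the jail); minimal versions are generated once the user exists.
for f in /etc/ld.so.cache /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/resolv.conf; do
  cp "$f" "$JAIL/etc/"
done

# Binaries the jailed session runs.
cp /usr/bin/scp /usr/bin/rssh /usr/bin/sftp "$JAIL/usr/bin/"
cp /usr/libexec/openssh/sftp-server "$JAIL/usr/libexec/openssh/"
# NOTE(review): this in-jail copy of the helper is not setuid (plain cp drops
# it); the setuid helper that actually performs the chroot is the one outside
# the jail, so this copy is presumably unused -- kept from the original recipe.
cp /usr/libexec/rssh_chroot_helper "$JAIL/usr/libexec/"
# NOTE(review): sh and bash inside the jail give a jailed session a shell if
# anything ever lets it execute one; kept from the original recipe, drop them
# if the installed rssh version does not need /bin/sh in the jail -- confirm.
cp /bin/sh /bin/bash "$JAIL/bin/"

# The setuid helper performs the chroot; restrict it to the rsshusers group
# so only jailed accounts can invoke it.
chgrp rsshusers /usr/libexec/rssh_chroot_helper
chmod 4750 /usr/libexec/rssh_chroot_helper

# Shared libraries for each jailed binary
for bin in /usr/bin/scp /usr/bin/rssh /usr/bin/sftp \
    /usr/libexec/openssh/sftp-server /usr/libexec/rssh_chroot_helper \
    /bin/sh /bin/bash; do
  "$L2CHROOT" "$bin"
done

# NSS modules so name/uid lookups work inside the jail
cp /lib64/*nss* "$JAIL/lib64/"

# rsyslog: a process inside the jail cannot reach /dev/log, so add a listener
# socket inside the jail and route LOCAL6 to /var/log/sftp.
# NOTE: $ModLoad imuxsock must be uncommented at the top of /etc/rsyslog.conf.
# The grep guards keep re-runs from appending duplicate directives.
grep -qF "\$AddUnixListenSocket $JAIL/dev/log" /etc/rsyslog.conf \
  || echo "\$AddUnixListenSocket $JAIL/dev/log" >> /etc/rsyslog.conf
grep -qF 'local6.* /var/log/sftp' /etc/rsyslog.conf \
  || echo 'local6.* /var/log/sftp' >> /etc/rsyslog.conf
service rsyslog restart

# sshd conf.  Edited in place with GNU sed -i instead of via predictable
# /tmp names (a pre-planted symlink there would redirect the write and
# 'mv' would then install that symlink as sshd_config).
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.saved
grep -q 'Subsystem sftp.* -f LOCAL6 -l INFO' /etc/ssh/sshd_config \
  || sed -i '/Subsystem sftp/s/$/ -f LOCAL6 -l INFO/' /etc/ssh/sshd_config
# The original flipped PasswordAuthentication to "yes" for the whole server.
# Scope it to the jailed group instead so every other account keeps its
# existing policy.  Match blocks apply to the end of the file, hence appended.
grep -q '^Match Group rsshusers' /etc/ssh/sshd_config \
  || printf '\nMatch Group rsshusers\n\tPasswordAuthentication yes\n' >> /etc/ssh/sshd_config
chmod 644 /etc/ssh/sshd_config

# rssh conf: enable scp and sftp, register the jailed user with umask 027
# and chroot to $JAIL.
sed -i -e '/#allowscp/s/#//' -e '/#allowsftp/s/#//' /etc/rssh.conf
grep -q "^user = $JAIL_USER:" /etc/rssh.conf \
  || echo "user = $JAIL_USER:027:00011:$JAIL" >> /etc/rssh.conf
chmod 644 /etc/rssh.conf

# Validate the edited config before restarting so a bad edit cannot lock us
# out of the host.
/usr/sbin/sshd -t
service sshd restart

# Jailed user: rssh as login shell, home inside the jail.  Fails (and aborts)
# if the account already exists, rather than silently reusing a non-jailed one.
useradd -m -d "$JAIL/home/$JAIL_USER" -s /usr/bin/rssh "$JAIL_USER"
# NOTE: set a password for the user afterwards (passwd "$JAIL_USER").
usermod -a -G rsshusers "$JAIL_USER"

# Minimal passwd/group inside the jail: just the jailed user (home path is
# relative to the jail root) and its groups.  uid/gid are read back rather
# than hard-coded so the entry matches whatever useradd actually assigned.
uid=$(id -u "$JAIL_USER")
gid=$(id -g "$JAIL_USER")
printf '%s:x:%s:%s::/home/%s:/bin/bash\n' "$JAIL_USER" "$uid" "$gid" "$JAIL_USER" > "$JAIL/etc/passwd"
getent group "$(id -gn "$JAIL_USER")" rsshusers > "$JAIL/etc/group"

# end
touch /tmp/build-chroot-completed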