@theonlydoo
Last active August 29, 2015 13:57
Simple chrootgen script
#!/bin/bash
#
# exit 0 : OK
# exit 1 : KO
# TODO : integrate the script in read mode, possibly with a curl interface
# : offer a random password
# : offer a warning e-mail
# : debug mode
# author doo@dooby.fr
# Fork of : http://root-lab.fr/2012/01/25/creer-chroot-ssh-limite-simplement/
#
####################################################################################################
USER=$1
PASSWD=$2
TMPFILE1=./temp1
TMPFILE2=./temp2
userdir="/home/$USER"
sshfile="/etc/ssh/sshd_config"
if [ $# -ne 2 ]; then
    echo "Usage :"
    echo "./chrootgen.sh login password"
    exit 1
fi
mkdir -p "$userdir"
# sshd only accepts a ChrootDirectory that is owned by root and not writable by group or others
chown root:root "$userdir"
chmod 0755 "$userdir"
cd "$userdir" || exit 1
mkdir -p {bin,dev,lib,lib64}
# device nodes the jailed shell needs (mknod fails if they already exist, so test first)
[ -e dev/null ] || mknod dev/null c 1 3
[ -e dev/zero ] || mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
SSH="/usr/bin/ssh"
# TODO : add a parameter for SSH
APPS="/bin/bash /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /usr/bin/id /usr/bin/rsync /usr/bin/scp /usr/bin/wget /usr/bin/vim /usr/bin/vi /bin/cat /bin/less /usr/bin/tail /usr/bin/clear /bin/chmod"
# useradd -p expects an already hashed password, so the clear-text one is set through chpasswd instead
useradd "$USER" -s /bin/bash -d /
echo "$USER:$PASSWD" | chpasswd
# copy each binary into the jail at the same path and record its shared libraries
for app in $APPS; do
    if [ -x "$app" ]; then
        app_path=$(dirname "$app")
        if ! [ -d ".$app_path" ]; then
            mkdir -p ".$app_path"
        fi
        cp -p "$app" ".$app"
        ldd "$app" >> "$TMPFILE1"
    fi
done
# keep only the words of the ldd output that are absolute paths
for libs in $(cat "$TMPFILE1"); do
    frst_char=$(echo "$libs" | cut -c1)
    if [ "$frst_char" = "/" ]; then
        echo "$libs" >> "$TMPFILE2"
    fi
done
for lib in $(cat "$TMPFILE2"); do
    mkdir -p ".$(dirname "$lib")" > /dev/null 2>&1
    cp "$lib" ".$lib"
done
# terminfo so that vim, less and clear work inside the jail
cp -r /lib/terminfo ./lib/
rm -f "$TMPFILE1"
rm -f "$TMPFILE2"
# Match blocks must come after the global settings, so appending at the end of sshd_config is correct
echo "Match User $USER" >> "$sshfile"
echo "ChrootDirectory $userdir" >> "$sshfile"
echo "AllowTCPForwarding no" >> "$sshfile"
echo "X11Forwarding no" >> "$sshfile"
#if [ $(grep -ci "AllowUsers" $sshfile) -eq 1 ]; then
# lineorig=$(grep -i ^AllowUsers $sshfile)
# linenew=$(echo -e $lineorig $USER)
# #sed -i -e s/"$lineorig"/"$linenew"/ $sshfile
# sed -e s/"$lineorig"/"$linenew"/ $sshfile
#fi
# TODO : insert the user if an AllowUsers line is detected in the SSH config file!
if [ -f /etc/init.d/ssh ]; then
    /etc/init.d/ssh restart
else
    if ! service ssh restart; then
        if ! service sshd restart; then
            echo "could not restart ssh service :-("
            exit 1
        fi
    fi
fi
exit 0
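A check script for the jail the gist builds, added here as an example and not part of the gist: it verifies the two things the result silently depends on, that every library a copied binary needs is present under the jail (the same "starts with /" filtering of ldd output the script does), and that the ChrootDirectory path meets sshd's ownership and permission rules. The ldd output, the checkjail.sh name and the /home/alice path are constructed.

```sh
#!/bin/sh
# Constructed ldd output, as chrootgen.sh collects it into temp1 (library names illustrative).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd3c5f0000)
	libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1c2b2a0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2b0c0000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c2b4d0000)'

# Print every absolute path in the ldd output read from stdin, one per line
# (the same "first character is /" filter chrootgen.sh does with cut -c1).
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# Print the libraries from the ldd output on stdin that do not exist below jail $1.
# Empty output means the copied binary will resolve all its libraries inside the jail.
missing_libs() {
    ldd_paths | while read -r lib; do
        [ -e "$1$lib" ] || echo "$lib"
    done
}

# sshd refuses a ChrootDirectory unless it and every ancestor directory is owned
# by root and writable by nobody else. Walk up from absolute path $1, print the
# first offender and return 1; return 0 when the whole path is acceptable.
chroot_path_ok() {
    dir=$1
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        [ "$1" = 0 ] || { echo "not owned by root: $dir"; return 1; }
        [ $(( 0$2 & 022 )) -eq 0 ] || { echo "writable by group/other: $dir"; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage: sh checkjail.sh /home/alice  (script name and jail path are hypothetical)
if [ -n "$1" ]; then
    chroot_path_ok "$1" && echo "chroot path ok"
    for app in "$1"/bin/* "$1"/usr/bin/*; do
        [ -x "$app" ] && ldd "$app" 2>/dev/null | missing_libs "$1"
    done
fi
```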
@theonlydoo (Author)

TODO if useful: make the script methodical
