zarulizham/add-user.sh

## add-user.sh
#!/bin/bash

# add "prisoner" in the jail you created before !!
# USAGE : ./add-user.sh <username> <password> <type>
# Type 1 : sftp jailed user ; Type 2 ssh jailed user
# A password will be auto-generated with pwgen (sudo apt install pwgen)

# Set your jail path wherever you want.
JAIL_PATH=/home/www/

USER=$1
# You can use any password generator you want, or set it manually (e.g PASS=$2)
# PASS=$(pwgen -Bsv 16 1)
PASS=$2

TYPE=$3

if [[ "x$USER" == "x" ]]; then
  echo "you have to provide a user name"
  exit;
fi

if [[ "x$PASS" == "x" ]]; then
  echo "Password is missing"
  exit;
fi

if [[ $TYPE == 1 ]]; then
  GROUP=sftpjailed;
elif [[ $TYPE == 2 ]]; then
  GROUP=sshjailed;
else
  echo "You have to select jail type"
  echo "1 : sftp jailed user | 2 : ssh jailed user"
  exit;
fi

getent passwd $USER > /dev/null
if [ $? -eq 0 ]; then
  echo "user already exists";
  exit;
fi

# All the steps below will have to be done for all users we want to chroot
# Create new user and add it to the sftp/sshjailed group
# We tell useradd the home directory is /home/$USER because, at login,
# the user will already be in the jail and this will be the right path at this moment ;)
useradd -G $GROUP -d /home/$USER -s /bin/bash -p $(openssl passwd -1 $PASS) $USER && \
echo "Password : ${PASS}"

mkdir -p $JAIL_PATH/home/$USER

# create or update minimal '/etc/passwd' file for our chrooted environment
cat /etc/passwd | grep $USER >> $JAIL_PATH/etc/passwd

## jaild.md

      
    Raw
  

              jaild.md
            
          
First adapt the APPS variable to your needs and choose which commands will be available to your jailed users.
Adapt the JAIL_PATH too.
./ssh-chroot-jail.sh
./add-user.sh prisoner abcd1234 2
tada !


## l2chroot
#!/bin/bash
# Use this script to copy shared (libs) files to Apache/Lighttpd chrooted
# jail server.
# ----------------------------------------------------------------------------
# Written by nixCraft <http://www.cyberciti.biz/tips/>
# (c) 2006 nixCraft under GNU GPL v2.0+
# + Added ld-linux support
# + Added error checking support
# ------------------------------------------------------------------------------
# See url for usage:
# http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
# -------------------------------------------------------------------------------
# Set CHROOT directory name
BASE="/home/www"

if [ $# -eq 0 ]; then
  echo "Syntax : $0 /path/to/executable"
  echo "Example: $0 /usr/bin/php5-cgi"
  exit 1
fi

[ ! -d $BASE ] && mkdir -p $BASE || :

# iggy ld-linux* file as it is not shared one
FILES="$(ldd $1 | awk '{ print $3 }' |egrep -v ^'\(')"

echo "Copying shared files/libs to $BASE..."
for i in $FILES
do
  d="$(dirname $i)"
  [ ! -d $BASE$d ] && mkdir -p $BASE$d || :
  /bin/cp $i $BASE$d
done

# copy /lib/ld-linux* or /lib64/ld-linux* to $BASE/$sldlsubdir
# get ld-linux full file location
sldl="$(ldd $1 | grep 'ld-linux' | awk '{ print $1}')"
# now get sub-dir
sldlsubdir="$(dirname $sldl)"

if [ ! -f $BASE$sldl ];
then
  echo "Copying $sldl $BASE$sldlsubdir..."
  /bin/cp $sldl $BASE$sldlsubdir
else
  :
fi

## ssh-chroot-jail.sh
#!/bin/bash
# Chroot Jail for SSH & SFTP Access
# Tested on Debian GNU/Linux 8 (jessie)
# But should work for Ubuntu 14.04 please check here : https://gist.github.com/floudet/17c44b5c4d3ea916b39d7a132ec0575a

# Reference : http://allanfeid.com/content/creating-chroot-jail-ssh-access
#
# Had to add/change several things to make it work, including:
# - create lib64 folder
# - copy whoami dependencies that ldd doesn't show to fix 'I have no name!'
#   in the customized prompt + create passwd file
#
# EDIT 11/04/17 by @askz :
# - Check if the current copied binary have library dependencies
# - Add some variables to make the jail more flexible and customizable
# - Separate prisoner creation in another script
# - Auto add config for sshjailed group in sshd_config
#
# /!\ All the commands below are typed as root

if [[ $1 == "debug" ]]; then
  echo "Entering debugging mode (set -x)"
  set -x
fi

APPS="bash cat cp touch grep ls mkdir ping ps rm sed tar env find git htop nano php rsync scp	sftp top unzip vi whoami zip"

JAIL_PATH=/home/www

# Setup the jail directories
mkdir $JAIL_PATH
mkdir -p $JAIL_PATH/{dev,etc,lib,lib64,usr/bin,bin,usr/share}

# Create null device node
mknod -m 666 $JAIL_PATH/dev/null c 1 3

# Copy minimum files
cp /etc/ld.so.{cache,conf} $JAIL_PATH/etc/
cp /etc/nsswitch.conf $JAIL_PATH/etc/
cp /etc/hosts $JAIL_PATH/etc/

# here we just want 'ls' and 'bash' in our chrooted environment
for ii in $APPS; do which $ii && cp $(which $ii) $JAIL_PATH$(which $ii); done

# FHS requires that /bin/sh exists
pushd $JAIL_PATH/bin/
ln -s bash sh
popd

# copy library dependencies for the binaries we just copied
# to find out what we need, 'ldd' can be used
# ex: ldd $(which bash)
#	linux-vdso.so.1 =>  (0x00007ffd4c735000)
#	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fe0cce9c000)
#	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe0ccc98000)
#	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe0cc8d3000)
#	/lib64/ld-linux-x86-64.so.2 (0x00007fe0cd0c5000)

# to avoid manual copy, the l2chroot script can be used:
# wget -O /usr/local/sbin/l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
cp ./l2chroot /usr/local/sbin/
chmod 744 /usr/local/sbin/l2chroot

# Edit l2chroot script and change the BASE="/webroot" variable to BASE="$JAIL_PATH"
sed -i "s@/webroot@${JAIL_PATH}@" /usr/local/sbin/l2chroot

# copy library dependencies (with l2chroot)
for ii in $APPS; do which $ii && l2chroot $(which $ii); done


# Additional dependencies for displaying the name of our user in its prompt
cp /lib/x86_64-linux-gnu/libnsl.so.1 $JAIL_PATH/lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libnss_* $JAIL_PATH/lib/x86_64-linux-gnu/


# Configure sshd to chroot the users
# Add the followind lines in '/etc/ssh/sshd_config'
sed -i 's/Subsystem sftp \/usr\/lib\/openssh\/sftp-server/Subsystem sftp internal-sftp/g' /etc/ssh/sshd_config
cat <<- EOF >> /etc/ssh/sshd_config
Match group sshjailed
  ChrootDirectory ${JAIL_PATH}/
  X11Forwarding no
  AllowTcpForwarding no

Match group sftpjailed
  ChrootDirectory ${JAIL_PATH}/home/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
EOF

# Don't forget to restart ssh
service ssh restart

# Setup group for SSH & SFTP jailed users
groupadd sshjailed
groupadd sftpjailed

# copy terminfo so that some apps can working
cp -r /lib/terminfo $JAIL_PATH/lib/terminfo
	#!/bin/bash

	# add "prisoner" in the jail you created before !!
	# USAGE : ./add-user.sh <username> <password> <type>
	# Type 1 : sftp jailed user ; Type 2 ssh jailed user
	# A password will be auto-generated with pwgen (sudo apt install pwgen)

	# Set your jail path wherever you want.
	JAIL_PATH=/home/www/

	USER=$1
	# You can use any password generator you want, or set it manually (e.g PASS=$2)
	# PASS=$(pwgen -Bsv 16 1)
	PASS=$2

	TYPE=$3

	if [[ "x$USER" == "x" ]]; then
	echo "you have to provide a user name"
	exit;
	fi

	if [[ "x$PASS" == "x" ]]; then
	echo "Password is missing"
	exit;
	fi

	if [[ $TYPE == 1 ]]; then
	GROUP=sftpjailed;
	elif [[ $TYPE == 2 ]]; then
	GROUP=sshjailed;
	else
	echo "You have to select jail type"
	echo "1 : sftp jailed user \| 2 : ssh jailed user"
	exit;
	fi

	getent passwd $USER > /dev/null
	if [ $? -eq 0 ]; then
	echo "user already exists";
	exit;
	fi

	# All the steps below will have to be done for all users we want to chroot
	# Create new user and add it to the sftp/sshjailed group
	# We tell useradd the home directory is /home/$USER because, at login,
	# the user will already be in the jail and this will be the right path at this moment ;)
	useradd -G $GROUP -d /home/$USER -s /bin/bash -p $(openssl passwd -1 $PASS) $USER && \
	echo "Password : ${PASS}"

	mkdir -p $JAIL_PATH/home/$USER

	# create or update minimal '/etc/passwd' file for our chrooted environment
	cat /etc/passwd \| grep $USER >> $JAIL_PATH/etc/passwd
	#!/bin/bash
	# Use this script to copy shared (libs) files to Apache/Lighttpd chrooted
	# jail server.
	# ----------------------------------------------------------------------------
	# Written by nixCraft <http://www.cyberciti.biz/tips/>
	# (c) 2006 nixCraft under GNU GPL v2.0+
	# + Added ld-linux support
	# + Added error checking support
	# ------------------------------------------------------------------------------
	# See url for usage:
	# http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
	# -------------------------------------------------------------------------------
	# Set CHROOT directory name
	BASE="/home/www"

	if [ $# -eq 0 ]; then
	echo "Syntax : $0 /path/to/executable"
	echo "Example: $0 /usr/bin/php5-cgi"
	exit 1
	fi

	[ ! -d $BASE ] && mkdir -p $BASE \|\| :

	# iggy ld-linux* file as it is not shared one
	FILES="$(ldd $1 \| awk '{ print $3 }' \|egrep -v ^'\(')"

	echo "Copying shared files/libs to $BASE..."
	for i in $FILES
	do
	d="$(dirname $i)"
	[ ! -d $BASE$d ] && mkdir -p $BASE$d \|\| :
	/bin/cp $i $BASE$d
	done

	# copy /lib/ld-linux* or /lib64/ld-linux* to $BASE/$sldlsubdir
	# get ld-linux full file location
	sldl="$(ldd $1 \| grep 'ld-linux' \| awk '{ print $1}')"
	# now get sub-dir
	sldlsubdir="$(dirname $sldl)"

	if [ ! -f $BASE$sldl ];
	then
	echo "Copying $sldl $BASE$sldlsubdir..."
	/bin/cp $sldl $BASE$sldlsubdir
	else
	:
	fi
	#!/bin/bash
	# Chroot Jail for SSH & SFTP Access
	# Tested on Debian GNU/Linux 8 (jessie)
	# But should work for Ubuntu 14.04 please check here : https://gist.github.com/floudet/17c44b5c4d3ea916b39d7a132ec0575a

	# Reference : http://allanfeid.com/content/creating-chroot-jail-ssh-access
	#
	# Had to add/change several things to make it work, including:
	# - create lib64 folder
	# - copy whoami dependencies that ldd doesn't show to fix 'I have no name!'
	# in the customized prompt + create passwd file
	#
	# EDIT 11/04/17 by @askz :
	# - Check if the current copied binary have library dependencies
	# - Add some variables to make the jail more flexible and customizable
	# - Separate prisoner creation in another script
	# - Auto add config for sshjailed group in sshd_config
	#
	# /!\ All the commands below are typed as root

	if [[ $1 == "debug" ]]; then
	echo "Entering debugging mode (set -x)"
	set -x
	fi

	APPS="bash cat cp touch grep ls mkdir ping ps rm sed tar env find git htop nano php rsync scp sftp top unzip vi whoami zip"

	JAIL_PATH=/home/www

	# Setup the jail directories
	mkdir $JAIL_PATH
	mkdir -p $JAIL_PATH/{dev,etc,lib,lib64,usr/bin,bin,usr/share}

	# Create null device node
	mknod -m 666 $JAIL_PATH/dev/null c 1 3

	# Copy minimum files
	cp /etc/ld.so.{cache,conf} $JAIL_PATH/etc/
	cp /etc/nsswitch.conf $JAIL_PATH/etc/
	cp /etc/hosts $JAIL_PATH/etc/

	# here we just want 'ls' and 'bash' in our chrooted environment
	for ii in $APPS; do which $ii && cp $(which $ii) $JAIL_PATH$(which $ii); done

	# FHS requires that /bin/sh exists
	pushd $JAIL_PATH/bin/
	ln -s bash sh
	popd

	# copy library dependencies for the binaries we just copied
	# to find out what we need, 'ldd' can be used
	# ex: ldd $(which bash)
	# linux-vdso.so.1 => (0x00007ffd4c735000)
	# libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fe0cce9c000)
	# libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe0ccc98000)
	# libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe0cc8d3000)
	# /lib64/ld-linux-x86-64.so.2 (0x00007fe0cd0c5000)

	# to avoid manual copy, the l2chroot script can be used:
	# wget -O /usr/local/sbin/l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
	cp ./l2chroot /usr/local/sbin/
	chmod 744 /usr/local/sbin/l2chroot

	# Edit l2chroot script and change the BASE="/webroot" variable to BASE="$JAIL_PATH"
	sed -i "s@/webroot@${JAIL_PATH}@" /usr/local/sbin/l2chroot

	# copy library dependencies (with l2chroot)
	for ii in $APPS; do which $ii && l2chroot $(which $ii); done


	# Additional dependencies for displaying the name of our user in its prompt
	cp /lib/x86_64-linux-gnu/libnsl.so.1 $JAIL_PATH/lib/x86_64-linux-gnu/
	cp /lib/x86_64-linux-gnu/libnss_* $JAIL_PATH/lib/x86_64-linux-gnu/


	# Configure sshd to chroot the users
	# Add the followind lines in '/etc/ssh/sshd_config'
	sed -i 's/Subsystem sftp \/usr\/lib\/openssh\/sftp-server/Subsystem sftp internal-sftp/g' /etc/ssh/sshd_config
	cat <<- EOF >> /etc/ssh/sshd_config
	Match group sshjailed
	ChrootDirectory ${JAIL_PATH}/
	X11Forwarding no
	AllowTcpForwarding no

	Match group sftpjailed
	ChrootDirectory ${JAIL_PATH}/home/%u
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand internal-sftp
	EOF

	# Don't forget to restart ssh
	service ssh restart

	# Setup group for SSH & SFTP jailed users
	groupadd sshjailed
	groupadd sftpjailed

	# copy terminfo so that some apps can working
	cp -r /lib/terminfo $JAIL_PATH/lib/terminfo