jailkit base setup
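#!/bin/bash
#
# This script adds a jailed user and prompts admin to add the pubkey for that user
#
# Alex Negulescu <alecs@sysops.ro>
#
# Usage: $0 -j JAILROOT -u USER1[,USER2,USERx] [-k]
#
#   -j, --jaildir  root of an already initialised jailkit chroot
#   -u, --users    comma-separated list of login names to create
#   -k, --key      after creating ~/.ssh inside the jail, offer to paste an
#                  SSH public key into authorized_keys (the flag was parsed
#                  but never consulted before; the prompt now depends on it)
#
# New accounts get the GID of the "jez" group and the next free UID above the
# highest UID already held by an account whose primary group is "jez".
# Finally /etc/jailkit/jk_chrootsh.ini and jk_socketd.ini are rewritten
# (a ".bak" copy of an existing file is kept).
#
# Must run as root. Exits 1 on usage errors or when the jail group is missing.
#
set -u -o pipefail

readonly JAIL_GROUP=jez

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  printf 'Usage : %s -j JAILROOT -u USER1[,USER2,USERx] [-k IF PUBKEY IS ASKED FOR]\n' "$0" >&2
  exit 1
}

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Parse the command line with getopt.
# Globals:   JAILDIR, USERS, KEY (written)
# Arguments: the script's "$@"
# Returns:   0; exits via usage/die on bad options
#######################################
parse_args() {
  local options
  [[ $# -ge 4 ]] || usage
  # getopt prints its own diagnostic on a bad option; it also exits non-zero,
  # which the original ignored and then eval'd garbage.
  options=$(getopt -o j:u:k --long jaildir:,users:,key -n "$0" -- "$@") || usage
  eval set -- "$options"
  JAILDIR=
  USERS=
  KEY=NO
  while true; do
    case "$1" in
      -j|--jaildir) JAILDIR=$2; shift 2 ;;
      -u|--users)   USERS=$2;   shift 2 ;;
      -k|--key)     KEY=YES;    shift ;;
      --)           shift; break ;;
      *)            usage ;;
    esac
  done
  [[ -n $JAILDIR && -n $USERS ]] || usage
  [[ -d $JAILDIR ]] || die "Jaildir ${JAILDIR} does not exist or is not a directory"
}

#######################################
# Resolve the jail group's GID and the highest UID currently held by an
# account whose primary group is the jail group.
# Globals:   JAIL_GROUP (read); JAIL_GID, LAST_JAIL_UID (written)
# Returns:   0; exits via die when the group is missing or has no accounts yet
#            (the original then computed UID 1 and ran useradd with it)
#######################################
lookup_jail_ids() {
  # getent looks the group up by exact name; "grep jez /etc/group" also matched
  # any other group or member list that merely contains the substring.
  JAIL_GID=$(getent group "$JAIL_GROUP" | cut -d: -f3)
  [[ $JAIL_GID =~ ^[0-9]+$ ]] || die "Group ${JAIL_GROUP} not found in the group database"
  # Numeric sort: a plain sort puts 1000 before 999 and picks the wrong "last" UID.
  LAST_JAIL_UID=$(awk -F: -v gid="$JAIL_GID" '$4 == gid { print $3 }' /etc/passwd | sort -n | tail -n1)
  [[ $LAST_JAIL_UID =~ ^[0-9]+$ ]] \
    || die "No account in /etc/passwd has primary group ${JAIL_GROUP} yet; create the first one by hand to establish the UID range"
}

#######################################
# Return the first UID above $1 that is not already in the passwd database.
# Arguments: $1 - last UID handed out
# Outputs:   the next free UID on stdout
#######################################
next_free_uid() {
  local uid=$(( $1 + 1 ))
  while getent passwd "$uid" >/dev/null; do
    uid=$(( uid + 1 ))
  done
  printf '%s\n' "$uid"
}

#######################################
# Create the system account and jail it with jk_jailuser.
# Globals:   JAIL_GID, JAILDIR (read)
# Arguments: $1 - user name, $2 - UID to assign
# Returns:   non-zero when useradd or jk_jailuser fails
#######################################
add_jailed_user() {
  local user=$1 uid=$2
  printf 'Adding users:\t %s\n' "$user"
  printf 'New UID:\t %s\n' "$uid"
  printf 'run: useradd -m -d /home/%s -s /bin/bash -g %s -u %s %s \n' "$user" "$JAIL_GID" "$uid" "$user"
  useradd -m -d "/home/${user}" -s /bin/bash -g "$JAIL_GID" -u "$uid" "$user" || return 1
  printf 'run: jk_jailuser -s /bin/bash -m -j %s %s\n' "$JAILDIR" "$user"
  jk_jailuser -s /bin/bash -m -j "$JAILDIR" "$user" || return 1
}

#######################################
# Check that a pasted line is something sshd will accept as an authorized key.
# Arguments: $1 - candidate line
# Returns:   0 if ssh-keygen can parse it (or ssh-keygen is unavailable and the
#            line is non-empty), 1 otherwise
#######################################
is_valid_pubkey() {
  local key=$1 tmp rc=0
  [[ -n $key ]] || return 1
  if ! command -v ssh-keygen >/dev/null 2>&1; then
    printf 'WARNING: ssh-keygen not found, cannot validate the key\n' >&2
    return 0
  fi
  tmp=$(mktemp) || return 1
  printf '%s\n' "$key" > "$tmp"
  # -l prints the fingerprint and fails on anything that is not a parseable key line.
  ssh-keygen -l -f "$tmp" >/dev/null 2>&1 || rc=1
  rm -f -- "$tmp"
  return "$rc"
}

#######################################
# Create ~/.ssh and an empty authorized_keys inside the jail for a user and,
# when -k was given, offer to paste a public key into it.
# Globals:   JAILDIR, JAIL_GID, KEY (read)
# Arguments: $1 - user name
# Returns:   0 when done or nothing was to be done, 1 on error or a rejected key
#######################################
setup_ssh_dir() {
  local user=$1
  local home="${JAILDIR}/home/${user}"
  local ans='' pubkey=''
  if [[ ! -d $home ]]; then
    printf 'WARNING: %s does not exist, skipping ssh setup for %s\n' "$home" "$user" >&2
    return 1
  fi
  # As before: an existing .ssh directory is left untouched, key prompt included.
  [[ -d "${home}/.ssh" ]] && return 0
  mkdir -m 700 -- "${home}/.ssh" || return 1
  # Create the file already restricted so it is never world-readable, even briefly.
  ( umask 077 && : > "${home}/.ssh/authorized_keys" ) || return 1
  chown -R "${user}:${JAIL_GID}" "${home}/.ssh" || return 1
  chmod 700 "${home}/.ssh"
  chmod 600 "${home}/.ssh/authorized_keys"
  echo "CREATED ${user} SSH HOME FOLDER AND AUTHORIZED KEYS FILE"
  # Only ask for a key when -k was given.
  [[ $KEY == YES ]] || return 0
  read -ep "Do you want to add pubkey for ${user} ? " -t 300 ans
  [[ $ans == [Yy] ]] || return 0
  read -ep "Paste the pubkey here:" pubkey
  [[ -n $pubkey ]] || return 0
  if ! is_valid_pubkey "$pubkey"; then
    printf 'Rejected: not a valid public key line, nothing written\n' >&2
    return 1
  fi
  echo "PUBKEY IS: ${pubkey}"
  # printf keeps the line byte-for-byte; an unquoted echo would glob and collapse whitespace.
  printf '%s\n' "$pubkey" >> "${home}/.ssh/authorized_keys"
}

#######################################
# Rewrite /etc/jailkit/jk_chrootsh.ini and jk_socketd.ini, keeping a .bak of
# any existing file. The socket path follows JAILDIR instead of a fixed
# /var/www so the config matches the jail the users were just put in.
# Globals:   JAILDIR (read)
#######################################
write_jailkit_config() {
  local stamp f
  stamp=$(date '+%F %T')
  for f in /etc/jailkit/jk_chrootsh.ini /etc/jailkit/jk_socketd.ini; do
    [[ -e $f ]] && cp -p -- "$f" "${f}.bak"
  done
  cat > /etc/jailkit/jk_chrootsh.ini <<EOF
#
# alex@sysops.ro ${stamp}
#
#env = DISPLAY, XAUTHORITY
#
[DEFAULT]
env = TERM
EOF
  cat > /etc/jailkit/jk_socketd.ini <<EOF
#
# alex@sysops.ro ${stamp}
#
#env = DISPLAY, XAUTHORITY
#
[${JAILDIR}/dev/log]
base=1024
peak=10240
interval=1
EOF
}

#######################################
# Entry point: parse options, create each user, write the jailkit config.
#######################################
main() {
  local -a users
  local u
  parse_args "$@"
  (( EUID == 0 )) || die "This script must be run as root"
  lookup_jail_ids
  printf 'Jaildir:\t %s\n' "$JAILDIR"
  printf 'Jail GID:\t %s\n' "$JAIL_GID"
  printf 'Last Jail UID:\t %s\n' "$LAST_JAIL_UID"
  printf '\n======= Starting process ... =======\n\n\n'
  IFS=',' read -r -a users <<< "$USERS"
  for u in "${users[@]}"; do
    u=${u//[[:space:]]/}
    [[ -n $u ]] || continue
    # Same name rule useradd applies on Debian; keeps odd input out of useradd/jk_jailuser.
    if [[ ! $u =~ ^[a-z_][a-z0-9_-]*$ ]]; then
      printf 'Skipping invalid user name: %s\n' "$u" >&2
      continue
    fi
    if getent passwd "$u" >/dev/null; then
      printf 'Skipping %s: account already exists\n' "$u" >&2
      continue
    fi
    LAST_JAIL_UID=$(next_free_uid "$LAST_JAIL_UID")
    if ! add_jailed_user "$u" "$LAST_JAIL_UID"; then
      printf 'Failed to create or jail %s, continuing with the next user\n' "$u" >&2
      continue
    fi
    setup_ssh_dir "$u"
  done
  write_jailkit_config
}

main "$@"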
Also add /dev/ptmx and /dev/pts to the jail.
Also, add the following to the skeleton .bashrc (the one inside the jail) so every command is sent to syslog; it is set by the user's own shell, so it is a convenience trail rather than a tamper-proof audit log:
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
rsyslog configuration line to receive it:
local6.* -/var/log/cmdlog.log
jk_init -v -j /var/www ssh # or better use init script below
jk_jailuser -s /bin/bash -m -j /var/www XXXX
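#!/bin/bash
#
# jailkit helper - alecs@sysops.ro
#
# Usage: $0 common|devel|root|passwd pathtojail
#
#   common  shells, editors, networking basics, terminfo and a few user tools
#   devel   compilers and interpreters
#   root    su/sudo/usermod plus the PAM files found by locate
#   passwd  passwd and the PAM state directories
#
# Every jk_init / jk_cp call copies files *into* the jail rooted at pathtojail.
# Exits 1 (not 0 as before) on usage errors, a missing jailkit or a bad path.
###########################################
set -u

#######################################
# Print usage to stderr and exit 1.
#######################################
usage() {
  printf 'Usage: %s common|devel|root|passwd pathtojail\n' "$0" >&2
  exit 1
}

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run "jk_init -f -v JAIL SECTION" for each section.
# Arguments: $1 - jail path, $2.. - jk_init section names
#######################################
init_sections() {
  local jail=$1
  shift
  local section
  for section in "$@"; do
    jk_init -f -v "$jail" "$section"
  done
}

#######################################
# Copy each host path into the jail with jk_cp, skipping paths that do not
# exist on this host (jk_cp would only print an error for them anyway).
# Arguments: $1 - jail path, $2.. - host paths
#######################################
copy_into_jail() {
  local jail=$1
  shift
  local path
  for path in "$@"; do
    if [[ -e $path ]]; then
      jk_cp -v -f "$jail" "$path"
    else
      printf 'skipping %s: not present on this host\n' "$path" >&2
    fi
  done
}

#######################################
# The "common" target: basic shell environment inside the jail.
# Arguments: $1 - jail path
#######################################
setup_common() {
  local jail=$1
  init_sections "$jail" basicshell extendedshell editors logbasics netbasics netutils xterm scp
  # NOTE(review): these three were invoked with -j rather than -f in the
  # original; kept as written, confirm that is intended.
  jk_init -v -j "$jail" ssh
  jk_init -v -j "$jail" sftp
  jk_init -v -j "$jail" jk_lsh
  init_sections "$jail" uidbasics
  copy_into_jail "$jail" \
    /bin/bash /bin/ls /bin/ps /usr/bin/screen \
    /etc/bash.bashrc /etc/environment /etc/profile \
    /usr/bin/dircolors /usr/bin/groups /usr/bin/id /usr/bin/logger \
    /usr/bin/who /usr/bin/whoami /usr/bin/wall
  # better extract/copy /lib/terminfo /usr/share/tabset /usr/share/lintian - ncurses-base
  # http://savannah.nongnu.org/bugs/?36906
  # http://lists.gnu.org/archive/html/jailkit-users/2010-12/msg00019.html
  #
  # need add:
  # [DEFAULT]
  # env = TERM
  #
  # to /etc/jailkit/jk_chrootsh.ini
  #
  # /usr/lib/mc
  # /etc/mc
  # /etc/terminfo
  #
  copy_into_jail "$jail" \
    /lib/terminfo /usr/share/tabset /usr/share/lintian \
    /usr/lib/mc /etc/mc /etc/terminfo
  # copy_into_jail "$jail" /usr/bin/irssi
}

#######################################
# The "devel" target: compilers and interpreters.
# Arguments: $1 - jail path
#######################################
setup_devel() {
  local jail=$1 strict_pm
  copy_into_jail "$jail" /usr/bin/cc /usr/bin/g++ /usr/bin/gcc /usr/bin/python /usr/bin/perl /usr/bin/pork
  # The original hard-coded /usr/share/perl/5.10.0/strict.pm; ask the installed
  # perl where its strict.pm really is and fall back to that path.
  strict_pm=$(perl -Mstrict -e 'print $INC{"strict.pm"}' 2>/dev/null) || strict_pm=
  copy_into_jail "$jail" "${strict_pm:-/usr/share/perl/5.10.0/strict.pm}"
}

#######################################
# The "root" target: su/sudo/usermod and PAM files.
# Arguments: $1 - jail path
#######################################
setup_root() {
  local jail=$1
  # This puts setuid-root binaries inside the chroot. A process that becomes
  # root inside a chroot is not confined by it, so this target effectively
  # extends host-level trust to the jailed users; use it only where that is
  # acceptable, and keep /etc/sudoers in the jail as tight as the host's.
  copy_into_jail "$jail" /bin/su /etc/sudoers /usr/bin/sudo /usr/sbin/usermod
  # "locate pam" depends on the updatedb index (may be stale or absent) and
  # matches any path containing "pam". The sed presumably maps files already
  # under a directory named "...jail" back to host paths -- confirm against
  # the layout in use. xargs -r avoids running jk_cp with no paths at all.
  locate pam | sed 's/^.*jail//' | xargs -r jk_cp -v -f "$jail"
}

#######################################
# The "passwd" target: passwd and the PAM state directories.
# Arguments: $1 - jail path
#######################################
setup_passwd() {
  local jail=$1
  copy_into_jail "$jail" /usr/bin/passwd \
    /var/lib/pam/account /var/lib/pam/auth /var/lib/pam/password \
    /var/lib/pam/seen /var/lib/pam/session
}

#######################################
# Entry point: validate arguments and dispatch on the target name.
# Arguments: $1 - target (common|devel|root|passwd), $2 - jail path
#######################################
main() {
  # The targets call jk_init/jk_cp through PATH, so check PATH rather than /usr/sbin.
  { command -v jk_init >/dev/null && command -v jk_cp >/dev/null; } \
    || die "You need jailkit installed for this to work."
  [[ $# -ge 2 ]] || usage
  local target=$1 jail=$2
  [[ -n $jail && -d $jail ]] || die "You specified an empty path or path is not a folder."
  (( EUID == 0 )) || die "jk_init and jk_cp need root to populate ${jail}"
  case "$target" in
    common) setup_common "$jail" ;;
    devel)  setup_devel "$jail" ;;
    root)   setup_root "$jail" ;;
    passwd) setup_passwd "$jail" ;;
    *)      usage ;;
  esac
}

main "$@"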