#!/bin/sh # # (c) Copyright by Wolfgang Fuschlberger # http://www.fuschlberger.net/programs/ssh-scp-chroot-jail/ # # Traducido y modificado por David Martín :: Suki_ :: # http://sukiweb.net # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # ( http://www.fsf.org/licenses/gpl.txt ) ################################################################################ # Check if we are called with username or update if [ -z "$1" ] ; then echo echo "Error: Faltan parámetros." echo "-------------------------------------------------------------" echo "Crear una nueva cuenta en jaula:" echo "Uso: $0 usuario" echo echo "o especifica \$SHELL y ruta donde está la jaula localizada:" echo "Uso: $0 usuario [/path/to/chroot-shell [/path/to/jail]]" echo "Default shell = /bin/chroot-usuario" echo "Default chroot-path = /home/usuario" echo "-------------------------------------------------------------" echo "Actualizando ficheros de la jaula:" echo "Uso: $0 update [/path/to/chroot-shell [/path/to/jail]]" echo "-------------------------------------------------------------" echo "Eliminar jaula: # userdel usuario" echo " # rm -rf /home/usuario" echo " # rm -f /bin/chroot-usuario" echo " borrar las lineas de /etc/sudoers" exit fi echo "¿Soy root? " if [ "$(whoami &2>/dev/null)" != "root" ] && [ "$(id -un &2>/dev/null)" != "root" ] ; then echo " ¡NO! Error: Necesitas ser root para ejecutar este script." exit 1 fi echo " OK"; # Check existence of necessary files echo "Chequeando distribución... " if [ -f /etc/debian_version ]; then echo " Distrubución detectada" echo " El sistema es Debian Linux" DISTRO=DEBIAN; elif [ -f /etc/SuSE-release ]; then echo " Distribución detectada" echo " El sistema es SuSE Linux" DISTRO=SUSE; elif [ -f /etc/fedora-release ]; then echo " Distribución detectada" echo " El sistema es Fedora Linux" DISTRO=FEDORA; elif [ -f /etc/redhat-release ]; then echo " Distribución detectada" echo " El sistema es Red Hat Linux" DISTRO=REDHAT; else echo -e " fallo...........\nEste script funciona mejore en Debian, Red Hat, Fedora and SuSE Linux!\nSin embargo puedes probarlo....\nSi algunos archivos no son encontrados, revise a partir de la línea 98\n" #exit 1 fi # Specify the apps you want to copy to the jail if [ "$DISTRO" = SUSE ]; then APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/netcat /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd" elif [ "$DISTRO" = FEDORA ]; then APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd" elif [ "$DISTRO" = REDHAT ]; then APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/nc /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd" elif [ "$DISTRO" = DEBIAN ]; then APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /sbin/unix_chkpwd" else APPS="/bin/bash /bin/cp /usr/bin/dircolors /bin/ls /bin/mkdir /bin/mv /bin/rm /bin/rmdir /bin/sh /bin/su /usr/bin/groups /usr/bin/id /usr/bin/rsync /usr/bin/ssh /usr/bin/scp /usr/sbin/unix_chkpwd" fi # Check existence of necessary files echo "Comprobando si existe... " if ( test -f /usr/bin/which ) || ( test -f /bin/which ) || ( test -f /sbin/which ) || ( test -f /usr/sbin/which ); then echo " OK"; else echo " Fallo por favor, instale which-binary! " exit 1 fi echo "Comprobadno chroot..." if [ `which chroot` ]; then echo " OK"; else echo " Fallo chroot no encontrado! Por favor, instale chroot-package/binary! " exit 1 fi echo "Comprobando sudo..." if [ `which sudo` ]; then echo " OK"; else echo " Fallo sudo no encontrado! Por favor, instale sudo-package/binary! " exit 1 fi echo "Comprobando dirname..." if [ `which dirname` ]; then echo " OK"; else echo " Fallo dirname no encontrado! Por favor, instale dirname-binary (puede encontrarlo en el paquete coreutils)! " exit 1 fi echo "Comprobando awk..." if [ `which awk` ]; then echo " OK "; else echo " Fallo awk no encontrado! Por favor, instale (g)awk-package/binary! " exit 1 fi # get location of sftp-server binary from /etc/ssh/sshd_config # check for existence of /etc/ssh/sshd_config and for # (uncommented) line with sftp-server filename. If neither exists, just skip # this step and continue without sftp-server # if (test ! -f /etc/ssh/sshd_config &> /dev/null); then echo " Fichero /etc/ssh/sshd_config no encontrado. No se comprueba la ruta de sftp-server. "; else if !(grep -v "^#" /etc/ssh/sshd_config | grep -i sftp-server &> /dev/null); then echo "Obviamente no hay ningún servidor sftp-server en el sistema. "; else SFTP_SERVER=$(grep -v "^#" /etc/ssh/sshd_config | grep -i sftp-server | awk '{ print $3}') fi fi #if !(grep -v "^#" /etc/ssh/sshd_config | grep -i sftp-server /etc/ssh/sshd_config | awk '{ print $3}' &> /dev/null); then APPS="$APPS $SFTP_SERVER" # Get accountname to create CHROOT_USERNAME=$1 if ! [ -z "$2" ] ; then SHELL=$2 else SHELL=/bin/chroot-$CHROOT_USERNAME fi if ! [ -z "$3" ] ; then JAILPATH=$3 else JAILPATH=/home/$CHROOT_USERNAME fi # Exit if user already exists #id $CHROOT_USERNAME > /dev/null 2>&1 && { echo "User exists."; echo "Exiting."; exit 1; } if ( id $CHROOT_USERNAME > /dev/null 2>&1 ) ; then { echo " ----------------------------- Usuario $CHROOT_USERNAME ya existe. ¿Estás seguro de querer modificar el home del usuario y meterlo en un directorio chroot? ¿Estás realmente seguro? Teclea s sólo si estás absolutamente seguro" read -p "(s/n) -> " MODIFYUSER if [ "$MODIFYUSER" != "s" ]; then echo " No ha tecleado s. Saliendo..." exit 1 fi } else CREATEUSER="yes" fi # Create $SHELL (shell for jailed accounts) if [ -f ${SHELL} ] ; then echo " ----------------------------- El fichero $SHELL ya existe. Probablemente está creado por este script. ¿Estás seguro de que deseas sobreescribirlo? (puedes decir s si quieres tener varios usuarios en la misma jaula)" read -p "(s/n) -> " OVERWRITE if [ "$OVERWRITE" != "s" ]; then echo " No ha tecleado s. Saliendo..." exit 1 fi else echo "Creando $SHELL" echo '#!/bin/sh' > $SHELL echo "`which sudo` `which chroot` $JAILPATH /bin/su - \$USER" \"\$@\" >> $SHELL chmod 755 $SHELL fi # make common jail for everybody if inexistent if [ ! -d ${JAILPATH} ] ; then mkdir -p ${JAILPATH} echo "Creando ${JAILPATH}" fi cd ${JAILPATH} # Create directories in jail that do not exist yet JAILDIRS="dev etc etc/pam.d bin home sbin usr usr/bin usr/lib" for directory in $JAILDIRS ; do if [ ! -d "$JAILPATH/$directory" ] ; then mkdir $JAILPATH/"$directory" echo "Creando $JAILPATH/$directory" fi done echo # Comment in the following lines if your apache can't read the directories and # uses the security contexts # Fix security contexts so Apache can read files #CHCON=$(`which chcon`) #if [ -n "$CHCON" ] && [ -x $CHCON ]; then # $CHCON -t home_root_t $JAILPATH/home # $CHCON -t user_home_dir_t $JAILPATH/home/$CHROOT_USERNAME #fi # Creating necessary devices [ -r $JAILPATH/dev/urandom ] || mknod $JAILPATH/dev/urandom c 1 9 [ -r $JAILPATH/dev/null ] || mknod -m 666 $JAILPATH/dev/null c 1 3 [ -r $JAILPATH/dev/zero ] || mknod -m 666 $JAILPATH/dev/zero c 1 5 [ -r $JAILPATH/dev/tty ] || mknod -m 666 $JAILPATH/dev/tty c 5 0 # if we only want to update the files in the jail # skip the creation of the new account if [ "$1" != "update" ]; then # Modifiy /etc/sudoers to enable chroot-ing for users # must be removed by hand if account is deleted echo "Modificando /etc/sudoers" echo "$CHROOT_USERNAME ALL=NOPASSWD: `which chroot`, /bin/su - $CHROOT_USERNAME" >> /etc/sudoers # Define HomeDir for simple referencing HOMEDIR="$JAILPATH/home/$CHROOT_USERNAME" # Create new account, setting $SHELL to the above created script and # $HOME to $JAILPATH/home/* if [ "$CREATEUSER" != "yes" ] ; then echo " No se crea una nueva cuenta de usuario Modificando usuario \"$CHROOT_USERNAME\" Copiando los ficheros en el home de $CHROOT_USERNAME de \"$HOMEDIR\" " usermod -d "$HOMEDIR" -m -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR" fi if [ "$CREATEUSER" = "yes" ] ; then { echo "Agregando usuario \"$CHROOT_USERNAME\" al sistema" useradd -m -d "$HOMEDIR" -s "$SHELL" $CHROOT_USERNAME && chmod 700 "$HOMEDIR" # Enter password for new account if !(passwd $CHROOT_USERNAME); then echo "Probablemente el password no coincida, intentelo de nuevo." exit 1; fi echo } fi # Create /usr/bin/groups in the jail echo "#!/bin/bash" > usr/bin/groups echo "id -Gn" >> usr/bin/groups chmod 755 usr/bin/groups # Add users to etc/passwd # # check if file exists (ie we are not called for the first time) # if yes skip root's entry and do not overwrite the file if [ ! -f etc/passwd ] ; then grep /etc/passwd -e "^root" > ${JAILPATH}/etc/passwd fi if [ ! -f etc/group ] ; then grep /etc/group -e "^root" > ${JAILPATH}/etc/group # add the group for all users to etc/group (otherwise there is a nasty error # message and probably because of that changing directories doesn't work with # winSCP) grep /etc/group -e "^users" >> ${JAILPATH}/etc/group fi # grep the username which was given to us from /etc/passwd and add it # to ./etc/passwd replacing the $HOME with the directory as it will then # appear in the jail echo "Agregando usuario $CHROOT_USERNAME a la jaula" grep -e "^$CHROOT_USERNAME:" /etc/passwd | \ sed -e "s#$JAILPATH##" \ -e "s#$SHELL#/bin/bash#" >> ${JAILPATH}/etc/passwd # if the system uses one account/one group we write the # account's group to etc/group grep -e "^$CHROOT_USERNAME:" /etc/group >> ${JAILPATH}/etc/group # write the user's line from /etc/shadow to /home/jail/etc/shadow grep -e "^$CHROOT_USERNAME:" /etc/shadow >> ${JAILPATH}/etc/shadow chmod 600 ${JAILPATH}/etc/shadow # endif for =! update fi # Copy the apps and the related libs echo "Copiando los fichero necesarios a la jaula (puede llevar un tiempo)" # The original code worked fine on RedHat 7.3, but did not on FC3. # On FC3, when the 'ldd' is done, there is a 'linux-gate.so.1' that # points to nothing (or a 90xb.....), and it also does not pick up # some files that start with a '/'. To fix this, I am doing the ldd # to a file called ldlist, then going back into the file and pulling # out the libs that start with '/' # # Randy K. # # The original code worked fine on 2.4 kernel systems. Kernel 2.6 # introduced an internal library called 'linux-gate.so.1'. This # 'phantom' library caused non-critical errors to display during the # copy since the file does not actually exist on the file system. # To fix re-direct output of ldd to a file, parse the file and get # library files that start with / # if [ -x ${HOME}/ldlist ]; then mv ${HOME}/ldlist ${HOME}/ldlist.bak fi if [ -x ${HOME}/lddlist2 ]; then mv ${HOME}/lddlist2 ${HOME}/lddlist2.bak fi for app in $APPS; do # First of all, check that this application exists if [ -x $app ]; then # Check that the directory exists; create it if not. app_path=`echo $app | sed -e 's#\(.\+\)/[^/]\+#\1#'` if ! [ -d .$app_path ]; then mkdir -p .$app_path fi # If the files in the chroot are on the same file system as the # original files you should be able to use hard links instead of # copying the files, too. Symbolic links cannot be used, because the # original files are outside the chroot. cp -p $app .$app # get list of necessary libraries ldd $app >> ${HOME}/ldlist fi done # Clear out any old temporary file before we start if [ -e ${HOME}/ldlist2 ]; then rm ${HOME}/ldlist2 fi for libs in `cat ${HOME}/ldlist`; do frst_char="`echo $libs | cut -c1`" if [ "$frst_char" = "/" ]; then echo "$libs" >> ${HOME}/ldlist2 fi done for lib in `cat ${HOME}/ldlist2`; do mkdir -p .`dirname $lib` > /dev/null 2>&1 # If the files in the chroot are on the same file system as the original # files you should be able to use hard links instead of copying the files, # too. Symbolic links cannot be used, because the original files are # outside the chroot. cp $lib .$lib done # # Now, cleanup the 2 files we created for the library list # /bin/rm -f ${HOME}/ldlist /bin/rm -f ${HOME}/ldlist2 # Necessary files that are not listed by ldd. # # There might be errors because of files that do not exist but in the end it # may work nevertheless (I added new file names at the end without deleting old # ones for reasons of backward compatibility). # So please test ssh/scp before reporting a bug. if [ "$DISTRO" = SUSE ]; then cp /lib/libnss_compat.so.2 /lib/libnss_files.so.2 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/ elif [ "$DISTRO" = FEDORA ]; then cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/ld-ldb.so.3 /lib/ld-lsb.so.3 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/ cp /lib/*.* ${JAILPATH}/lib/ cp /usr/lib/libcrack.so.2 ${JAILPATH}/usr/lib/ elif [ "$DISTRO" = REDHAT ]; then cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/ld-linux.so.2 /lib/ld-lsb.so.3 /lib/libnss_dns.so.2 /lib/libxcrypt.so.1 ${JAILPATH}/lib/ # needed for scp on RHEL echo "export LD_LIBRARY_PATH=/usr/kerberos/lib" >> ${JAILPATH}/etc/profile elif [ "$DISTRO" = DEBIAN ]; then cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ${JAILPATH}/lib/ else cp /lib/libnss_compat.so.2 /lib/libnsl.so.1 /lib/libnss_files.so.2 /lib/libcap.so.1 /lib/libnss_dns.so.2 ${JAILPATH}/lib/ fi # if you are using a 64 bit system and have strange problems with login comment # the following lines in, perhaps it works then (motto: if you can't find the # needed library just copy all of them) # #cp /lib/*.* ${JAILPATH}/lib/ #cp /lib/lib64/*.* ${JAILPATH}/lib/lib64/ # if you are using PAM you need stuff from /etc/pam.d/ in the jail, echo "Copiando ficheros de /etc/pam.d/ a la jaula" cp /etc/pam.d/* ${JAILPATH}/etc/pam.d/ # ...and of course the PAM-modules... echo "Copiando PAM-Modules a la jaula" cp -r /lib/security ${JAILPATH}/lib/ # ...and something else useful for PAM cp -r /etc/security ${JAILPATH}/etc/ cp /etc/login.defs ${JAILPATH}/etc/ if [ -f /etc/DIR_COLORS ] ; then cp /etc/DIR_COLORS ${JAILPATH}/etc/ fi # Don't give more permissions than necessary chown root.root ${JAILPATH}/bin/su chmod 700 ${JAILPATH}/bin/su exit