- Download both files into one directory.
- Make sure that 'l2chroot.txt' exists in the same directory.
- Run with sudo permission
sudo ./jailuser customuser
This works on Ubuntu and Debian.
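#!/bin/bash
# jailuser - create an SFTP-only user confined to a chroot jail.
#
# Usage: sudo ./jailuser newusername
#
# On the first run the jail root ($D) is built: device nodes, a few
# binaries plus the shared libraries they need (copied with the l2chroot
# helper, expected next to this script as 'l2chroot.txt'), and
# /etc/{passwd,group}. Every run then creates the user, appends a
# 'Match User' block to sshd_config and prepares the user's home
# directory inside the jail.
#
# Requires root. Exits non-zero on any failed step so that a failed
# useradd/passwd never leaves a half-configured sshd_config behind.
set -euo pipefail

D=/home/www-sftp
U=${1:-}
SSHD_CONFIG=/etc/ssh/sshd_config
# Directory holding this script; l2chroot.txt is looked up there.
SCRIPT_DIR=$(cd "$(dirname "$0")" && pwd)

usage() {
  echo "Usage: 'sudo $0 newusername'"
  exit 1
}

if [ "$EUID" -ne 0 ]; then
  echo "Requires root permission .."
  usage
fi
if [[ -z "$U" ]]; then
  echo "username can't be empty .."
  usage
fi
# The name is written verbatim into sshd_config below, so restrict it to a
# conservative character set (no whitespace, newlines or shell metachars).
# This also matches Debian's default NAME_REGEX for useradd.
if [[ ! "$U" =~ ^[a-z_][a-z0-9_-]*$ ]]; then
  echo "invalid username '$U' (lowercase letters, digits, '_' and '-', starting with a letter or '_') .."
  usage
fi
if getent passwd "$U" >/dev/null; then
  echo "user '$U' already exists .."
  exit 1
fi

if [ ! -d "$D" ]; then
  echo "Creating Jail Root .."
  mkdir -vp "$D"
  ### 1] Create `/dev` directories
  ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}
  mkdir -vp "$D/dev/"
  mknod -m 666 "$D/dev/null" c 1 3
  mknod -m 666 "$D/dev/tty" c 5 0
  mknod -m 666 "$D/dev/zero" c 1 5
  mknod -m 666 "$D/dev/random" c 1 8
  # sshd only accepts a ChrootDirectory that is root-owned and not
  # group/world writable.
  chown root:root "$D"
  chmod 0755 "$D"
  ls -ld "$D"
  ### 2] Copy required bin commands to $D
  # 2.1 install the helper script
  # (source: http://www.cyberciti.biz/files/lighttpd/l2chroot.txt)
  # Its BASE setting must equal $D.
  if [ ! -f "$SCRIPT_DIR/l2chroot.txt" ]; then
    echo "l2chroot.txt not found in $SCRIPT_DIR .."
    exit 1
  fi
  mv -- "$SCRIPT_DIR/l2chroot.txt" /root/l2chroot
  chmod +x /root/l2chroot
  # 2.2 make dirs
  mkdir -vp "$D/bin" "$D/lib/" "$D/lib64/" "$D/lib/x86_64-linux-gnu/" "$D/etc/"
  # 2.3 copy commands and the shared libraries they link against
  for bin in /bin/bash /bin/ls /bin/date; do
    cp -v -- "$bin" "$D/bin/"
    /root/l2chroot "$bin"
  done
  # 2.4 copy other .so's: libnss_files lets programs inside the jail
  # resolve names from the jail's /etc/passwd and /etc/group.
  cp -va /lib/x86_64-linux-gnu/libnss_files* "$D/lib/x86_64-linux-gnu/"
fi
# Jails created by older versions of this script may lack $D/etc.
mkdir -p "$D/etc/"

### 3] users and groups
# 3.1 create user (no home directory on the host; the sftp home lives in the jail)
useradd -g www-data "$U"
echo "New password for user '$U'"
passwd "$U"
# 3.2 copy user list so that uids map to names inside the jail.
# NOTE: this copies every account on the host into the jail; password
# hashes are not included (they stay in /etc/shadow). Repeat this copy
# whenever users or groups change on the host.
cp -vf /etc/{passwd,group} "$D/etc/"
# 3.3 configure ssh: append a Match block for the new user (once).
if grep -qxF -- "Match User $U" "$SSHD_CONFIG"; then
  echo "sshd_config already contains 'Match User $U', not adding another block .."
else
  cp -p -- "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
  {
    echo "Match User $U"
    echo " ChrootDirectory $D"
    echo " ForceCommand internal-sftp"
  } >> "$SSHD_CONFIG"
fi
# Validate before restarting so a broken config cannot lock us out.
if ! sshd -t; then
  echo "sshd_config failed validation, not restarting ssh .."
  exit 1
fi
if command -v systemctl >/dev/null 2>&1; then
  systemctl restart ssh.service
else
  service ssh restart
fi

### 4] Map Home Directory
mkdir -vp "$D/home/$U"
chown -R "$U:www-data" "$D/home/$U/"
chmod -R 0700 "$D/home/$U/"

### 5] Mount 'web' Directory
echo "Execute the below to 'Mount the web Directory'"
echo ""
echo "mkdir -v $D/home/$U/folder-name"
echo "mount --bind /var/www/folder-name $D/home/$U/folder-name"
echo "chown $U:www-data $D/home/$U/folder-name/"
echo "echo \"/var/www/folder-name $D/home/$U/folder-name none bind\" >> /etc/fstab"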
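#!/bin/bash
# Use this script to copy shared (libs) files to Apache/Lighttpd chrooted
# jail server.
# ----------------------------------------------------------------------------
# Written by nixCraft <http://www.cyberciti.biz/tips/>
# (c) 2006 nixCraft under GNU GPL v2.0+
# + Added ld-linux support
# + Added error checking support
# ------------------------------------------------------------------------------
# See url for usage:
# http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html
# -------------------------------------------------------------------------------
# Usage: l2chroot /path/to/executable
# Copies every shared library that `ldd` reports for the executable, plus
# the dynamic loader (ld-linux*), to the same paths below $BASE.
# Exits 1 on a missing/non-executable argument or when ldd fails.
set -euo pipefail

# Set CHROOT directory name (may be overridden via the BASE environment variable)
# BASE="/webroot"
BASE="${BASE:-/home/www-sftp}"

if [ $# -eq 0 ]; then
  echo "Syntax : $0 /path/to/executable"
  echo "Example: $0 /usr/bin/php5-cgi"
  exit 1
fi
exe=$1
# ldd works by invoking the target's dynamic loader, so it must only be
# pointed at trusted binaries; refuse anything that is not an executable file.
if [ ! -f "$exe" ] || [ ! -x "$exe" ]; then
  echo "Error: '$exe' is not an executable file" >&2
  exit 1
fi
mkdir -p -- "$BASE"

# Run ldd once and parse its output twice below.
if ! ldd_out=$(ldd "$exe"); then
  echo "Error: ldd failed on '$exe' (not a dynamic executable?)" >&2
  exit 1
fi

# Shared libraries appear as "name => /abs/path (0x...)", i.e. the path is
# field 3. Lines for the vdso or the loader itself have no path there, so
# keep only absolute paths (this also drops the ld-linux* line, handled below).
mapfile -t files < <(awk '$3 ~ /^\// { print $3 }' <<<"$ldd_out")
echo "Copying shared files/libs to $BASE..."
for lib in "${files[@]}"; do
  dir=$(dirname -- "$lib")
  mkdir -p -- "$BASE$dir"
  /bin/cp -- "$lib" "$BASE$dir"
done

# copy /lib/ld-linux* or /lib64/ld-linux* to $BASE/$sldlsubdir
# get ld-linux full file location: the first absolute path on the ld-linux
# line (ldd prints it either as field 1 or after "=>" depending on the system)
sldl=$(awk '/ld-linux/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }' <<<"$ldd_out")
if [ -z "$sldl" ]; then
  echo "No ld-linux loader reported for $exe, nothing more to copy"
  exit 0
fi
# now get sub-dir
sldlsubdir=$(dirname -- "$sldl")
if [ ! -f "$BASE$sldl" ]; then
  echo "Copying $sldl $BASE$sldlsubdir..."
  mkdir -p -- "$BASE$sldlsubdir"
  /bin/cp -- "$sldl" "$BASE$sldlsubdir"
fi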