author | Ubuntu <ubuntu@vps-7ebf666e.vps.ovh.net> | 2025-06-26 00:23:53 +0000 |
---|---|---|
committer | Ubuntu <ubuntu@vps-7ebf666e.vps.ovh.net> | 2025-06-26 00:23:53 +0000 |
commit | dd55f98281c1c0c28a5f8df3c87031bc84dd450d (patch) | |
tree | 22604ccce3a63a1db8d3c9b964acae15c87cf759 |
-rwxr-xr-x | bin/create_user.sh | 207 | ||||
-rwxr-xr-x | bin/review_message.sh | 5 | ||||
-rwxr-xr-x | bin/sync-cgit-repos.sh | 23 | ||||
-rwxr-xr-x | deleteuser.sh | 40 | ||||
-rwxr-xr-x | setown.sh | 120 | ||||
-rwxr-xr-x | validate.sh | 16 | ||||
-rw-r--r-- | www/create_user.c | 106 |
7 files changed, 517 insertions, 0 deletions
diff --git a/bin/create_user.sh b/bin/create_user.sh
new file mode 100755
index 0000000..9685a3d
--- /dev/null
+++ b/bin/create_user.sh
@@ -0,0 +1,207 @@
+#!/bin/bash
+# Script to create a jailed user with restricted access
+
+# Variables
+USERNAME="$1" # Set the username from the first argument
+PUBKEY="$2" # Set the password from the second argument
+JAIL_DIR="/home/publicaccess" # Set the base jail directory
+BASH_PATH="/usr/sbin/jk_chrootsh" # Path to the bash shell
+USER_HOME="$JAIL_DIR/home/$USERNAME" # The user's home directory inside the jail
+RESTRICTED_PROFILE="$USER_HOME/.bash_profile" # Path to restricted profile
+
+# Check if Jailkit is installed
+if ! command -v jk_init >/dev/null 2>&1; then
+ echo "Error: Jailkit is not installed. Please install Jailkit before running this script."
+ echo "On Debian/Ubuntu systems, you can use: apt-get install jailkit"
+ echo "On Red Hat/CentOS/Fedora systems, you might use: yum install jailkit"
+ exit 1
+fi
+
+# Create the jail directory
+
+# Check if the user already exists
+if id "$USERNAME" >/dev/null 2>&1; then
+ echo "User '$USERNAME' already exists. Exiting."
+ exit 1;
+fi
+# Create the user
+sudo useradd -d "/home/publicaccess/home/$USERNAME" -m "$USERNAME" -s /bin/bash
+# Set a password for the user
+echo "$USERNAME:acsg3Gzc0A!" | sudo chpasswd
+sudo passwd -u "$USERNAME"
+
+# Jailkit configuration
+echo "Creating the jail for $USERNAME..."
+sudo jk_jailuser -j /home/publicaccess "$USERNAME"
+# change line PASSWD
+PASSWD_FILE="/home/publicaccess/etc/passwd"
+
+# Make sure the username is passed in
+TEMP_FILE=$(mktemp)
+
+# Edit the passwd file
+awk -F: -v user="$USERNAME" '{
+ if ($1 == user) {
+ $7 = "/usr/local/bin/review_message.sh"
+ }
+ print $0
+}' OFS=":" "$PASSWD_FILE" > "$TEMP_FILE"
+
+# Replace original file
+sudo mv "$TEMP_FILE" "$PASSWD_FILE"
+echo "Updated shell for $USERNAME to /bin/bash"
+echo "PS1='(KILLSWITCH PUBLIC UNIX)$ '" >> "/home/publicaccess/home/$USERNAME/.bashrc"
+echo 'echo -e "`cat /usr/local/bin/motd.txt`"' >> "/home/publicaccess/home/$USERNAME/.bashrc"
+
+# Function to copy a file and create necessary directorie
+
+# # Function to copy libraries for a given binary - Removed
+# copy_libs() {
+# local BINARY="$1"
+# local LIBS_ARRAY
+# LIBS_ARRAY=($(ldd "$BINARY" | awk '/=>/ {print $3}') )
+#
+# for LIB in "${LIBS_ARRAY[@]}"; do
+# if [ -n "$LIB" ] && [ -e "$LIB" ]; then # Check if the library exists
+# JAIL_LIB_PATH="${JAIL_DIR}${LIB#\/}"
+# copy_with_dirs "$LIB" "$JAIL_LIB_PATH"
+# elif [ -n "$LIB" ]; then
+# echo "Warning: Library $LIB not found, but is required by $BINARY"
+# fi
+# done
+# }
+
+# # Copy essential commands and their libraries - Removed
+# declare -a ESSENTIAL_BINS
+# # Check for existence in /bin and /usr/bin, use the correct path
+# if [ -e "/bin/ls" ]; then
+# ESSENTIAL_BINS+=("/bin/ls")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/ls")
+# fi
+# if [ -e "/bin/pwd" ]; then
+# ESSENTIAL_BINS+=("/bin/pwd")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/pwd")
+# fi
+# if [ -e "/bin/cat" ]; then
+# ESSENTIAL_BINS+=("/bin/cat")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/cat")
+# fi
+# if [ -e "/bin/echo" ]; then
+# ESSENTIAL_BINS+=("/bin/echo")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/echo")
+# fi
+# if [ -e "/bin/mkdir" ]; then
+# ESSENTIAL_BINS+=("/bin/mkdir")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/mkdir")
+# fi
+# if [ -e "/bin/cd" ]; then
+# ESSENTIAL_BINS+=("/bin/cd")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/cd")
+# fi
+# ESSENTIAL_BINS+=("/usr/bin/passwd") # /usr/bin/passwd is standard
+# if [ -e "/bin/bash" ]; then
+# ESSENTIAL_BINS+=("/bin/bash")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/bash")
+# fi
+#
+# for BIN in "${ESSENTIAL_BINS[@]}"; do
+# jk_cp -v -j "$JAIL_DIR" "$BIN"
+# copy_libs "$BIN"
+# done
+jk_cp -v -j "/home/publicaccess" "/usr/bin/gcc"
+jk_cp -v -j "/home/publicaccess" "/usr/bin/g++"
+jk_cp -v -j "/home/publicaccess" "/usr/bin/make"
+jk_cp -v -j "/home/publicaccess" "/usr/sbin/jk_lsh"
+jk_cp -v -j "/home/publicaccess" "/usr/local/bin/review_message.sh"
+
+
+# Create necessary directories within the jail
+mkdir -p "$USER_HOME/.ssh"
+CLEAN_PUBKEY=$(python3 -c "import urllib.parse; print(urllib.parse.unquote_plus('$PUBKEY'))")
+
+echo "$CLEAN_PUBKEY" > "$USER_HOME/.ssh/authorized_keys"
+chmod 700 "$USER_HOME/.ssh"
+chmod 600 "$USER_HOME/.ssh/authorized_keys"
+mkdir -p "$USER_HOME/tmp" # Create a /tmp directory
+chmod 777 "$USER_HOME/tmp" # Set permissions for /tmp
+
+# Create a restricted .bash_profile
+cat > "$RESTRICTED_PROFILE" <<EOL
+# Restricted .bash_profile for $USERNAME
+
+
+# Prevent the user from changing the PATH
+readonly PATH
+HOME="$HOME"
+
+
+# Additional restrictions (optional, but recommended)
+# Disallow variable assignment
+ set -o nounset
+
+# Disallow redirection (including <<, >, >>)
+ set -o no_redirection
+
+# You can add aliases for allowed commands here
+
+stty erase ^H
+
+# Prompts
+PS1='(KILLSWITCH PUBLIC UNIX)$ '
+
+#unset -f type
+#unset -f hash
+echo -e "`cat /usr/local/bin/motd.txt`"
+
+EOL
+
+# Set permissions (important for security)
+chown -R root:root "$JAIL_DIR"
+chmod -R 755 "$JAIL_DIR"
+chmod 700 "$USER_HOME/.ssh"
+chown "$USERNAME":"$USERNAME" "$USER_HOME"
+chown "$USERNAME":"$USERNAME" "$USER_HOME/.ssh"
+#chmod 644 "$RESTRICTED_PROFILE" # Make .bash_profile readable only by owner
+sudo chown root:root "$RESTRICTED_PROFILE"
+
+# Create default www directory for web access
+WWW_DIR="$USER_HOME/www"
+mkdir -p "$WWW_DIR"
+cat > "$WWW_DIR/index.html" <<EOF
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Welcome to Killswitch</title>
+ <meta charset="UTF-8">
+</head>
+<body>
+ <h1>Hello from ~${USERNAME}</h1>
+ <p>This is your public web directory. Place your files here.</p>
+</body>
+</html>
+EOF
+
+# Set permissions for web access
+sudo chown -R "$USERNAME":"$USERNAME" "$USER_HOME"
+chmod 755 "$WWW_DIR"
+chmod 644 "$WWW_DIR/index.html"
+chown -R "$USERNAME:$USERNAME" "$WWW_DIR"
+sudo /home/ubuntu/setown.sh
+
+
+if id "$USERNAME" >/dev/null 2>&1; then
+ echo "User '$USERNAME' created successfully."
+ exit 0
+else
+ echo "Error: User creation failed." >&2
+ exit 1
+fi
+
+sudo /home/ubuntu/setown.sh
diff --git a/bin/review_message.sh b/bin/review_message.sh
new file mode 100755
index 0000000..97f52a7
--- /dev/null
+++ b/bin/review_message.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+echo "Your account is under review."
+echo "Approval usually takes up to 24 hours."
+echo "If you have questions, contact: blackburnarson@netzero.net"
+exit 1
diff --git a/bin/sync-cgit-repos.sh b/bin/sync-cgit-repos.sh
new file mode 100755
index 0000000..007d2c7
--- /dev/null
+++ b/bin/sync-cgit-repos.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+BASE_HOME="/home/publicaccess/home"
+CGIT_DIR="/srv/git/listed"
+
+mkdir -p "$CGIT_DIR"
+
+for user_dir in "$BASE_HOME"/*; do
+ [ -d "$user_dir/git/listed" ] || continue
+ username=$(basename "$user_dir")
+
+ for repo in "$user_dir/git/listed/"*.git; do
+ [ -d "$repo" ] || continue
+ reponame=$(basename "$repo")
+ mount_point="${CGIT_DIR}/${username}-${reponame}"
+
+ # Create the mount point directory if it doesn't exist
+ mkdir -p "$mount_point"
+
+ # Bind mount the repo to the cgit directory
+ mountpoint -q "$mount_point" || mount --bind "$repo" "$mount_point"
+ done
+done
diff --git a/deleteuser.sh b/deleteuser.sh
new file mode 100755
index 0000000..d4a3841
--- /dev/null
+++ b/deleteuser.sh
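Review bot: `$PUBKEY` is spliced into Python source text at `CLEAN_PUBKEY=$(python3 -c "...unquote_plus('$PUBKEY'))")`, so a value containing a single quote ends the string literal and runs arbitrary Python, and because `www/create_user.c` invokes this script through `sudo` that is code execution as root from a web form. Pass the value through the environment instead: `CLEAN_PUBKEY=$(PUBKEY="$PUBKEY" python3 -c 'import os, urllib.parse; print(urllib.parse.unquote_plus(os.environ["PUBKEY"]))')`. `$USERNAME` is likewise used unvalidated to build `/home/publicaccess/home/$USERNAME`, the `useradd` arguments and the `chown` targets; add `[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "invalid username" >&2; exit 1; }` right after the Jailkit check. Separately, every account receives the same committed password via `echo "$USERNAME:acsg3Gzc0A!" | sudo chpasswd` and is unlocked immediately by `sudo passwd -u`; since login is meant to be key-based, replace both lines with `sudo passwd -l "$USERNAME"` and rotate the leaked value. The comment on `PUBKEY="$2"` still says "password", which is what the CGI calls the field — rename one of them so the contract is clear.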
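Review bot: A login shell that prints a message and exits does not gate SSH access by itself: sshd authenticates the key before this script runs, so an unapproved account can still use the session for port forwarding (`ssh -N -L`/`-R`) or anything else sshd permits without a shell. Enforce the pending state at the key or daemon level, e.g. have `create_user.sh` write the key as `restrict <key>` in `authorized_keys` until `validate.sh` removes the option, or set `AllowTcpForwarding no` and `PermitTunnel no` for the jailed group in sshd_config. Also add a header comment such as `# Installed as the login shell of unapproved accounts via the jail's /etc/passwd; exits non-zero so no session is started` — nothing in the file currently says what it is for.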
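Review bot: `$repo` comes from a directory the user owns, and both `[ -d "$repo" ]` and `mount --bind` follow symlinks, so a user who creates `~/git/listed/x.git` as a symlink to `/etc` or another user's home gets that tree bind-mounted under `/srv/git/listed`, where `setown.sh` grants `www-data` read access; `mount` needs root, which is presumably how this script runs, and that is what makes the symlink dangerous. Reject symlinks and non-repositories before mounting: `[ -d "$repo" ] && [ ! -L "$repo" ] && [ -d "$repo/objects" ] || continue`. Mounts created here are never removed when a repo or user disappears (`deleteuser.sh` does not touch `/srv/git/listed`), so stale bind mounts keep deleted content published; consider unmounting entries in `$CGIT_DIR` whose source no longer exists at the top of the loop.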
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Check if username is provided
+if [ -z "$1" ]; then
+ echo "Usage: $0 <username>"
+ exit 1
+fi
+
+USERNAME="$1"
+JAIL_DIR="/home/publicaccess"
+USER_HOME="$JAIL_DIR/home/$USERNAME"
+PASSWD_FILE="$JAIL_DIR/etc/passwd"
+
+# Check if the user exists on the system
+if ! id "$USERNAME" >/dev/null 2>&1; then
+ echo "User '$USERNAME' does not exist on the host system."
+else
+ echo "Removing user '$USERNAME' from the system..."
+ sudo userdel -r "$USERNAME"
+fi
+
+# Remove user from jail passwd file if present
+if [ -f "$PASSWD_FILE" ]; then
+ sudo sed -i "/^$USERNAME:/d" "$PASSWD_FILE"
+fi
+
+# Delete the user's jailed home directory
+if [ -d "$USER_HOME" ]; then
+ echo "Deleting jailed home directory: $USER_HOME"
+ sudo rm -rf "$USER_HOME"
+fi
+
+# Remove from group file if applicable
+GROUP_FILE="$JAIL_DIR/etc/group"
+if [ -f "$GROUP_FILE" ]; then
+ sudo sed -i "/^$USERNAME:/d" "$GROUP_FILE"
+fi
+
+echo "User '$USERNAME' deleted from system and jail (if present)."
+exit 0
diff --git a/setown.sh b/setown.sh
new file mode 100755
index 0000000..062cc17
--- /dev/null
+++ b/setown.sh
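Review bot: `$USERNAME` is only checked for emptiness, yet it is interpolated into a sed regex (`sed -i "/^$USERNAME:/d"`) and used to form the `rm -rf "$USER_HOME"` target: `deleteuser.sh ..` passes the `-z` test, fails `id`, and then runs `sudo rm -rf /home/publicaccess/home/..`, i.e. it deletes the whole jail, and a name containing `/` or regex metacharacters can remove unrelated entries from the jail's passwd/group files. Add a whitelist before anything destructive, `[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "invalid username" >&2; exit 1; }`, and use a literal match for the passwd/group edits, e.g. `awk -F: -v u="$USERNAME" '$1 != u' "$PASSWD_FILE"` written back through `mktemp` as `create_user.sh` does. Since `useradd -d` in `create_user.sh` points the host account's home at the same jail path, `userdel -r` already removes it; the separate `rm -rf` mainly matters on the "does not exist" path, which is exactly where an unvalidated name is most dangerous.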
@@ -0,0 +1,120 @@
+#!/bin/bash
+
+# Set the base directory
+BASE_DIR="/home/publicaccess/home"
+
+# Iterate over each directory inside /home/publicaccess/home/
+for dir in "$BASE_DIR"/*/; do
+ # Check if it's a directory
+ if [ -d "$dir" ]; then
+ # Extract the directory name (username)
+ cp motd.txt "$dir"/motd.txt
+
+ username=$(basename "$dir")
+ setfacl -m mask::rwx "$dir"
+
+ # Apply chmod 700 to the user's home directory to keep it secure
+ chown "$username:$username" "$dir"/motd.txt
+
+ # Set ownership of the home directory to the user
+ chown "$username:$username" "$dir"
+ # Set permissions so SSH can enter the dir, but no one else can list
+ setfacl -m u:"$username":rwx "$dir"
+ # Block access to this dir from all other users
+ for otherdir in "$BASE_DIR"/*; do
+ otheruser=$(basename "$otherdir")
+ if [ "$otheruser" != "$username" ]; then
+ setfacl -m u:$otheruser:0 "$dir"
+ fi
+
+ done
+
+ # Create or overwrite the .bashrc with environment restrictions
+ cat << 'EOF' > "$dir/.bashrc"
+# Restricted shell environment
+
+# Set and lock important variables
+export PATH="/bin:/usr/bin:/safecommands"
+export HOME="$HOME"
+export SHELL="/bin/bash"
+export TERM="xterm-256color"
+
+readonly PATH
+readonly HOME
+readonly SHELL
+readonly TERM
+
+# Disable export and unset commands
+export() {
+ echo "export: Command not allowed."
+}
+
+unset() {
+ echo "unset: Command not allowed."
+}
+
+# Disable direct use of 'git'
+git() {
+ echo "Direct use of 'git' is disabled. Use the git-init-h tool."
+}
+
+# Set noclobber option to prevent overwriting files
+set -o noclobber
+PS1='(KILLSWITCH PUBLIC ACCESS)$ '
+echo -e "`cat motd.txt`"
+
+# Welcome message
+echo "Welcome UUSER."
+
+EOF
+
+ # Create or overwrite the .bash_profile to source .bashrc
+ cat << 'EOF' > "$dir/.bash_profile"
+# Source the restricted .bashrc if it exists
+if [ -f ~/.bashrc ]; then
+ . 
~/.bashrc
+fi
+
+PS1='(KILLSWITCH PUBLIC UNIX)$ '
+echo -e "`cat motd.txt`"
+EOF
+
+ # Set permissions: .bashrc and .bash_profile readable but NOT writable by user
+ chmod 755 "$dir/.bashrc"
+ chmod 755 "$dir/.bash_profile"
+
+ # Set ownership of .bashrc and .bash_profile to root:root
+ sudo chown root:root "$dir/.bashrc"
+ sudo chown root:root "$dir/.bash_profile"
+
+ # Set the permissions on the user's git directory so it's readable by everyone
+ git_dir="$dir/git"
+ sudo mkdir -p "$git_dir/listed"
+ # Ensure that the git directory exists
+ if [ -d "$git_dir" ]; then
+ # Set the permissions so the git directory is readable by everyone, but only writable by the owner
+ sudo chmod -R 755 "$git_dir"
+ sudo chown -R "$username:$username" "$git_dir"
+ fi
+
+ echo "Configured restricted shell for $username in $dir"
+ fi
+
+ sudo chown -R "$username":"$username" "$dir/.ssh"
+ chmod 701 "$dir"
+ chmod 600 /home/publicaccess/home/"$username"/.ssh/authorized_keys
+ chmod 700 /home/publicaccess/home/"$username"/.ssh
+ setfacl -m g::r-x "$dir"
+
+ setfacl -m mask::r-x "$dir"
+
+done
+setfacl -m g::r-x "/home/publicaccess/home"
+setfacl -m g::r-x "/home/publiccaccess"
+# Set the permissions for the shared git folder
+sudo chown root:root /srv/git/listed
+sudo chmod 755 /srv/git/listed
+sudo setfacl -R -m u:www-data:rx /srv/git/listed
+
+echo "Completed applying permissions, ownership, and restrictions to all directories inside $BASE_DIR."
+
diff --git a/validate.sh b/validate.sh
new file mode 100755
index 0000000..a421a6a
--- /dev/null
+++ b/validate.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+USERNAME="$1"
+JAIL_PASSWD="/home/publicaccess/etc/passwd"
+
+# Change shell back to bash in jail
+awk -F: -v user="$USERNAME" '{
+ if ($1 == user) {
+ $7 = "/bin/bash"
+ }
+ print $0
+}' OFS=":" "$JAIL_PASSWD" > /tmp/passwd.tmp && sudo mv /tmp/passwd.tmp "$JAIL_PASSWD"
+
+# Unlock the user
+usermod -U "$USERNAME"
+echo "User $USERNAME approved and unlocked."
+
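Review bot: The `.bashrc`/`.bash_profile` "restrictions" are not enforceable and should not be described as security: the home directory is handed to the user (`chown "$username:$username" "$dir"`), so the user can rename or delete the root-owned dotfiles and drop in their own, and even without that the `export`/`unset`/`git` shell functions are bypassed with `command git`, `\git`, the absolute path, or `bash --norc`. If `git` is meant to be unavailable, simply do not copy it into the jail (`create_user.sh` copies `gcc`, `g++` and `make`; whether `git` is present in the jail is not visible here) and treat these files as convenience only. Two concrete defects besides that: `setfacl -m g::r-x "/home/publiccaccess"` misspells the jail path (`publiccaccess`), so that call errors and the intended ACL on `/home/publicaccess` is never set, and `cp motd.txt "$dir"/motd.txt` plus the generated `echo -e "`cat motd.txt`"` resolve `motd.txt` against the caller's working directory, so the script only works when run from the directory containing it and the user can edit their own copy. Use `cp "$(dirname "$0")/motd.txt" "$dir"/motd.txt`, reference `/usr/local/bin/motd.txt` in the generated file as `create_user.sh` already does, and quote the loop variable: `setfacl -m u:"$otheruser":0 "$dir"`.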
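Review bot: The rewritten passwd file goes through a fixed, predictable path in a world-writable directory, `> /tmp/passwd.tmp && sudo mv /tmp/passwd.tmp "$JAIL_PASSWD"`, so another local user can pre-create or race that file between the redirect and the `mv`, after which root moves their content into the jail's `/etc/passwd`; `create_user.sh` already uses `mktemp` for the same step, so do the same here: `TEMP_FILE=$(mktemp) && awk ... > "$TEMP_FILE" && sudo mv "$TEMP_FILE" "$JAIL_PASSWD"`. `usermod -U "$USERNAME"` runs without `sudo` while the `mv` uses it, so unless the whole script is run as root the unlock fails after the passwd file has already been replaced. `$USERNAME` is also never checked: an empty argument makes the awk pass a no-op and `usermod -U ""` an error, so add `[ -n "$USERNAME" ] && id "$USERNAME" >/dev/null 2>&1 || { echo "usage: $0 <username>" >&2; exit 1; }` at the top.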
diff --git a/www/create_user.c b/www/create_user.c
new file mode 100644
index 0000000..19768fc
--- /dev/null
+++ b/www/create_user.c
@@ -0,0 +1,106 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define MAX_INPUT 4000
+// Function to parse POST data
+void parse_post(char* data, char* username, char* password) {
+ sscanf(data, "username=%[^&]&password=%s", username, password);
+}
+void mask_password(char *src, char *dest) {
+ size_t len = strlen(src);
+ for (size_t i = 0; i < len; i++) {
+ dest[i] = '*';
+ }
+ dest[len] = '\0';
+}
+
+int main() {
+ printf("Content-type: text/html\n\n");
+printf("<!DOCTYPE html>\n");
+printf("<html>\n");
+printf("<head><style> .description {");
+ printf("text-align: justify; /* Make the text have even left and right edges */");
+
+ printf(" max-width: 700px; /* Example: Limit the width of the paragraph */ }");
+
+printf(" </style>\n");
+printf("<title>KILLSWITCH PUBLIC ACCESS</title>\n");
+printf("<style>\n");
+printf("a { text-decoration: none; }\n");
+printf("a:hover { text-decoration: underline; }\n");
+printf("a:link, a:visited, a:active { color: #999999; }\n");
+printf(".plate {\n");
+printf(" background: linear-gradient(rgba(0,0,0,0.75), rgba(0,0,0,0.2), rgba(0,0,0,0.0)), url(https://computerarson.neocities.org/PvnaJep.png);\n");
+printf(" padding-left: 5px;\n");
+printf(" padding-right: 5px;\n");
+printf(" padding-bottom: 5px;\n");
+printf("}\n");
+printf(".form-td {\n");
+printf(" background-color: #D3D3D3;\n");
+printf(" color: white;\n");
+printf("}\n");
+printf("input {\n");
+printf(" border-color: #800000;\n");
+printf(" border-style: solid;\n");
+printf(" border-width: 1px;\n");
+printf(" font-family: verdana;\n");
+printf(" font-size: 10px;\n");
+printf("}\n");
+printf(".submit-btn {\n");
+printf(" border-color: #800000;\n");
+printf(" border-style: solid;\n");
+printf(" border-width: 1px;\n");
+printf(" color: #800000;\n");
+printf(" font-size: 15px;\n");
+printf("}\n");
+printf("</style>\n");
+printf("</head>\n");
+printf("<body bgcolor=\"black\" topmargin=\"0\" marginheight=\"0\" marginwidth=\"0\" style=\"margin-top: 
0px;\">\n");
+printf("<table cellspacing=\"0\" cellpadding=\"0\" width=\"720\" align=\"center\">\n");
+printf("<tr><td bgcolor=\"black\" valign=\"top\">\n");
+printf("<div style=\"margin-top: 8px; margin-left: 15px; margin-right: 5px;\" align=\"right\" class=\"welcome\">\n");
+printf("<b></b> <br><br>\n");
+printf("</div>\n");
+printf("</td></tr>\n");
+printf("<tr style=\"border: 1px solid #800000;\"><td class=\"plate\" style=\"border: 1px solid #800000;\" valign=\"top\">\n");
+printf("<div align=\"center\">\n");
+printf("<table cellspacing=\"2\" cellpadding=\"10\" border=\"0\" width=\"97%%\">\n");
+printf("<tr><td valign=\"top\">\n");
+printf("<font face=\"verdana\" size=\"3\" color=\"#999999\" margin=\"1\">\n");
+printf("KILLSWITCH PUBLIC ACCESS SYSTEM <br><br>\n");
+printf("</font>\n");
+printf("<font face=\"verdana\" size=\"2\" color=\"#999999\" margin=\"1\">\n");
+printf("</font> <br>\n <font face=\"verdana\" size=\"3\" color=\"#999999\" margin=\"1\">");
+
+ char *content_length = getenv("CONTENT_LENGTH");
+ int len = content_length ? atoi(content_length) : 0;
+
+ char post_data[MAX_INPUT] = {0};
+ fread(post_data, 1, len, stdin);
+ char username[64] = {0}, password[3000] = {0};
+ parse_post(post_data, username, password);
+
+
+ if (strlen(username) == 0 || strlen(password) == 0) {
+ printf("<p>Invalid username or password.</p>");
+
+ return 1;
+ }
+
+ // Call external shell script to create jailed user
+ char cmd[MAX_INPUT];
+ snprintf(cmd, sizeof(cmd), "sudo /usr/local/bin/create_user.sh '%s' '%s' > /tmp/create_user_log.txt 2>&1", username, password);
+ int result = system(cmd);
+ if (WIFEXITED(result) && WEXITSTATUS(result) == 0) {
+ char masked[64];
+ mask_password(password, masked);
+ printf("<h1>Account Created Successfully</h1>\n");
+ printf("<p><b>Username:</b> %s</p>\n", username);
+ printf("<p class=\"description\"><b>Password:</b> %s</p>\n", masked);
+ } else {
+ printf("<h1>Failure</h1><p>Could not create user. 
Exit code: %d</p>", WEXITSTATUS(result));
+ }
+
+ return 0;
+} |
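Review bot: The form fields reach a root shell unescaped — `snprintf(cmd, ..., "sudo /usr/local/bin/create_user.sh '%s' '%s' ...")` followed by `system(cmd)` lets a username or password containing `'` close the quoting and run arbitrary commands as root, so this is a remote root command injection from an unauthenticated CGI. Before that point, `parse_post` calls `sscanf` with unbounded `%[^&]` and `%s` into `username[64]` and `password[3000]` while `post_data` holds up to 4000 bytes, `fread(post_data, 1, len, stdin)` trusts `CONTENT_LENGTH` with no upper bound, and `mask_password` copies up to 3000 bytes into `masked[64]` — three stack overflows reachable from the network. The rewrite below bounds the read, adds width specifiers, restricts the username to a conservative account-name alphabet before it leaves the process, sizes `masked` from `password`, and replaces `system()` with `fork`/`execl` so neither field is ever parsed by a shell; it needs `<unistd.h>`, `<sys/wait.h>` and `<ctype.h>` added to the includes (the file already uses `WIFEXITED`, which only resolves via `<stdlib.h>` on glibc). The "password" field is in fact the SSH public key that `create_user.sh` writes to `authorized_keys`, so the label, the `mask_password` output and the `/tmp/create_user_log.txt` path (a fixed name in a world-writable directory that will also contain the submitted key) all deserve a second look.

```c
    /* … unchanged: HTML preamble … */
    char *content_length = getenv("CONTENT_LENGTH");
    long len = content_length ? strtol(content_length, NULL, 10) : 0;
    if (len <= 0 || len >= MAX_INPUT) {            /* never read more than the buffer holds */
        printf("<p>Invalid request.</p>");
        return 1;
    }
    char post_data[MAX_INPUT] = {0};
    size_t got = fread(post_data, 1, (size_t)len, stdin);
    post_data[got] = '\0';

    char username[64] = {0}, password[3000] = {0};
    /* widths leave room for the terminator; both fields must be present and non-empty */
    if (sscanf(post_data, "username=%63[^&]&password=%2999s", username, password) != 2
        || username[0] == '\0' || password[0] == '\0') {
        printf("<p>Invalid username or password.</p>");
        return 1;
    }
    /* account name: [a-z_][a-z0-9_-]* — rejects quotes, '/', '..' and leading '-' before useradd sees it */
    if (!(islower((unsigned char)username[0]) || username[0] == '_')) {
        printf("<p>Invalid username.</p>");
        return 1;
    }
    for (const char *p = username + 1; *p; p++) {
        if (!islower((unsigned char)*p) && !isdigit((unsigned char)*p) && *p != '_' && *p != '-') {
            printf("<p>Invalid username.</p>");
            return 1;
        }
    }

    /* run the helper directly: argv is passed verbatim, no shell re-parses it */
    int status = -1;
    pid_t pid = fork();
    if (pid == 0) {
        freopen("/tmp/create_user_log.txt", "a", stdout);
        freopen("/tmp/create_user_log.txt", "a", stderr);
        execl("/usr/bin/sudo", "sudo", "/usr/local/bin/create_user.sh", username, password, (char *)NULL);
        _exit(127);
    } else if (pid > 0) {
        waitpid(pid, &status, 0);
    }
    if (pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) {
        char masked[sizeof password];              /* was 64: password may be up to 2999 bytes */
        mask_password(password, masked);
        /* … unchanged: success HTML … */
    } else {
        printf("<h1>Failure</h1><p>Could not create user. Exit code: %d</p>",
               pid > 0 && WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    }
```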