Diffstat (limited to 'bin/create_user.sh')
-rwxr-xr-xbin/create_user.sh207
1 files changed, 207 insertions, 0 deletions
diff --git a/bin/create_user.sh b/bin/create_user.sh
new file mode 100755
index 0000000..9685a3d
--- /dev/null
+++ b/bin/create_user.sh
@@ -0,0 +1,207 @@
+#!/bin/bash
+# Script to create a jailed user with restricted access
+
+# Variables
+USERNAME="$1" # Set the username from the first argument
+PUBKEY="$2" # Set the password from the second argument
+JAIL_DIR="/home/publicaccess" # Set the base jail directory
+BASH_PATH="/usr/sbin/jk_chrootsh" # Path to the bash shell
+USER_HOME="$JAIL_DIR/home/$USERNAME" # The user's home directory inside the jail
+RESTRICTED_PROFILE="$USER_HOME/.bash_profile" # Path to restricted profile
+
+# Check if Jailkit is installed
+if ! command -v jk_init >/dev/null 2>&1; then
+ echo "Error: Jailkit is not installed. Please install Jailkit before running this script."
+ echo "On Debian/Ubuntu systems, you can use: apt-get install jailkit"
+ echo "On Red Hat/CentOS/Fedora systems, you might use: yum install jailkit"
+ exit 1
+fi
+
+# Create the jail directory
+
+# Check if the user already exists
+if id "$USERNAME" >/dev/null 2>&1; then
+ echo "User '$USERNAME' already exists. Exiting."
+ exit 1;
+fi
+# Create the user
+sudo useradd -d "/home/publicaccess/home/$USERNAME" -m "$USERNAME" -s /bin/bash
+# Set a password for the user
+echo "$USERNAME:acsg3Gzc0A!" | sudo chpasswd
+sudo passwd -u "$USERNAME"
+
+# Jailkit configuration
+echo "Creating the jail for $USERNAME..."
+sudo jk_jailuser -j /home/publicaccess "$USERNAME"
+# change line PASSWD
+PASSWD_FILE="/home/publicaccess/etc/passwd"
+
+# Make sure the username is passed in
+TEMP_FILE=$(mktemp)
+
+# Edit the passwd file
+awk -F: -v user="$USERNAME" '{
+ if ($1 == user) {
+ $7 = "/usr/local/bin/review_message.sh"
+ }
+ print $0
+}' OFS=":" "$PASSWD_FILE" > "$TEMP_FILE"
+
+# Replace original file
+sudo mv "$TEMP_FILE" "$PASSWD_FILE"
+echo "Updated shell for $USERNAME to /bin/bash"
+echo "PS1='(KILLSWITCH PUBLIC UNIX)$ '" >> "/home/publicaccess/home/$USERNAME/.bashrc"
+echo 'echo -e "`cat /usr/local/bin/motd.txt`"' >> "/home/publicaccess/home/$USERNAME/.bashrc"
+
+# Function to copy a file and create necessary directorie
+
+# # Function to copy libraries for a given binary - Removed
+# copy_libs() {
+# local BINARY="$1"
+# local LIBS_ARRAY
+# LIBS_ARRAY=($(ldd "$BINARY" | awk '/=>/ {print $3}') )
+#
+# for LIB in "${LIBS_ARRAY[@]}"; do
+# if [ -n "$LIB" ] && [ -e "$LIB" ]; then # Check if the library exists
+# JAIL_LIB_PATH="${JAIL_DIR}${LIB#\/}"
+# copy_with_dirs "$LIB" "$JAIL_LIB_PATH"
+# elif [ -n "$LIB" ]; then
+# echo "Warning: Library $LIB not found, but is required by $BINARY"
+# fi
+# done
+# }
+
+# # Copy essential commands and their libraries - Removed
+# declare -a ESSENTIAL_BINS
+# # Check for existence in /bin and /usr/bin, use the correct path
+# if [ -e "/bin/ls" ]; then
+# ESSENTIAL_BINS+=("/bin/ls")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/ls")
+# fi
+# if [ -e "/bin/pwd" ]; then
+# ESSENTIAL_BINS+=("/bin/pwd")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/pwd")
+# fi
+# if [ -e "/bin/cat" ]; then
+# ESSENTIAL_BINS+=("/bin/cat")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/cat")
+# fi
+# if [ -e "/bin/echo" ]; then
+# ESSENTIAL_BINS+=("/bin/echo")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/echo")
+# fi
+# if [ -e "/bin/mkdir" ]; then
+# ESSENTIAL_BINS+=("/bin/mkdir")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/mkdir")
+# fi
+# if [ -e "/bin/cd" ]; then
+# ESSENTIAL_BINS+=("/bin/cd")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/cd")
+# fi
+# ESSENTIAL_BINS+=("/usr/bin/passwd") # /usr/bin/passwd is standard
+# if [ -e "/bin/bash" ]; then
+# ESSENTIAL_BINS+=("/bin/bash")
+# else
+# ESSENTIAL_BINS+=("/usr/bin/bash")
+# fi
+#
+# for BIN in "${ESSENTIAL_BINS[@]}"; do
+# jk_cp -v -j "$JAIL_DIR" "$BIN"
+# copy_libs "$BIN"
+# done
+jk_cp -v -j "/home/publicaccess" "/usr/bin/gcc"
+jk_cp -v -j "/home/publicaccess" "/usr/bin/g++"
+jk_cp -v -j "/home/publicaccess" "/usr/bin/make"
+jk_cp -v -j "/home/publicaccess" "/usr/sbin/jk_lsh"
+jk_cp -v -j "/home/publicaccess" "/usr/local/bin/review_message.sh"
+
+
+# Create necessary directories within the jail
+mkdir -p "$USER_HOME/.ssh"
+CLEAN_PUBKEY=$(python3 -c "import urllib.parse; print(urllib.parse.unquote_plus('$PUBKEY'))")
+
+echo "$CLEAN_PUBKEY" > "$USER_HOME/.ssh/authorized_keys"
+chmod 700 "$USER_HOME/.ssh"
+chmod 600 "$USER_HOME/.ssh/authorized_keys"
+mkdir -p "$USER_HOME/tmp" # Create a /tmp directory
+chmod 777 "$USER_HOME/tmp" # Set permissions for /tmp
+
+# Create a restricted .bash_profile
+cat > "$RESTRICTED_PROFILE" <<EOL
+# Restricted .bash_profile for $USERNAME
+
+
+# Prevent the user from changing the PATH
+readonly PATH
+HOME="$HOME"
+
+
+# Additional restrictions (optional, but recommended)
+# Disallow variable assignment
+ set -o nounset
+
+# Disallow redirection (including <<, >, >>)
+ set -o no_redirection
+
+# You can add aliases for allowed commands here
+
+stty erase ^H
+
+# Prompts
+PS1='(KILLSWITCH PUBLIC UNIX)$ '
+
+#unset -f type
+#unset -f hash
+echo -e "`cat /usr/local/bin/motd.txt`"
+
+EOL
+
+# Set permissions (important for security)
+chown -R root:root "$JAIL_DIR"
+chmod -R 755 "$JAIL_DIR"
+chmod 700 "$USER_HOME/.ssh"
+chown "$USERNAME":"$USERNAME" "$USER_HOME"
+chown "$USERNAME":"$USERNAME" "$USER_HOME/.ssh"
+#chmod 644 "$RESTRICTED_PROFILE" # Make .bash_profile readable only by owner
+sudo chown root:root "$RESTRICTED_PROFILE"
+
+# Create default www directory for web access
+WWW_DIR="$USER_HOME/www"
+mkdir -p "$WWW_DIR"
+cat > "$WWW_DIR/index.html" <<EOF
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Welcome to Killswitch</title>
+ <meta charset="UTF-8">
+</head>
+<body>
+ <h1>Hello from ~${USERNAME}</h1>
+ <p>This is your public web directory. Place your files here.</p>
+</body>
+</html>
+EOF
+
+# Set permissions for web access
+sudo chown -R "$USERNAME":"$USERNAME" "$USER_HOME"
+chmod 755 "$WWW_DIR"
+chmod 644 "$WWW_DIR/index.html"
+chown -R "$USERNAME:$USERNAME" "$WWW_DIR"
+sudo /home/ubuntu/setown.sh
+
+
+if id "$USERNAME" >/dev/null 2>&1; then
+ echo "User '$USERNAME' created successfully."
+ exit 0
+else
+ echo "Error: User creation failed." >&2
+ exit 1
+fi
+
+sudo /home/ubuntu/setown.sh
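Review bot: The second argument is spliced into a Python source string on the `CLEAN_PUBKEY=$(python3 -c "... unquote_plus('$PUBKEY')")` line, so any quote character in the supplied key breaks out of the literal and is interpreted as Python; the value should reach the decoder as data, e.g. `CLEAN_PUBKEY=$(printf '%s' "$PUBKEY" | python3 -c 'import sys, urllib.parse; print(urllib.parse.unquote_plus(sys.stdin.read()))')`. The `echo "$USERNAME:acsg3Gzc0A!" | sudo chpasswd` line gives every created account the same fixed password that is also committed to the repository; since login is key-based, lock the account instead (`sudo passwd -l "$USERNAME"`) or read a per-user secret from the environment. `sudo chown root:root "$RESTRICTED_PROFILE"` is undone a few lines later by `sudo chown -R "$USERNAME":"$USERNAME" "$USER_HOME"`, which hands ownership of the restricted profile back to the user; move the root chown after the recursive one. Inside the unquoted `<<EOL` heredoc, `HOME="$HOME"` expands at creation time to the invoking administrator's home rather than the jailed user's, and the comment on `PUBKEY="$2"` still says "password". The trailing `sudo /home/ubuntu/setown.sh` after the `if`/`exit` block is unreachable.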