From dd55f98281c1c0c28a5f8df3c87031bc84dd450d Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Thu, 26 Jun 2025 00:23:53 +0000 Subject: custom scripts used to manage the public access system --- bin/create_user.sh | 207 +++++++++++++++++++++++++++++++++++++++++++++++++ bin/review_message.sh | 5 ++ bin/sync-cgit-repos.sh | 23 ++++++ deleteuser.sh | 40 ++++++++++ setown.sh | 120 ++++++++++++++++++++++++++++ validate.sh | 16 ++++ www/create_user.c | 106 +++++++++++++++++++++++++ 7 files changed, 517 insertions(+) create mode 100755 bin/create_user.sh create mode 100755 bin/review_message.sh create mode 100755 bin/sync-cgit-repos.sh create mode 100755 deleteuser.sh create mode 100755 setown.sh create mode 100755 validate.sh create mode 100644 www/create_user.c diff --git a/bin/create_user.sh b/bin/create_user.sh new file mode 100755 index 0000000..9685a3d --- /dev/null +++ b/bin/create_user.sh 
@@ -0,0 +1,207 @@ +#!/bin/bash +# Script to create a jailed user with restricted access + +# Variables +USERNAME="$1" # Set the username from the first argument +PUBKEY="$2" # Set the password from the second argument +JAIL_DIR="/home/publicaccess" # Set the base jail directory +BASH_PATH="/usr/sbin/jk_chrootsh" # Path to the bash shell +USER_HOME="$JAIL_DIR/home/$USERNAME" # The user's home directory inside the jail +RESTRICTED_PROFILE="$USER_HOME/.bash_profile" # Path to restricted profile + +# Check if Jailkit is installed +if ! command -v jk_init >/dev/null 2>&1; then + echo "Error: Jailkit is not installed. Please install Jailkit before running this script." + echo "On Debian/Ubuntu systems, you can use: apt-get install jailkit" + echo "On Red Hat/CentOS/Fedora systems, you might use: yum install jailkit" + exit 1 +fi + +# Create the jail directory + +# Check if the user already exists +if id "$USERNAME" >/dev/null 2>&1; then + echo "User '$USERNAME' already exists. Exiting." + exit 1; +fi +# Create the user +sudo useradd -d "/home/publicaccess/home/$USERNAME" -m "$USERNAME" -s /bin/bash +# Set a password for the user +echo "$USERNAME:acsg3Gzc0A!" | sudo chpasswd +sudo passwd -u "$USERNAME" + +# Jailkit configuration +echo "Creating the jail for $USERNAME..." 
+sudo jk_jailuser -j /home/publicaccess "$USERNAME" +# change line PASSWD +PASSWD_FILE="/home/publicaccess/etc/passwd" + +# Make sure the username is passed in +TEMP_FILE=$(mktemp) + +# Edit the passwd file +awk -F: -v user="$USERNAME" '{ + if ($1 == user) { + $7 = "/usr/local/bin/review_message.sh" + } + print $0 +}' OFS=":" "$PASSWD_FILE" > "$TEMP_FILE" + +# Replace original file +sudo mv "$TEMP_FILE" "$PASSWD_FILE" +echo "Updated shell for $USERNAME to /bin/bash" +echo "PS1='(KILLSWITCH PUBLIC UNIX)$ '" >> "/home/publicaccess/home/$USERNAME/.bashrc" +echo 'echo -e "`cat /usr/local/bin/motd.txt`"' >> "/home/publicaccess/home/$USERNAME/.bashrc" + +# Function to copy a file and create necessary directorie + +# # Function to copy libraries for a given binary - Removed +# copy_libs() { +# local BINARY="$1" +# local LIBS_ARRAY +# LIBS_ARRAY=($(ldd "$BINARY" | awk '/=>/ {print $3}') ) +# +# for LIB in "${LIBS_ARRAY[@]}"; do +# if [ -n "$LIB" ] && [ -e "$LIB" ]; then # Check if the library exists +# JAIL_LIB_PATH="${JAIL_DIR}${LIB#\/}" +# copy_with_dirs "$LIB" "$JAIL_LIB_PATH" +# elif [ -n "$LIB" ]; then +# echo "Warning: Library $LIB not found, but is required by $BINARY" +# fi +# done +# } + +# # Copy essential commands and their libraries - Removed +# declare -a ESSENTIAL_BINS +# # Check for existence in /bin and /usr/bin, use the correct path +# if [ -e "/bin/ls" ]; then +# ESSENTIAL_BINS+=("/bin/ls") +# else +# ESSENTIAL_BINS+=("/usr/bin/ls") +# fi +# if [ -e "/bin/pwd" ]; then +# ESSENTIAL_BINS+=("/bin/pwd") +# else +# ESSENTIAL_BINS+=("/usr/bin/pwd") +# fi +# if [ -e "/bin/cat" ]; then +# ESSENTIAL_BINS+=("/bin/cat") +# else +# ESSENTIAL_BINS+=("/usr/bin/cat") +# fi +# if [ -e "/bin/echo" ]; then +# ESSENTIAL_BINS+=("/bin/echo") +# else +# ESSENTIAL_BINS+=("/usr/bin/echo") +# fi +# if [ -e "/bin/mkdir" ]; then +# ESSENTIAL_BINS+=("/bin/mkdir") +# else +# ESSENTIAL_BINS+=("/usr/bin/mkdir") +# fi +# if [ -e "/bin/cd" ]; then +# ESSENTIAL_BINS+=("/bin/cd") +# else 
+# ESSENTIAL_BINS+=("/usr/bin/cd") +# fi +# ESSENTIAL_BINS+=("/usr/bin/passwd") # /usr/bin/passwd is standard +# if [ -e "/bin/bash" ]; then +# ESSENTIAL_BINS+=("/bin/bash") +# else +# ESSENTIAL_BINS+=("/usr/bin/bash") +# fi +# +# for BIN in "${ESSENTIAL_BINS[@]}"; do +# jk_cp -v -j "$JAIL_DIR" "$BIN" +# copy_libs "$BIN" +# done +jk_cp -v -j "/home/publicaccess" "/usr/bin/gcc" +jk_cp -v -j "/home/publicaccess" "/usr/bin/g++" +jk_cp -v -j "/home/publicaccess" "/usr/bin/make" +jk_cp -v -j "/home/publicaccess" "/usr/sbin/jk_lsh" +jk_cp -v -j "/home/publicaccess" "/usr/local/bin/review_message.sh" + + +# Create necessary directories within the jail +mkdir -p "$USER_HOME/.ssh" +CLEAN_PUBKEY=$(python3 -c "import urllib.parse; print(urllib.parse.unquote_plus('$PUBKEY'))") + +echo "$CLEAN_PUBKEY" > "$USER_HOME/.ssh/authorized_keys" +chmod 700 "$USER_HOME/.ssh" +chmod 600 "$USER_HOME/.ssh/authorized_keys" +mkdir -p "$USER_HOME/tmp" # Create a /tmp directory +chmod 777 "$USER_HOME/tmp" # Set permissions for /tmp + +# Create a restricted .bash_profile +cat > "$RESTRICTED_PROFILE" <, >>) + set -o no_redirection + +# You can add aliases for allowed commands here + +stty erase ^H + +# Prompts +PS1='(KILLSWITCH PUBLIC UNIX)$ ' + +#unset -f type +#unset -f hash +echo -e "`cat /usr/local/bin/motd.txt`" + +EOL + +# Set permissions (important for security) +chown -R root:root "$JAIL_DIR" +chmod -R 755 "$JAIL_DIR" +chmod 700 "$USER_HOME/.ssh" +chown "$USERNAME":"$USERNAME" "$USER_HOME" +chown "$USERNAME":"$USERNAME" "$USER_HOME/.ssh" +#chmod 644 "$RESTRICTED_PROFILE" # Make .bash_profile readable only by owner +sudo chown root:root "$RESTRICTED_PROFILE" + +# Create default www directory for web access +WWW_DIR="$USER_HOME/www" +mkdir -p "$WWW_DIR" +cat > "$WWW_DIR/index.html" < + + + Welcome to Killswitch + + + +

Hello from ~${USERNAME}

+

This is your public web directory. Place your files here.

+
+
+EOF
+
+# Set permissions for web access
+sudo chown -R "$USERNAME":"$USERNAME" "$USER_HOME"
+chmod 755 "$WWW_DIR"
+chmod 644 "$WWW_DIR/index.html"
+chown -R "$USERNAME:$USERNAME" "$WWW_DIR"
+sudo /home/ubuntu/setown.sh
+
+
+if id "$USERNAME" >/dev/null 2>&1; then
+ echo "User '$USERNAME' created successfully."
+ exit 0
+else
+ echo "Error: User creation failed." >&2
+ exit 1
+fi
+
+sudo /home/ubuntu/setown.sh
diff --git a/bin/review_message.sh b/bin/review_message.sh
new file mode 100755
index 0000000..97f52a7
--- /dev/null
+++ b/bin/review_message.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+echo "Your account is under review."
+echo "Approval usually takes up to 24 hours."
+echo "If you have questions, contact: blackburnarson@netzero.net"
+exit 1
diff --git a/bin/sync-cgit-repos.sh b/bin/sync-cgit-repos.sh
new file mode 100755
index 0000000..007d2c7
--- /dev/null
+++ b/bin/sync-cgit-repos.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+BASE_HOME="/home/publicaccess/home"
+CGIT_DIR="/srv/git/listed"
+
+mkdir -p "$CGIT_DIR"
+
+for user_dir in "$BASE_HOME"/*; do
+ [ -d "$user_dir/git/listed" ] || continue
+ username=$(basename "$user_dir")
+
+ for repo in "$user_dir/git/listed/"*.git; do
+ [ -d "$repo" ] || continue
+ reponame=$(basename "$repo")
+ mount_point="${CGIT_DIR}/${username}-${reponame}"
+
+ # Create the mount point directory if it doesn't exist
+ mkdir -p "$mount_point"
+
+ # Bind mount the repo to the cgit directory
+ mountpoint -q "$mount_point" || mount --bind "$repo" "$mount_point"
+ done
+done
diff --git a/deleteuser.sh b/deleteuser.sh
new file mode 100755
index 0000000..d4a3841
--- /dev/null
+++ b/deleteuser.sh
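Review bot: `CLEAN_PUBKEY=$(python3 -c "… unquote_plus('$PUBKEY')")` splices the second argument — which www/create_user.c fills from the POST `password` field — into Python source text, so any quote character in it changes the program that runs; pass it as an argument instead: `CLEAN_PUBKEY=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.unquote_plus(sys.argv[1]))' "$PUBKEY")`. `$USERNAME` is likewise never validated before it reaches useradd, the awk rewrite and every path under $JAIL_DIR; a shape check near the top such as `[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || exit 1` would also cover the assumptions the other scripts make about it. The account is given a fixed literal password via chpasswd and immediately unlocked with `sudo passwd -u`, while validate.sh later calls `usermod -U` as the approval step; if approval is meant to gate login, this should be `sudo passwd -l "$USERNAME"` and the shared literal should go. `chown -R root:root "$JAIL_DIR"` and `chmod -R 755 "$JAIL_DIR"` rewrite ownership and modes of every existing user's home on each run and are only partly repaired by the later setown.sh call; scoping both to `$USER_HOME` avoids that. The jail passwd is replaced by `mv`-ing a mktemp file, which carries mktemp's 0600 mode onto the jail's /etc/passwd; presumably it has to stay readable inside the jail, so a `sudo chmod 644 "$PASSWD_FILE"` after the mv is needed.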
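Review bot: `[ -d "$repo" ] || continue` is also satisfied by a symbolic link to a directory, and `mount --bind` resolves the link, so an entry under a user-owned `git/listed` tree (setown.sh hands that tree to the user) could expose a directory that is not a repository under /srv/git/listed; add `[ ! -L "$repo" ] || continue` and, ideally, check that `realpath "$repo"` stays under `$user_dir/git/listed/`. The mount-point name `${username}-${reponame}` is ambiguous when a username contains `-`, and nothing unmounts entries whose repository has since been removed, so stale mounts accumulate until reboot; a separator usernames cannot contain and an unmount pass for mount points without a backing repository would close both. `mount` needs root, which the script assumes rather than checks.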
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Check if username is provided
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+USERNAME="$1"
+JAIL_DIR="/home/publicaccess"
+USER_HOME="$JAIL_DIR/home/$USERNAME"
+PASSWD_FILE="$JAIL_DIR/etc/passwd"
+
+# Check if the user exists on the system
+if ! id "$USERNAME" >/dev/null 2>&1; then
+ echo "User '$USERNAME' does not exist on the host system."
+else
+ echo "Removing user '$USERNAME' from the system..."
+ sudo userdel -r "$USERNAME"
+fi
+
+# Remove user from jail passwd file if present
+if [ -f "$PASSWD_FILE" ]; then
+ sudo sed -i "/^$USERNAME:/d" "$PASSWD_FILE"
+fi
+
+# Delete the user's jailed home directory
+if [ -d "$USER_HOME" ]; then
+ echo "Deleting jailed home directory: $USER_HOME"
+ sudo rm -rf "$USER_HOME"
+fi
+
+# Remove from group file if applicable
+GROUP_FILE="$JAIL_DIR/etc/group"
+if [ -f "$GROUP_FILE" ]; then
+ sudo sed -i "/^$USERNAME:/d" "$GROUP_FILE"
+fi
+
+echo "User '$USERNAME' deleted from system and jail (if present)."
+exit 0
diff --git a/setown.sh b/setown.sh
new file mode 100755
index 0000000..062cc17
--- /dev/null
+++ b/setown.sh
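Review bot: `$1` is used unvalidated in `sudo rm -rf "$USER_HOME"`, in `userdel -r`, and inside the sed addresses `"/^$USERNAME:/d"`, so a value containing `/`, `..` or regex metacharacters changes what gets deleted; add a shape check right after the usage test, e.g. `[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "invalid username" >&2; exit 1; }`. If bin/sync-cgit-repos.sh has bind-mounted repositories from this home into /srv/git/listed they are presumably still mounted when `rm -rf` runs; unmounting `/srv/git/listed/${USERNAME}-*` first keeps the cgit tree consistent. The closing message reports success even when `userdel`, `sed` or `rm` failed, because no exit status is checked.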
@@ -0,0 +1,120 @@
+#!/bin/bash
+
+# Set the base directory
+BASE_DIR="/home/publicaccess/home"
+
+# Iterate over each directory inside /home/publicaccess/home/
+for dir in "$BASE_DIR"/*/; do
+ # Check if it's a directory
+ if [ -d "$dir" ]; then
+ # Extract the directory name (username)
+ cp motd.txt "$dir"/motd.txt
+
+ username=$(basename "$dir")
+ setfacl -m mask::rwx "$dir"
+
+ # Apply chmod 700 to the user's home directory to keep it secure
+ chown "$username:$username" "$dir"/motd.txt
+
+ # Set ownership of the home directory to the user
+ chown "$username:$username" "$dir"
+ # Set permissions so SSH can enter the dir, but no one else can list
+ setfacl -m u:"$username":rwx "$dir"
+ # Block access to this dir from all other users
+ for otherdir in "$BASE_DIR"/*; do
+ otheruser=$(basename "$otherdir")
+ if [ "$otheruser" != "$username" ]; then
+ setfacl -m u:$otheruser:0 "$dir"
+ fi
+
+ done
+
+ # Create or overwrite the .bashrc with environment restrictions
+ cat << 'EOF' > "$dir/.bashrc"
+# Restricted shell environment
+
+# Set and lock important variables
+export PATH="/bin:/usr/bin:/safecommands"
+export HOME="$HOME"
+export SHELL="/bin/bash"
+export TERM="xterm-256color"
+
+readonly PATH
+readonly HOME
+readonly SHELL
+readonly TERM
+
+# Disable export and unset commands
+export() {
+ echo "export: Command not allowed."
+}
+
+unset() {
+ echo "unset: Command not allowed."
+}
+
+# Disable direct use of 'git'
+git() {
+ echo "Direct use of 'git' is disabled. Use the git-init-h tool."
+}
+
+# Set noclobber option to prevent overwriting files
+set -o noclobber
+PS1='(KILLSWITCH PUBLIC ACCESS)$ '
+echo -e "`cat motd.txt`"
+
+# Welcome message
+echo "Welcome UUSER."
+
+EOF
+
+ # Create or overwrite the .bash_profile to source .bashrc
+ cat << 'EOF' > "$dir/.bash_profile"
+# Source the restricted .bashrc if it exists
+if [ -f ~/.bashrc ]; then
+ . 
~/.bashrc
+fi
+
+PS1='(KILLSWITCH PUBLIC UNIX)$ '
+echo -e "`cat motd.txt`"
+EOF
+
+ # Set permissions: .bashrc and .bash_profile readable but NOT writable by user
+ chmod 755 "$dir/.bashrc"
+ chmod 755 "$dir/.bash_profile"
+
+ # Set ownership of .bashrc and .bash_profile to root:root
+ sudo chown root:root "$dir/.bashrc"
+ sudo chown root:root "$dir/.bash_profile"
+
+ # Set the permissions on the user's git directory so it's readable by everyone
+ git_dir="$dir/git"
+ sudo mkdir -p "$git_dir/listed"
+ # Ensure that the git directory exists
+ if [ -d "$git_dir" ]; then
+ # Set the permissions so the git directory is readable by everyone, but only writable by the owner
+ sudo chmod -R 755 "$git_dir"
+ sudo chown -R "$username:$username" "$git_dir"
+ fi
+
+ echo "Configured restricted shell for $username in $dir"
+ fi
+
+ sudo chown -R "$username":"$username" "$dir/.ssh"
+ chmod 701 "$dir"
+ chmod 600 /home/publicaccess/home/"$username"/.ssh/authorized_keys
+ chmod 700 /home/publicaccess/home/"$username"/.ssh
+ setfacl -m g::r-x "$dir"
+
+ setfacl -m mask::r-x "$dir"
+
+done
+setfacl -m g::r-x "/home/publicaccess/home"
+setfacl -m g::r-x "/home/publiccaccess"
+# Set the permissions for the shared git folder
+sudo chown root:root /srv/git/listed
+sudo chmod 755 /srv/git/listed
+sudo setfacl -R -m u:www-data:rx /srv/git/listed
+
+echo "Completed applying permissions, ownership, and restrictions to all directories inside $BASE_DIR."
+
diff --git a/validate.sh b/validate.sh
new file mode 100755
index 0000000..a421a6a
--- /dev/null
+++ b/validate.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+USERNAME="$1"
+JAIL_PASSWD="/home/publicaccess/etc/passwd"
+
+# Change shell back to bash in jail
+awk -F: -v user="$USERNAME" '{
+ if ($1 == user) {
+ $7 = "/bin/bash"
+ }
+ print $0
+}' OFS=":" "$JAIL_PASSWD" > /tmp/passwd.tmp && sudo mv /tmp/passwd.tmp "$JAIL_PASSWD"
+
+# Unlock the user
+usermod -U "$USERNAME"
+echo "User $USERNAME approved and unlocked."
+
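Review bot: `setfacl -m g::r-x "/home/publiccaccess"` has a typo (double `c`) in the path, so that ACL is applied to a non-existent directory instead of the jail root `/home/publicaccess` that every other line uses. The comment `# Set permissions: .bashrc and .bash_profile readable but NOT writable by user` overstates what `chmod 755` plus `chown root:root` achieves: the user owns `$dir`, so entries in it can still be renamed or replaced, and the dotfile restrictions (`readonly PATH`, the `export`/`unset`/`git` function overrides) are convenience guards rather than a security boundary — the enforced limits are what jk_cp copies into the jail and the filesystem permissions, which the comment should say. `setfacl -m u:$otheruser:0 "$dir"` leaves `$otheruser` unquoted, unlike the neighbouring invocations; quote it. Both generated dotfiles run `echo -e "\`cat motd.txt\`"` against a relative path, so they only work when the login shell starts in the home directory; `cat "$HOME/motd.txt"` is explicit, and the same applies to `cp motd.txt "$dir"/motd.txt`, which reads from whatever directory the script is invoked in.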
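Review bot: `usermod -U "$USERNAME"` runs without `sudo` while the preceding `sudo mv` needs it, so when an unprivileged operator runs the script the unlock fails yet the last line still prints `approved and unlocked`; make it `sudo usermod -U "$USERNAME" || exit 1`. The rewritten passwd goes through the fixed path `/tmp/passwd.tmp`, which any local user could pre-create, and the `mv` carries the creating user's ownership and umask onto the jail's `/etc/passwd`; use `mktemp` and `sudo install -m 644 -o root -g root "$tmp" "$JAIL_PASSWD"` instead of the mv. `$USERNAME` is neither checked for emptiness nor validated before it is used as the awk match and handed to usermod, so an empty argument rewrites nothing and unlocks nothing while still reporting success.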
diff --git a/www/create_user.c b/www/create_user.c new file mode 100644 index 0000000..19768fc --- /dev/null +++ b/www/create_user.c @@ -0,0 +1,106 @@ +#include +#include +#include + +#define MAX_INPUT 4000 +// Function to parse POST data +void parse_post(char* data, char* username, char* password) { + sscanf(data, "username=%[^&]&password=%s", username, password); +} +void mask_password(char *src, char *dest) { + size_t len = strlen(src); + for (size_t i = 0; i < len; i++) { + dest[i] = '*'; + } + dest[len] = '\0'; +} + +int main() { + printf("Content-type: text/html\n\n"); +printf("\n"); +printf("\n"); +printf("\n"); +printf("KILLSWITCH PUBLIC ACCESS\n"); +printf("\n"); +printf("\n"); +printf("\n"); +printf("\n"); +printf("\n"); +printf("
\n"); +printf("
\n"); +printf("   

\n"); +printf("
\n"); +printf("
\n"); +printf("
\n"); +printf("\n"); +printf("
\n"); +printf("\n"); +printf("KILLSWITCH PUBLIC ACCESS SYSTEM

\n"); +printf("
\n"); +printf("\n"); +printf("
\n "); + + char *content_length = getenv("CONTENT_LENGTH"); + int len = content_length ? atoi(content_length) : 0; + + char post_data[MAX_INPUT] = {0}; + fread(post_data, 1, len, stdin); + char username[64] = {0}, password[3000] = {0}; + parse_post(post_data, username, password); + + + if (strlen(username) == 0 || strlen(password) == 0) { + printf("

Invalid username or password.

"); + + return 1; + } + + // Call external shell script to create jailed user + char cmd[MAX_INPUT]; + snprintf(cmd, sizeof(cmd), "sudo /usr/local/bin/create_user.sh '%s' '%s' > /tmp/create_user_log.txt 2>&1", username, password); + int result = system(cmd); + if (WIFEXITED(result) && WEXITSTATUS(result) == 0) { + char masked[64]; + mask_password(password, masked); + printf("

Account Created Successfully

\n"); + printf("

Username: %s

\n", username); + printf("

Password: %s

\n", masked); + } else { + printf("

Failure

Could not create user. Exit code: %d

", WEXITSTATUS(result)); + } + + return 0; +} -- cgit v1.2.3