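#!/bin/bash
# Script to create a jailed user with restricted access.
#
# Usage: <this script> USERNAME PUBKEY
#   USERNAME  login name of the account to create; it is also used as a
#             path component under the jail, so it is validated below
#   PUBKEY    the user's SSH public key, URL-encoded (decoded with
#             urllib.parse.unquote_plus before it is written to authorized_keys)
#
# Nearly every step writes into /home/publicaccess and chowns to root, so the
# script effectively has to run as root. Some commands carry a sudo prefix and
# some do not; that inconsistency is kept as in the original.

# Print usage to stderr and stop.
usage() {
  printf 'Usage: %s USERNAME PUBKEY\n' "${0##*/}" >&2
  exit 1
}

# Variables
USERNAME="$1"  # Set the username from the first argument
PUBKEY="$2"    # Set the URL-encoded SSH public key from the second argument
JAIL_DIR="/home/publicaccess"  # Set the base jail directory
USER_HOME="$JAIL_DIR/home/$USERNAME"  # The user's home directory inside the jail
RESTRICTED_PROFILE="$USER_HOME/.bash_profile"  # Path to restricted profile
JAIL_SHELL="/usr/local/bin/review_message.sh"  # Shell recorded in the jail's passwd file
# Initial account password. Can be overridden through the environment; the
# default is the value this script has always set.
# NOTE(review): one static password shared by every jailed account is a weak
# credential; SSH key login is configured below, so consider leaving the
# password locked instead.
JAIL_PASSWORD="${JAIL_PASSWORD:-acsg3Gzc0A!}"

# Both arguments are required. With an empty USERNAME, USER_HOME would become
# the shared /home/publicaccess/home directory and the chmod/chown steps below
# would act on it.
[[ -n "$USERNAME" && -n "$PUBKEY" ]] || usage
# USERNAME is spliced into filesystem paths, so restrict it to a conservative
# login-name charset (no '/', no leading '-', no '..') before touching the disk.
# useradd may still reject names this pattern accepts.
if [[ ! "$USERNAME" =~ ^[A-Za-z_][A-Za-z0-9_-]*$ ]]; then
  echo "Error: invalid username '$USERNAME'" >&2
  exit 1
fi

# Check if Jailkit is installed
if ! command -v jk_init >/dev/null 2>&1; then
  echo "Error: Jailkit is not installed. Please install Jailkit before running this script."
  echo "On Debian/Ubuntu systems, you can use: apt-get install jailkit"
  echo "On Red Hat/CentOS/Fedora systems, you might use: yum install jailkit"
  exit 1
fi

# Check if the user already exists
if id "$USERNAME" >/dev/null 2>&1; then
  echo "User '$USERNAME' already exists. Exiting."
  exit 1
fi

# Create the user with its home directory inside the jail
sudo useradd -d "$USER_HOME" -m "$USERNAME" -s /bin/bash

# Set a password for the user and make sure the account is unlocked
printf '%s:%s\n' "$USERNAME" "$JAIL_PASSWORD" | sudo chpasswd
sudo passwd -u "$USERNAME"

# Jailkit configuration
echo "Creating the jail for $USERNAME..."
sudo jk_jailuser -j "$JAIL_DIR" "$USERNAME"

# Point the jailed account at the review shell by rewriting the 7th field of
# the jail's own passwd copy. The edit goes to a temp file first so the passwd
# copy is only replaced once the rewrite has succeeded.
PASSWD_FILE="$JAIL_DIR/etc/passwd"
TEMP_FILE=$(mktemp) || { echo "Error: mktemp failed" >&2; exit 1; }
# Username and shell are handed to awk with -v, never interpolated into the
# awk program text.
if ! awk -F: -v user="$USERNAME" -v shell="$JAIL_SHELL" \
    '{ if ($1 == user) { $7 = shell } print $0 }' OFS=":" "$PASSWD_FILE" > "$TEMP_FILE"; then
  rm -f -- "$TEMP_FILE"
  echo "Error: could not rewrite $PASSWD_FILE" >&2
  exit 1
fi
# mktemp creates the file 0600; a passwd file has to be world-readable.
chmod 644 "$TEMP_FILE"
# Replace original file
sudo mv "$TEMP_FILE" "$PASSWD_FILE"
echo "Updated shell for $USERNAME to $JAIL_SHELL"

# Prompt and message-of-the-day for interactive bash sessions
BASHRC="$USER_HOME/.bashrc"
echo "PS1='(KILLSWITCH PUBLIC UNIX)$ '" >> "$BASHRC"
echo 'echo -e "`cat /usr/local/bin/motd.txt`"' >> "$BASHRC"

# An earlier copy_libs/ESSENTIAL_BINS block that copied ls/pwd/cat/echo/mkdir/
# cd/passwd/bash plus their ldd-listed libraries into the jail was removed by
# the author; only the tools below are copied now.
# NOTE(review): a C/C++ toolchain inside a public jail considerably widens
# what an untrusted user can build and run there; keep this jail on a
# dedicated, fully patched host and treat its contents as hostile.
for bin in /usr/bin/gcc /usr/bin/g++ /usr/bin/make /usr/sbin/jk_lsh "$JAIL_SHELL"; do
  jk_cp -v -j "$JAIL_DIR" "$bin"
done

# SSH access: decode the URL-encoded key and install it as authorized_keys.
# The key is passed to python as argv[1], never spliced into the program text,
# so quotes or other characters in the argument cannot alter what runs.
mkdir -p "$USER_HOME/.ssh"
CLEAN_PUBKEY=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.unquote_plus(sys.argv[1]))' "$PUBKEY")
if [[ -z "$CLEAN_PUBKEY" ]]; then
  echo "Warning: decoded public key is empty; authorized_keys for $USERNAME will be empty" >&2
fi
printf '%s\n' "$CLEAN_PUBKEY" > "$USER_HOME/.ssh/authorized_keys"
chmod 700 "$USER_HOME/.ssh"
chmod 600 "$USER_HOME/.ssh/authorized_keys"
mkdir -p "$USER_HOME/tmp"   # Create a /tmp directory
chmod 777 "$USER_HOME/tmp"  # Set permissions for /tmp
# NOTE(review): the recursive `chmod -R 755` further down resets this
# directory to 755, so 777 is not the mode it ends up with — confirm which
# mode is intended.

# Create a restricted .bash_profile. The delimiter is quoted so the profile
# receives the literal `cat` command (as the .bashrc lines above do) instead
# of the motd contents expanded at creation time.
# NOTE(review): bash has no `no_redirection` set option that I know of; when
# this profile is sourced bash will report an invalid option name — confirm
# what was intended (e.g. a restricted shell, `-r`).
cat > "$RESTRICTED_PROFILE" <<'EOL'
# Disable redirection (<, >>)
set -o no_redirection
# You can add aliases for allowed commands here
stty erase ^H
# Prompts
PS1='(KILLSWITCH PUBLIC UNIX)$ '
#unset -f type
#unset -f hash
echo -e "`cat /usr/local/bin/motd.txt`"
EOL

# Set permissions (important for security)
chown -R root:root "$JAIL_DIR"
chmod -R 755 "$JAIL_DIR"
chmod 700 "$USER_HOME/.ssh"
chown "$USERNAME":"$USERNAME" "$USER_HOME"
chown "$USERNAME":"$USERNAME" "$USER_HOME/.ssh"

# Create default www directory for web access
# NOTE(review): only the text of this placeholder page is visible in the
# version this was taken from; any surrounding HTML markup is not reproduced.
WWW_DIR="$USER_HOME/www"
mkdir -p "$WWW_DIR"
cat > "$WWW_DIR/index.html" <<EOF
Welcome to Killswitch

Hello from ~${USERNAME}

This is your public web directory. Place your files here.

EOF

# Set permissions for web access
sudo chown -R "$USERNAME":"$USERNAME" "$USER_HOME"
chmod 755 "$WWW_DIR"
chmod 644 "$WWW_DIR/index.html"
chown -R "$USERNAME:$USERNAME" "$WWW_DIR"

# Give the restricted profile to root only now: doing it before the recursive
# chown above (as the original did) handed the file straight back to the user,
# who could then edit it. Readable by the user, writable by root only.
# NOTE(review): the user still owns the enclosing home directory, so this
# alone does not stop the file from being replaced; the effective restriction
# is the jail shell recorded in the jail's passwd file.
sudo chown root:root "$RESTRICTED_PROFILE"
sudo chmod 644 "$RESTRICTED_PROFILE"

sudo /home/ubuntu/setown.sh

# Report the outcome. (The original repeated the setown.sh call after this
# block; it sat after both exit paths and could never run, so it was dropped.)
if id "$USERNAME" >/dev/null 2>&1; then
  echo "User '$USERNAME' created successfully."
  exit 0
else
  echo "Error: User creation failed." >&2
  exit 1
fi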