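#!/bin/bash
# Create a jailed (Jailkit) user with restricted access.
#
# Usage: <script> USERNAME URLENCODED_PUBKEY
#   USERNAME - login name of the account to create (validated below)
#   PUBKEY   - the user's SSH public key, URL-encoded (unquote_plus is applied)
#
# Environment:
#   JAIL_USER_PASSWORD - optional account password. When unset a random one is
#                        generated and never displayed, so the account is
#                        effectively SSH-key-only.
#
# The script mixes sudo and non-sudo steps, so it is expected to run as root
# (or as a user that can already write under the jail); the sudo prefixes are
# kept where the original had them.

# Variables
USERNAME="$1"                                  # Login name from the first argument
PUBKEY="$2"                                    # URL-encoded SSH public key from the second argument
JAIL_DIR="/home/publicaccess"                  # Base jail directory
BASH_PATH="/usr/sbin/jk_chrootsh"              # Jailkit chroot shell (kept for reference; not used below)
USER_HOME="$JAIL_DIR/home/$USERNAME"           # The user's home directory inside the jail
RESTRICTED_PROFILE="$USER_HOME/.bash_profile"  # Path to the restricted profile
PASSWD_FILE="$JAIL_DIR/etc/passwd"             # passwd copy that lives inside the jail
JAIL_SHELL="/usr/local/bin/review_message.sh"  # Login "shell" recorded in the jail's passwd

usage() {
  printf 'Usage: %s USERNAME URLENCODED_PUBKEY\n' "${0##*/}" >&2
  exit 2
}

# Both arguments are required. USERNAME feeds file paths and the passwd edit,
# so restrict it to a conventional login-name charset before using it.
[[ -n "$USERNAME" && -n "$PUBKEY" ]] || usage
name_re='^[a-z_][a-z0-9_-]{0,31}$'
if [[ ! "$USERNAME" =~ $name_re ]]; then
  echo "Error: invalid username '$USERNAME'." >&2
  exit 1
fi

# Check if Jailkit is installed
if ! command -v jk_init >/dev/null 2>&1; then
  echo "Error: Jailkit is not installed. Please install Jailkit before running this script." >&2
  echo "On Debian/Ubuntu systems, you can use: apt-get install jailkit" >&2
  echo "On Red Hat/CentOS/Fedora systems, you might use: yum install jailkit" >&2
  exit 1
fi

# Check if the user already exists
if id "$USERNAME" >/dev/null 2>&1; then
  echo "User '$USERNAME' already exists. Exiting." >&2
  exit 1
fi

# Create the user; everything after this depends on the account existing.
sudo useradd -d "$USER_HOME" -m -s /bin/bash "$USERNAME" || {
  echo "Error: useradd failed for '$USERNAME'." >&2
  exit 1
}

# Set a password for the user. Never hard-code a shared credential here:
# use the operator-supplied value or a random one that is not printed.
PASSWORD="${JAIL_USER_PASSWORD:-$(head -c 24 /dev/urandom | base64 | tr -d '\n')}"
printf '%s:%s\n' "$USERNAME" "$PASSWORD" | sudo chpasswd
unset PASSWORD
sudo passwd -u "$USERNAME"

# Jailkit configuration. If the jail is not built, the passwd edit below
# would overwrite a file that does not exist yet, so stop here on failure.
echo "Creating the jail for $USERNAME..."
sudo jk_jailuser -j "$JAIL_DIR" "$USERNAME" || {
  echo "Error: jk_jailuser failed for '$USERNAME'." >&2
  exit 1
}

# Point the jailed account at the review script instead of a real shell.
TEMP_FILE=$(mktemp) || exit 1
trap 'rm -f -- "$TEMP_FILE"' EXIT
awk -F: -v user="$USERNAME" -v shell="$JAIL_SHELL" '
  $1 == user { $7 = shell }
  { print }
' OFS=":" "$PASSWD_FILE" > "$TEMP_FILE" || exit 1
# install(1) keeps the jail's passwd root-owned and world-readable; a plain
# mv would carry over mktemp's 0600 mode and the invoking user's ownership,
# leaving the file unreadable inside the jail.
sudo install -m 0644 -o root -g root -- "$TEMP_FILE" "$PASSWD_FILE"
echo "Updated shell for $USERNAME to $JAIL_SHELL"

BASHRC="$USER_HOME/.bashrc"
echo "PS1='(KILLSWITCH PUBLIC UNIX)$ '" >> "$BASHRC"
echo 'echo -e "`cat /usr/local/bin/motd.txt`"' >> "$BASHRC"

# (A commented-out copy_libs/ESSENTIAL_BINS loop that used to live here was
# already marked "Removed"; it has been dropped from the script body.)

# Copy the tools the jailed user gets. NOTE(review): shipping a compiler and
# make into a public jail widens what a logged-in user can build and run
# there; confirm this is intended for this service.
for bin in /usr/bin/gcc /usr/bin/g++ /usr/bin/make /usr/sbin/jk_lsh "$JAIL_SHELL"; do
  jk_cp -v -j "$JAIL_DIR" "$bin"
done

# Create necessary directories within the jail
mkdir -p "$USER_HOME/.ssh"
# Hand the key to Python as an argument rather than interpolating it into
# the program text, so the second argument is always treated as data.
CLEAN_PUBKEY=$(python3 -c 'import sys, urllib.parse; print(urllib.parse.unquote_plus(sys.argv[1]))' "$PUBKEY") || exit 1
printf '%s\n' "$CLEAN_PUBKEY" > "$USER_HOME/.ssh/authorized_keys"
chmod 700 "$USER_HOME/.ssh"
chmod 600 "$USER_HOME/.ssh/authorized_keys"
mkdir -p "$USER_HOME/tmp"       # Create a /tmp directory
chmod 1777 "$USER_HOME/tmp"     # World-writable with the sticky bit, like a real /tmp

# Create a restricted .bash_profile. Only $USERNAME is meant to expand now;
# $HOME, the prompt's $ and the motd backticks are escaped so they are
# evaluated at the user's login rather than here, as the invoking user.
cat > "$RESTRICTED_PROFILE" <<EOL
# Restricted .bash_profile for $USERNAME
# Prevent the user from changing the PATH
readonly PATH
HOME="\$HOME"
# Additional restrictions (optional, but recommended)
# Treat references to unset variables as errors
set -o nounset
# Disallow redirection (including <<, >, >>)
# NOTE: bash has no 'no_redirection' option; enabling the line below makes
# every login fail with "invalid option name". A restricted shell (set -r)
# is the bash mechanism that blocks redirection.
#set -o no_redirection
# You can add aliases for allowed commands here
stty erase ^H
# Prompts
PS1='(KILLSWITCH PUBLIC UNIX)\$ '
#unset -f type
#unset -f hash
echo -e "\`cat /usr/local/bin/motd.txt\`"
EOL

# Set permissions (important for security)
chown -R root:root "$JAIL_DIR"
# NOTE(review): this is recursive over the whole jail, so it also resets the
# modes of every file copied by jk_cp/jk_jailuser (including any setuid bit).
chmod -R 755 "$JAIL_DIR"
# Re-apply the tighter modes that the recursive chmod just clobbered.
chmod 700 "$USER_HOME/.ssh"
chmod 600 "$USER_HOME/.ssh/authorized_keys"

# Create default www directory for web access
WWW_DIR="$USER_HOME/www"
mkdir -p "$WWW_DIR"
cat > "$WWW_DIR/index.html" <<EOF
<!DOCTYPE html>
<html>
<head>
<title>Welcome to Killswitch</title>
<meta charset="UTF-8">
</head>
<body>
<h1>Hello from ~${USERNAME}</h1>
<p>This is your public web directory. Place your files here.</p>
</body>
</html>
EOF

# Hand the home directory to the user first, then pin the profile to root so
# the user cannot edit their own restrictions. (Doing the root chown before
# the recursive chown, as before, left .bash_profile user-owned.)
sudo chown -R "$USERNAME":"$USERNAME" "$USER_HOME"
chmod 755 "$WWW_DIR"
chmod 644 "$WWW_DIR/index.html"
sudo chown root:root "$RESTRICTED_PROFILE"

# Site-specific ownership fix-up (runs once; the former second call sat after
# the exit below and could never execute).
sudo /home/ubuntu/setown.sh

if id "$USERNAME" >/dev/null 2>&1; then
  echo "User '$USERNAME' created successfully."
  exit 0
fi
echo "Error: User creation failed." >&2
exit 1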