blob: 062cc1758b0d36a8f770b6410ff1566d07294a55 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
#!/bin/bash
# Set the base directory
BASE_DIR="/home/publicaccess/home"
# Iterate over each directory inside /home/publicaccess/home/
for dir in "$BASE_DIR"/*/; do
# Check if it's a directory
if [ -d "$dir" ]; then
# Extract the directory name (username)
cp motd.txt "$dir"/motd.txt
username=$(basename "$dir")
setfacl -m mask::rwx "$dir"
# Apply chmod 700 to the user's home directory to keep it secure
chown "$username:$username" "$dir"/motd.txt
# Set ownership of the home directory to the user
chown "$username:$username" "$dir"
# Set permissions so SSH can enter the dir, but no one else can list
setfacl -m u:"$username":rwx "$dir"
# Block access to this dir from all other users
for otherdir in "$BASE_DIR"/*; do
otheruser=$(basename "$otherdir")
if [ "$otheruser" != "$username" ]; then
setfacl -m u:$otheruser:0 "$dir"
fi
done
# Create or overwrite the .bashrc with environment restrictions
cat << 'EOF' > "$dir/.bashrc"
# Restricted shell environment
# Set and lock important variables
export PATH="/bin:/usr/bin:/safecommands"
export HOME="$HOME"
export SHELL="/bin/bash"
export TERM="xterm-256color"
readonly PATH
readonly HOME
readonly SHELL
readonly TERM
# Disable export and unset commands
export() {
echo "export: Command not allowed."
}
unset() {
echo "unset: Command not allowed."
}
# Disable direct use of 'git'
git() {
echo "Direct use of 'git' is disabled. Use the git-init-h tool."
}
# Set noclobber option to prevent overwriting files
set -o noclobber
PS1='(KILLSWITCH PUBLIC ACCESS)$ '
echo -e "`cat motd.txt`"
# Welcome message
echo "Welcome UUSER."
EOF
# Create or overwrite the .bash_profile to source .bashrc
cat << 'EOF' > "$dir/.bash_profile"
# Source the restricted .bashrc if it exists
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
PS1='(KILLSWITCH PUBLIC UNIX)$ '
echo -e "`cat motd.txt`"
EOF
# Set permissions: .bashrc and .bash_profile readable but NOT writable by user
chmod 755 "$dir/.bashrc"
chmod 755 "$dir/.bash_profile"
# Set ownership of .bashrc and .bash_profile to root:root
sudo chown root:root "$dir/.bashrc"
sudo chown root:root "$dir/.bash_profile"
# Set the permissions on the user's git directory so it's readable by everyone
git_dir="$dir/git"
sudo mkdir -p "$git_dir/listed"
# Ensure that the git directory exists
if [ -d "$git_dir" ]; then
# Set the permissions so the git directory is readable by everyone, but only writable by the owner
sudo chmod -R 755 "$git_dir"
sudo chown -R "$username:$username" "$git_dir"
fi
echo "Configured restricted shell for $username in $dir"
fi
sudo chown -R "$username":"$username" "$dir/.ssh"
chmod 701 "$dir"
chmod 600 /home/publicaccess/home/"$username"/.ssh/authorized_keys
chmod 700 /home/publicaccess/home/"$username"/.ssh
setfacl -m g::r-x "$dir"
setfacl -m mask::r-x "$dir"
done
setfacl -m g::r-x "/home/publicaccess/home"
setfacl -m g::r-x "/home/publiccaccess"
# Set the permissions for the shared git folder
sudo chown root:root /srv/git/listed
sudo chmod 755 /srv/git/listed
sudo setfacl -R -m u:www-data:rx /srv/git/listed
echo "Completed applying permissions, ownership, and restrictions to all directories inside $BASE_DIR."
|
