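#!/bin/ksh
# script: jail.ksh
# version: 1.0
# date: 9/27/2002
# author: Kent Cowgill
#
# Description:
# This script sets up a minimal jail for chrooted users for ssh and sftp.
# Existing groups, users, directories, device nodes and links are tolerated
# so the script can be re-run; any other failure aborts it. Please modify
# the JAILUSER and JAILGROUP variables in the script according to your
# specific needs and requirements.
#
# Disclaimer: Use this script at your own risk. I cannot ensure that it
# will perform exactly as described on your system. By using this script,
# you acknowledge that you have read and understand all the commands contained
# herein, and waive any claim against Kent Cowgill for any harm to your system.
#
# (c) 2002 Kent Cowgill. Permission to modify and distribute is
# granted on condition the copyright message is included and modifications
# are clearly identified.
#
# For suggestions, additions, and corrections, I thank Alex Kramarov, Steven
# M. Christianson, james@firstaidmusic, Gabriele Facciolo, Eileen Coles, Hugh
# McLenagh, and Walter G. Aiello.
#
# For changes, suggestions, corrections, enhancements, comments, or criticisms,
# email kent@c2group.net
#
# Modifications (review): every expansion quoted, set -eu with guards that
# make re-runs harmless, "psuedo" typo in the /dev/zero link fixed, gid now
# taken from the user (id -g takes a user name, not a group name), libraries
# ldd reports as "(file not found)" are skipped, and the chroot root is
# root-owned instead of owned by the jailed user.

# Must run as root: creates accounts, device nodes and root-owned directories.
# -e aborts on the first unexpected failure, -u on a misspelled variable.
# (pipefail is not available in every ksh, so the ldd pipeline below is only
# checked through its awk stage.)
set -eu

# CHANGE THESE!
JAILUSER=jailuser
JAILGROUP=jailgroup

JAILROOT=/export/home/jail      # parent directory of all per-user jails
JAIL=$JAILROOT/$JAILUSER        # chroot root for this user
PLATFORM=$(uname -i)            # hoisted: used for usr/platform/<arch>/lib

# die MESSAGE... : print MESSAGE to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Group and user: reuse them if they already exist (a re-run must not fail),
# otherwise create them.
if getent group "$JAILGROUP" >/dev/null 2>&1; then
  printf 'group %s already exists, reusing it\n' "$JAILGROUP"
else
  /usr/sbin/groupadd "$JAILGROUP" || die "cannot add group $JAILGROUP"
fi

mkdir -p "$JAILROOT"
chown root:"$JAILGROUP" "$JAILROOT"
chmod 750 "$JAILROOT"

# The "/./" inside the home path is presumably the marker a chroot-patched
# sshd uses to split the chroot root from the home directory inside it —
# confirm against the sshd build you deploy.
if getent passwd "$JAILUSER" >/dev/null 2>&1; then
  printf 'user %s already exists, reusing it\n' "$JAILUSER"
else
  /usr/sbin/useradd -g "$JAILGROUP" -c "Jail user $JAILUSER" \
    -d "$JAIL/./home/$JAILUSER" -s /bin/sh "$JAILUSER" \
    || die "cannot add user $JAILUSER"
fi

# The chroot root itself must be root-owned and not writable by the jailed
# user; a user who owns it can rename or replace etc, bin and the libraries
# copied below. The user's writable area is home/$JAILUSER, created further
# down.
mkdir -p "$JAIL"
chown root:"$JAILGROUP" "$JAIL"
chmod 750 "$JAIL"

cd "$JAIL" || die "cannot cd to $JAIL"

# Skeleton directory tree (mkdir -p is idempotent).
for d in etc bin usr/bin usr/local/bin usr/local/libexec usr/local/sbin \
         usr/local/lib usr/local/ssl/lib usr/lib "usr/platform/$PLATFORM/lib" \
         dev devices/pseudo home; do
  mkdir -p "$d"
done

# Shell and basic utilities, each with the shared libraries ldd resolves for
# it. Third ldd column is the resolved library path; the pattern skips
# "(file not found)" entries, which would otherwise be copied as garbage.
APPS='bin/cp bin/ls bin/mkdir bin/mv bin/pwd bin/rm bin/rmdir bin/sh'
for i in $APPS; do   # unquoted on purpose: APPS is a space-separated list
  cp "/$i" "./$i" || die "cannot copy /$i"
  for l in $(ldd "./$i" | awk '$3 ~ /^\// {print $3}'); do
    mkdir -p "./$(dirname "$l")"
    cp "$l" ".$l" || die "cannot copy $l"
  done
done

# Pseudo-device nodes for zero and null (major 13, minors 12 and 2, the
# Solaris-style devices/pseudo layout) plus the /dev symlinks pointing at
# them. Each step is skipped when the node or link already exists.
cd "$JAIL/devices/pseudo"
[[ -e mm@0:zero ]] || mknod mm@0:zero c 13 12
[[ -e mm@0:null ]] || mknod mm@0:null c 13 2
cd "$JAIL/dev"
[[ -L zero ]] || ln -s ../devices/pseudo/mm@0:zero zero   # was "psuedo" (dangling link)
[[ -L null ]] || ln -s ../devices/pseudo/mm@0:null null

# ssh/sftp binaries and the libraries they need inside the jail.
BINS="usr/local/bin/ssh usr/local/libexec/sftp-server usr/local/sbin/sshd \
usr/local/lib/libz.so usr/local/ssl/lib/libcrypto.so.0.9.6 usr/lib/ld.so.1 \
usr/platform/$PLATFORM/lib/libc_psr.so.1 usr/lib/nss_files.so.1"
cd "$JAIL"
for i in $BINS; do   # unquoted on purpose: BINS is a space-separated list
  cp "/$i" "./$i" || die "cannot copy /$i"
done

# The user's own (writable) directory inside the jail.
mkdir -p "$JAIL/home/$JAILUSER"
chown "$JAILUSER:$JAILGROUP" "$JAIL/home/$JAILUSER"

# Minimal passwd and group files for the jail. Both ids come from the account
# created above: useradd -g made $JAILGROUP the user's primary group, so
# `id -g $JAILUSER` is that group's gid. (id accepts a user name only, so the
# original `id -g $JAILGROUP` could not work unless a user of that name
# happened to exist.)
jail_uid=$(/usr/xpg4/bin/id -u "$JAILUSER")
jail_gid=$(/usr/xpg4/bin/id -g "$JAILUSER")
printf '%s:x:%s:%s::/home/%s:/bin/sh\n' \
  "$JAILUSER" "$jail_uid" "$jail_gid" "$JAILUSER" > "$JAIL/etc/passwd"
printf '%s::%s:%s\n' \
  "$JAILGROUP" "$jail_gid" "$JAILUSER" > "$JAIL/etc/group"

echo "done!"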