commit 745eb0fbe58d4af0eacf2c672a28ca749c5ef291 Author: mikeconrad Date: Mon Sep 2 19:24:31 2024 -0400 Initial commit This is a fully working version of the script that creates chroot directory
diff --git a/create_chroot_jail.sh b/create_chroot_jail.sh
new file mode 100644
index 0000000..104addd
--- /dev/null
+++ b/create_chroot_jail.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env sh
+
+# This script is primarily designed to create a chroot jail to be used by an SSH user.
+# My primary use case for this script is that I have a bastion server that I want users
+# to be able to use for port forwarding to access a database behind a firewall.
+# I want these users to have as little permissions as possible. This script has been tested
+# on Ubuntu 22.02
+
+
+# Define a directory for our jail and a user.
+JAIL_DIRECTORY=/BASTIONJAIL
+JAIL_USER=bastionuser
+
+# Create the necessary directories.
+sudo mkdir -p $JAIL_DIRECTORY/{etc,bin,lib64,lib/x86_64-linux-gnu,dev/urandom,dev/tty}
+sudo cp /bin/bash $JAIL_DIRECTORY/bin
+sudo cp /bin/sleep $JAIL_DIRECTORY/bin
+sudo cp /bin/ssh $JAIL_DIRECTORY/bin
+sudo cp /dev/null $JAIL_DIRECTORY/dev/
+
+sudo chown $JAIL_USER:$JAIL_USER $JAIL_DIRECTORY/dev/null
+
+# Link our hosts file for any network needs.
+sudo ln -s /etc/hosts $JAIL_DIRECTORY/etc/hosts
+
+
+Copy_Dependencies(){
+ # Get a list of libraries and parse out just the pathnames.
+ list="$(ldd "$1" | grep -E -o '/lib.*\.[0-9]')"
+ for i in $list; do cp -v "$i" "${JAIL_DIRECTORY}${i}"; done
+}
+
+# These are the minimum requirements for setting up an SSH tunnel.
+Copy_Dependencies "/bin/bash"
+Copy_Dependencies "/bin/sleep"
+Copy_Dependencies "/bin/ssh"
+
+# Now make sure that the user has an entry in /etc/passwd.
+# Shell should be /bin/bash.
+
+# Add the following to /etc/sshd_config
+# Match User batchtesting
+# ChrootDirectory /BASTIONJAIL
+# Banner none
+
+# Create special devices
+
+sudo mknod -m 666 $JAIL_DIRECTORY/null c 1 3
+sudo mknod -m 666 $JAIL_DIRECTORY/zero c 1 5
+sudo chown root:root $JAIL_DIRECTORY/null $JAIL_DIRECTORY/zero
\ No newline at end of file
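Review bot: The jail never gets working device nodes: `sudo cp /dev/null $JAIL_DIRECTORY/dev/` produces an empty regular file that the next line chowns to the jail user, the `mkdir -p` list creates `dev/urandom` and `dev/tty` as directories rather than devices, and the two `mknod` calls at the end write `null` and `zero` to the jail root instead of `$JAIL_DIRECTORY/dev/`. A user-owned regular file named `/dev/null` means every redirect to it inside the jail appends to a file the user controls, and anything opening `/dev/urandom` or `/dev/tty` finds a directory. I would drop the `cp /dev/null` and the `chown $JAIL_USER` lines, create only `dev` in the mkdir list, and `mknod` all four nodes under `dev/` as root-owned, as below. Separately, the `{etc,bin,...}` brace expansion on the mkdir line is a bashism that `#!/usr/bin/env sh` (dash on Ubuntu) will not expand, so the directory layout is only created when the script is invoked with bash explicitly. `Copy_Dependencies` also runs `cp` without `sudo` into the root-owned tree, so the library copies fail unless the whole script already runs as root, and with no `set -e` the script carries on regardless.
```shell
# Create the necessary directories (spelled out: brace expansion is not POSIX sh).
sudo mkdir -p "$JAIL_DIRECTORY/etc" "$JAIL_DIRECTORY/bin" "$JAIL_DIRECTORY/lib64" \
  "$JAIL_DIRECTORY/lib/x86_64-linux-gnu" "$JAIL_DIRECTORY/dev"
# … unchanged: copying bash/sleep/ssh, hosts symlink, Copy_Dependencies and its calls …
# Create device nodes inside the jail's /dev; root-owned so the user cannot replace them.
sudo mknod -m 666 "$JAIL_DIRECTORY/dev/null"    c 1 3
sudo mknod -m 666 "$JAIL_DIRECTORY/dev/zero"    c 1 5
sudo mknod -m 666 "$JAIL_DIRECTORY/dev/urandom" c 1 9
sudo mknod -m 666 "$JAIL_DIRECTORY/dev/tty"     c 5 0
sudo chown root:root "$JAIL_DIRECTORY/dev/null" "$JAIL_DIRECTORY/dev/zero" \
  "$JAIL_DIRECTORY/dev/urandom" "$JAIL_DIRECTORY/dev/tty"
```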