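#!/usr/bin/env bash
#
# Build a minimal chroot jail for an SSH user whose only job is port forwarding
# (e.g. a bastion host in front of a database behind a firewall). The jail holds
# just enough to run bash, sleep and ssh, so the jailed user has as few
# permissions as possible. The original author tested this on Ubuntu "22.02"
# (presumably 22.04). Requires bash (brace expansion, [[ ]], arrays); every
# write under the jail goes through sudo.
#
# After running this script:
#   1. Give the user an /etc/passwd entry whose shell is /bin/bash.
#   2. Add a Match block to the sshd configuration (usually /etc/ssh/sshd_config):
#        Match User bastionuser
#            ChrootDirectory /BASTIONJAIL
#            Banner none
#      sshd only honours ChrootDirectory when the jail root and every parent
#      directory are owned by root and not writable by group or others; main()
#      sets that on the jail root. Other directives in the same Match block
#      (e.g. PermitTTY, X11Forwarding, ForceCommand) can narrow the session
#      further if the user only needs -L/-R tunnels.

set -eu

# Directory for the jail and the user that will be confined to it.
readonly JAIL_DIRECTORY=/BASTIONJAIL
readonly JAIL_USER=bastionuser

# Binaries copied into the jail: the minimum needed for an SSH tunnel session.
readonly JAIL_BINARIES=(/bin/bash /bin/sleep /bin/ssh)

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Create a root-owned, mode 666 character device inside the jail unless it is
# already there, so the script can be re-run (mknod fails on an existing path).
# Globals:   JAIL_DIRECTORY (read)
# Arguments: $1 - path relative to the jail root (e.g. dev/null)
#            $2 - major number
#            $3 - minor number
#######################################
make_char_device() {
  local rel=$1 major=$2 minor=$3
  local path="${JAIL_DIRECTORY}/${rel}"
  if [[ -c "$path" ]]; then
    return 0
  fi
  [[ -e "$path" ]] && die "$path exists but is not a character device"
  sudo mknod -m 666 "$path" c "$major" "$minor"
  sudo chown root:root "$path"
}

#######################################
# Copy the shared libraries a binary links against to the same path under the
# jail, creating the needed directories. Keeps the original filter: absolute
# paths under /lib* whose name ends in a version digit.
# Globals:   JAIL_DIRECTORY (read)
# Arguments: $1 - absolute path of a dynamically linked executable
# Returns:   0 on success; exits via die() if $1 is not executable
#######################################
Copy_Dependencies() {
  local binary=$1 lib
  [[ -x "$binary" ]] || die "not an executable: $binary"
  # ldd runs the program's dynamic loader, so it is only applied to the fixed
  # list of system binaries in JAIL_BINARIES, never to user-supplied paths.
  # Reading line by line (instead of word-splitting a string) keeps paths with
  # unusual characters intact.
  while IFS= read -r lib; do
    [[ -n "$lib" ]] || continue
    sudo mkdir -p "${JAIL_DIRECTORY}${lib%/*}"
    sudo cp -v -- "$lib" "${JAIL_DIRECTORY}${lib}"
  done < <(ldd "$binary" | grep -E -o '/lib[^ ]*\.[0-9]+')
}

#######################################
# Assemble the jail: directory layout, binaries with their libraries, a hosts
# file and the character devices the jailed programs expect.
# Globals:   JAIL_DIRECTORY, JAIL_USER, JAIL_BINARIES (read)
#######################################
main() {
  local bin
  for bin in "${JAIL_BINARIES[@]}"; do
    [[ -x "$bin" ]] || die "missing binary: $bin"
  done

  # The user is expected to exist before sshd can match it; warn rather than
  # fail so the jail can still be prepared first.
  if ! id "$JAIL_USER" >/dev/null 2>&1; then
    printf 'warning: user %s does not exist yet; create it before use\n' \
      "$JAIL_USER" >&2
  fi

  # Base layout. dev/ is a plain directory; the nodes inside it are created
  # below with mknod (the original mkdir of dev/urandom and dev/tty produced
  # directories, not devices).
  sudo mkdir -p "$JAIL_DIRECTORY"/{etc,bin,lib64,lib/x86_64-linux-gnu,dev}
  # sshd refuses a ChrootDirectory that is not root-owned or is group/world
  # writable.
  sudo chown root:root "$JAIL_DIRECTORY"
  sudo chmod 755 "$JAIL_DIRECTORY"

  for bin in "${JAIL_BINARIES[@]}"; do
    sudo cp -- "$bin" "${JAIL_DIRECTORY}/bin/"
    Copy_Dependencies "$bin"
  done

  # A symlink to /etc/hosts would resolve relative to the jail root once
  # chrooted and point at itself, so copy the file instead.
  sudo cp -- /etc/hosts "${JAIL_DIRECTORY}/etc/hosts"

  # Character devices, placed under dev/ (the original mknod wrote them to the
  # jail root). Standard Linux device numbers: null 1:3, zero 1:5,
  # urandom 1:9, tty 5:0.
  make_char_device dev/null 1 3
  make_char_device dev/zero 1 5
  make_char_device dev/urandom 1 9
  make_char_device dev/tty 5 0
}

main "$@"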