forked from hestiacp/hestiacp
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathv-add-sys-ssh-jail
More file actions
executable file
·130 lines (106 loc) · 3.66 KB
/
v-add-sys-ssh-jail
File metadata and controls
executable file
·130 lines (106 loc) · 3.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/bin/bash
# info: add system ssh jail
# options: [RESTART]
#
# example: v-add-sys-ssh-jail yes
#
# This function enables ssh jailed environment.
#----------------------------------------------------------#
# Variables & Functions #
#----------------------------------------------------------#
# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# load config file
source_conf "$HESTIA/conf/hestia.conf"
restart=$1
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
# Checking if jailkit is installed
if [ ! -x /sbin/jk_init ]; then
exit
fi
# Checking if bubblewrap is installed
if [ ! -x /bin/bwrap ]; then
exit
fi
# Perform verification if read-only mode is enabled
check_hestia_demo_mode
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Move jailbash to /usr/sbin
if [ ! -x /usr/sbin/jailbash ]; then
cp -f $HESTIA_COMMON_DIR/bubblewrap/jailbash /usr/sbin/jailbash
cp -f $HESTIA_COMMON_DIR/bubblewrap/bwrap-userns-restrict /etc/apparmor.d/bwrap-userns-restrict
chmod +x /usr/sbin/jailbash
service apparmor reload > /dev/null 2>&1
fi
# Register /usr/sbin/jailbash
if [ -z "$(grep ^/usr/sbin/jailbash /etc/shells)" ]; then
echo "/usr/sbin/jailbash" >> /etc/shells
fi
# Checking sshd directives
config='/etc/ssh/sshd_config'
ssh_i=$(grep -n "^# Hestia SSH Chroot" $config)
# Enabling jailed ssh
if [ -z "$ssh_i" ]; then
echo " " >> $config
echo "# Hestia SSH Chroot" >> $config
echo "Match Group ssh-jailed" >> $config
echo " ChrootDirectory /srv/jail/%u" >> $config
echo " X11Forwarding no" >> $config
echo " AllowTCPForwarding no" >> $config
restart='yes'
fi
# Validating opensshd config
if [ "$restart" = 'yes' ]; then
subj="OpenSSH restart failed"
email=$(grep CONTACT "$HESTIA/data/users/$ROOT_USER/user.conf" | cut -f 2 -d \')
/usr/sbin/sshd -t > /dev/null 2>&1
if [ "$?" -ne 0 ]; then
mail_text="OpenSSH can not be restarted. Please check config:
\n\n$(/usr/sbin/sshd -t)"
echo -e "$mail_text" | $SENDMAIL -s "$subj" $email
else
service sshd restart > /dev/null 2>&1
fi
fi
# Adding group
groupadd ssh-jailed 2> /dev/null
# Checking jailkit init
jk_init='/etc/jailkit/jk_init.ini'
jk_php_i=$(grep -n "^# Hestia Jail Settings" $jk_init)
# Add PHP to jailkit init to allow usage of it within jail
if [ -z "$jk_php_i" ]; then
cp -f $HESTIA_COMMON_DIR/jailkit/jk_init.ini /etc/jailkit
fi
# Restart ssh service
if [ "$restart" = 'no' ]; then
# Skip restart of SSH daemon
echo "" > /dev/null 2>&1
else
service ssh restart > /dev/null 2>&1
fi
# Jails need maintenance to update the binaries within the jail. To do so we just reset the chroot
# and reapply the jail
for user in $("$BIN/v-list-users" list); do
check_jail_enabled=$(grep "SHELL_JAIL_ENABLED='yes'" $HESTIA/data/users/$user/user.conf)
# If jail enabled try to jail the user
if [ -n "$check_jail_enabled" ]; then
$BIN/v-add-user-ssh-jail "$user" "no"
fi
done
# Add v-add-sys-ssh-jail to startup
if [ ! -e "/etc/cron.d/hestia-ssh-jail" ]; then
echo "@reboot root sleep 60 && /usr/local/hestia/bin/v-add-sys-ssh-jail > /dev/null" > /etc/cron.d/hestia-ssh-jail
fi
#----------------------------------------------------------#
# Hestia #
#----------------------------------------------------------#
# Logging
log_event "$OK" "$ARGUMENTS"
exit