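#!/bin/bash
# info: add user ssh jail
# options: USER [RESTART]
#
# example: v-add-user-ssh-jail admin
#
# This function enables ssh jailed environment: it builds (or refreshes) the
# jailkit chroot under /srv/jail/USER, adds USER to the ssh-jailed group and
# sets SHELL_JAIL_ENABLED=yes in the user's Hestia record. RESTART=no skips
# the sshd restart; any other value (or none) restarts sshd.
# Exits silently (status 0) when jailkit is not installed or when the user's
# login shell is rssh/nologin, since there is no interactive shell to jail.

#----------------------------------------------------------#
#                Variables & Functions                      #
#----------------------------------------------------------#

# Argument definition
user=$1
# RESTART is the second documented argument. The previous "restart=$3" never
# matched the "USER [RESTART]" usage, so "no" was silently ignored and sshd
# was always restarted.
restart=$2

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source "$HESTIA/func/main.sh"
# load config file
source_conf "$HESTIA/conf/hestia.conf"

# Root of the per-user jail that sshd chroots into
chroot="/srv/jail/$user"

#----------------------------------------------------------#
#                    Verifications                          #
#----------------------------------------------------------#

# Checking if jailkit is installed; without it there is nothing to do
if [ ! -x /sbin/jk_init ]; then
    exit
fi

check_args '1' "$#" 'USER'
is_format_valid 'user'
# The Hestia record is updated below, so the user must exist in Hestia too
is_object_valid 'user' 'USER' "$user"

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

#----------------------------------------------------------#
#                       Action                              #
#----------------------------------------------------------#

# Look the account up once via NSS rather than grepping /etc/passwd; refuse to
# continue with an empty shell path, which would otherwise be handed to
# jk_jailuser -s "" and usermod -s "" below.
passwd_entry=$(getent passwd "$user")
if [ -z "$passwd_entry" ]; then
    check_result "$E_NOTEXIST" "system user $user doesn't exist"
fi

# Get shell full path (7th field of the passwd entry)
shell_path=$(printf '%s\n' "$passwd_entry" | cut -f 7 -d :)

# Prevent enabling the jail when rssh or nologin is the login shell.
# Only the shell field is inspected, so a username or gecos containing
# "nologin" no longer trips this check.
case "$shell_path" in
    *rssh* | *nologin*)
        exit
        ;;
esac

# Set home folder ownership to root
# NOTE(review): presumably required because the home is exposed inside the
# jail and jailkit/sshd insist on root ownership - confirm against the jail setup
if [ -d "/home/$user" ]; then
    chown root:root "/home/$user"
fi

if [ ! -d "$chroot" ]; then
    add_chroot_jail "$user"

    # Add user to the ssh-jailed group to allow jailed ssh
    # This needs to be done first to make sure these groups are made available in the jail
    usermod -a -G ssh-jailed "$user"

    # Installing shell files into the user chroot directory
    # - IMPORTANT - MODIFY THE FOLLOWING LINES AND THE FILE jk_init.ini ACCORDING TO YOUR SYSTEM AND YOUR PREFERENCES
    /sbin/jk_init -f -j "$chroot" extendedshell netutils ssh sftp scp git php php5_6 php7_0 php7_1 php7_2 php7_3 php7_4 php8_0 php8_1 php8_2 > /dev/null 2>&1
    /sbin/jk_cp -f -j "$chroot" /bin/id > /dev/null 2>&1

    # Jailing user to make sure passwd and groups are set correctly within the jail.
    # This command also does a little too much by changing the users homedir and
    # shell in /etc/passwd. The next commands revert those changes for compatibility
    # with hestia.
    /sbin/jk_jailuser -n -s "$shell_path" -j "$chroot" "$user"

    # Reset home directory and shell again for hestiacp because jailkit changes these.
    # Normally these are needed to redirect the ssh user to its chroot but because we
    # use a custom sshd_config to redirect the user to its chroot we don't need them to be
    # changed in /etc/passwd for the user.
    usermod -d "/home/$user" "$user" > /dev/null 2>&1
    usermod -s "$shell_path" "$user" > /dev/null 2>&1
else
    # Jail already exists: refresh the copied binaries/libraries and make sure
    # the passwd entry still points at the real home and shell
    /sbin/jk_update -f -j "$chroot" > /dev/null 2>&1
    usermod -d "/home/$user" "$user" > /dev/null 2>&1
    usermod -s "$shell_path" "$user" > /dev/null 2>&1
fi

#----------------------------------------------------------#
#                       Hestia                              #
#----------------------------------------------------------#

# Enabling user jail
update_user_value "$user" '$SHELL_JAIL_ENABLED' "yes"

# Restart ssh service unless the caller asked to skip it (RESTART=no)
if [ "$restart" != 'no' ]; then
    service sshd restart > /dev/null 2>&1
fi

# Logging
log_event "$OK" "$ARGUMENTS"

exit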