This is a quick trick for chrooting a user in Linux


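# Build a chroot directory for user dev02. Every step below needs root.
newUserName=dev02
jailDir="/home/${newUserName}"

# Add the user and set its password:
useradd "${newUserName}"
passwd "${newUserName}"
mkdir -p "${jailDir}"

# Show the host's device numbers; the mknod calls below must use the same
# major/minor pairs.
ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}
mkdir -p "${jailDir}/home"

# Device nodes go in the jail's dev/ directory: a process inside the jail
# opens /dev/null, /dev/tty, ... relative to the jail root, so nodes created
# under home/ would never be found.
mkdir -p "${jailDir}/dev"
cd "${jailDir}/dev"
mknod -m 666 null c 1 3
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5
mknod -m 666 random c 1 8

# sshd_config(5) requires every component of the ChrootDirectory path to be
# a root-owned directory that no other user or group can write to.
chown root:root "${jailDir}"
chmod 0755 "${jailDir}"
ls -ld "${jailDir}"

mkdir -p "${jailDir}/usr/bin"
# Relative link target: an absolute /home/${newUserName}/usr/bin target would
# be resolved from the jail root after the chroot and point at nothing.
ln -s usr/bin "${jailDir}/bin"

# copy bash command
cp /bin/bash "${jailDir}/usr/bin/"
# check bash command libs:
mkdir -p "${jailDir}/lib64"
ldd /bin/bash
# Copy every library ldd listed into the jail's lib64 dir. The names below
# come from the author's machine; match them against your own ldd output.
cp -v /lib64/{libtinfo.so.6,libdl.so.2,libc.so.6,ld-linux-x86-64.so.2} "${jailDir}/lib64/"

# Make the etc folder. Only the root and ${newUserName} entries are written,
# so the jailed user cannot read the host's full account list.
mkdir -p "${jailDir}/etc"
getent passwd root "${newUserName}" > "${jailDir}/etc/passwd"
getent group root "${newUserName}" > "${jailDir}/etc/group"

# The only directory inside the jail that the user owns and can write to.
mkdir -p "${jailDir}/home/www"
chown -R "${newUserName}:${newUserName}" "${jailDir}/home/www"
chmod -R 0700 "${jailDir}/home/www"

cp /bin/ls "${jailDir}/usr/bin/"
cp /bin/date "${jailDir}/usr/bin/"
cp /bin/mkdir "${jailDir}/usr/bin/"
ldd /bin/ls
cp -v /lib64/{libpcre2-8.so.0,libselinux.so.1,libcap.so.2,libacl.so.1,libc.so.6,libpcre.so.1,libdl.so.2,ld-linux-x86-64.so.2,libattr.so.1,libpthread.so.0} "${jailDir}/lib64/"

# Terminal descriptions, copied so programs in the jail can look up $TERM.
mkdir -p "${jailDir}/usr/share/terminfo"
cp -r /usr/share/terminfo/* "${jailDir}/usr/share/terminfo/"

# if use PHP
cp /bin/php "${jailDir}/usr/bin/"
# check which libs PHP used
ldd /bin/php
# Every name inside the braces is prefixed with /lib64/, so the loader is
# listed by bare file name like the rest (a leading /lib64/ inside the braces
# expands to /lib64//lib64/..., which does not exist).
cp -v /lib64/{libcrypt.so.1,libresolv.so.2,libncurses.so.6,libtinfo.so.6,librt.so.1,libstdc++.so.6,libm.so.6,libdl.so.2,libxml2.so.2,libgssapi_krb5.so.2,libkrb5.so.3,libk5crypto.so.3,libcom_err.so.2,libssl.so.1.1,libcrypto.so.1.1,libpcre2-8.so.0,libz.so.1,libedit.so.0,libc.so.6,libpthread.so.0,ld-linux-x86-64.so.2,libgcc_s.so.1,liblzma.so.5,libkrb5support.so.0,libkeyutils.so.1,libselinux.so.1} "${jailDir}/lib64/"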

# Edit /home/${newUserName}/.bashrc and append the line below to the end of
# the file (it is text for that file, not a command to run here):
cd /home/${newUserName}/home/www
# NOTE(review): after sshd chroots the session, paths resolve from the jail
# root, so this directory is presumably /home/www inside the jail, and
# ~/.bashrc is looked up inside the jail too. Confirm the line takes effect.
#
# Edit /etc/ssh/sshd_config and add the configuration below.
# Per sshd_config(5), every component of the ChrootDirectory path must be a
# root-owned directory that no other user or group can write to.
# A Match block runs until the next Match line or the end of the file, so an
# AllowUsers line placed after it is read as part of that block. If it is
# moved above the first Match line it becomes global, and SSH login is then
# allowed only for the users it lists.
Match User ${newUserName}
	ChrootDirectory /home/${newUserName}
	AllowTcpForwarding no
AllowUsers ${newUserName}
# Comment out this line:
Subsystem	sftp	/usr/libexec/openssh/sftp-server
# and change it to the in-process SFTP server, which needs no sftp-server
# binary inside the jail (-f sets the log facility, -l the log level):
Subsystem sftp internal-sftp -f AUTH -l VERBOSE

# Check the edited file with `sshd -t` before restarting, and keep the
# current SSH session open until a new login succeeds; a syntax error in
# sshd_config stops sshd from starting.
systemctl restart sshd

Or put all the steps in one bash script (save the code below as create-user.sh, then run it):

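#!/bin/bash
#
# create-user.sh: create a Linux user, build an SSH chroot jail for it under
# /home/<user>, and register the jail in /etc/ssh/sshd_config.
#
# Run as root. The script prompts for the user name and then for the new
# user's password (via passwd). It can be run again for the same user.

set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Print a message to stderr and stop.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Copy every shared library that ldd reports for a binary into a directory.
# Arguments: $1 - binary on the host, $2 - destination directory
# ldd is only pointed at the host's own system binaries here.
copy_libs() {
  local bin=$1 dest=$2 lib
  while IFS= read -r lib; do
    cp -v -- "$lib" "$dest/"
  done < <(ldd "$bin" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }')
}

# Create a mode-666 character device unless the node is already there.
# Arguments: $1 - node path, $2 - major number, $3 - minor number
make_dev() {
  local node=$1 major=$2 minor=$3
  [[ -e "$node" ]] || mknod -m 666 "$node" c "$major" "$minor"
}

# useradd, mknod, chown and the sshd_config edits all need root.
((EUID == 0)) || die "This script must be run as root"

# Prompt user to enter a value for the variable
echo "Enter your new UserName:"

read -r -p "" newUserName

# The name is used to build paths, a regular expression and sshd_config
# lines, all as root; an empty or unusual value would point those steps at
# /home itself or corrupt the config, so only plain account names pass.
readonly NAME_RE='^[a-z_][a-z0-9_-]*$'
if [[ ! "$newUserName" =~ $NAME_RE ]] || ((${#newUserName} > 32)); then
  die "Invalid username: '${newUserName}'"
fi

# Display the value entered by the user
echo "Your new username is: $newUserName"

jail="/home/${newUserName}"

# Add the user (skipped when the account already exists) and set a password.
id -u "$newUserName" >/dev/null 2>&1 || useradd "$newUserName"
passwd "$newUserName"

# Show the host's device numbers next to the ones hard-coded below.
ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}

mkdir -p "$jail/dev" "$jail/home/www" "$jail/usr/bin" "$jail/lib64" \
  "$jail/etc" "$jail/usr/share/terminfo"

# Device nodes go in the jail's dev/ directory: a process inside the jail
# opens /dev/null, /dev/tty, ... relative to the jail root.
make_dev "$jail/dev/null" 1 3
make_dev "$jail/dev/tty" 5 0
make_dev "$jail/dev/zero" 1 5
make_dev "$jail/dev/random" 1 8

# sshd_config(5) requires every component of the ChrootDirectory path to be
# a root-owned directory that no other user or group can write to.
chown root:root "$jail"
chmod 0755 "$jail"
ls -ld "$jail"

# Relative link target: an absolute /home/<user>/usr/bin target would be
# resolved from the jail root after the chroot and point at nothing.
ln -sfn usr/bin "$jail/bin"

# Copy the commands offered inside the jail, each with the libraries ldd
# reports for it, so the set matches this host instead of a fixed list.
for bin in /bin/bash /bin/ls /bin/date /bin/mkdir; do
  cp -- "$bin" "$jail/usr/bin/"
  copy_libs "$bin" "$jail/lib64"
done

# Make the etc folder. Only the root and new-user entries are written, so
# the jailed user cannot read the host's full account list.
getent passwd root "$newUserName" > "$jail/etc/passwd"
getent group root "$newUserName" > "$jail/etc/group"

# The only directory inside the jail that the user owns and can write to.
chown -R "${newUserName}:${newUserName}" "$jail/home/www"
chmod -R 0700 "$jail/home/www"

# Terminal descriptions, copied so programs in the jail can look up $TERM.
cp -r /usr/share/terminfo/* "$jail/usr/share/terminfo/"

# NOTE(review): after sshd chroots the session, paths resolve from the jail
# root, so this directory is presumably /home/www inside the jail, and
# ~/.bashrc is looked up inside the jail too. Confirm the line takes effect.
bashrc_line="cd ${jail}/home/www"
if ! grep -qxF -- "$bashrc_line" "$jail/.bashrc" 2>/dev/null; then
  printf '%s\n' "$bashrc_line" >> "$jail/.bashrc"
fi

# Keep a copy of sshd_config so a failed validation can be rolled back.
backup="${SSHD_CONFIG}.bak.$(date +%Y%m%d%H%M%S)"
cp -p -- "$SSHD_CONFIG" "$backup"

# Change config Subsystem sftp. Only the sftp line is rewritten; rewriting
# every Subsystem line would define sftp more than once.
sed -i -E \
  's/^Subsystem[[:space:]]+sftp([[:space:]].*)?$/Subsystem sftp internal-sftp -f AUTH -l VERBOSE/' \
  "$SSHD_CONFIG"

# check exist sshd config Match User
if grep -Eq "^Match User ${newUserName}[[:space:]]*$" "$SSHD_CONFIG"; then
  # Leave an existing block alone; re-inserting its body on every run would
  # pile up duplicate ChrootDirectory/AllowTcpForwarding lines.
  echo "Match User ${newUserName} already exists"
else
  # add
  printf '\nMatch User %s\n\tChrootDirectory %s\n\tAllowTcpForwarding no\n' \
    "$newUserName" "$jail" >> "$SSHD_CONFIG"
fi

# check exist sshd config AllowUsers
# The line is appended at the end of the file, so it is read as part of the
# last Match block. Placed in the global section instead, it would limit
# SSH login to the users it lists.
if grep -Eq "^AllowUsers ${newUserName}([[:space:]]|$)" "$SSHD_CONFIG"; then
  # do nothing
  echo "AllowUsers ${newUserName} already exists"
else
  # add
  printf 'AllowUsers %s\n' "$newUserName" >> "$SSHD_CONFIG"
fi

# Validate before restarting: sshd does not start with a broken config,
# which would cut off remote access to the host.
if ! sshd -t -f "$SSHD_CONFIG"; then
  cp -p -- "$backup" "$SSHD_CONFIG"
  die "sshd_config failed validation; restored ${backup}, sshd not restarted"
fi

# restart sshd
systemctl restart sshd

# if PHP
if [[ -x /bin/php ]]; then
  cp -- /bin/php "$jail/usr/bin/"
  copy_libs /bin/php "$jail/lib64"
fi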
