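#!/bin/sh
#env; exit 0

# Prepares a per-user chroot view for the account named in PAM_USER:
# $jail_system is the shared tree, $jail_dir/<user> the per-user jail root.
# Reads PAM_USER, PAM_SERVICE, PAM_TTY, PAM_RHOST and PAM_TYPE from the
# environment (presumably exported by pam_exec -- confirm against the PAM
# configuration that calls this script).

jail_dir="/var/chroot-jails"
jail_system="/var/chroot-sys"

user="$PAM_USER"
home="$(getent passwd "$user" | cut -f6 -d:)"
home_system="$jail_system/$home"
home_chroot="$jail_dir/$user/$home";

# printf rather than echo: these values describe the remote login attempt and
# some sh implementations expand backslash escapes in echo arguments.
printf '%s, %s, %s, %s, %s\n' \
  "$PAM_USER" "$PAM_SERVICE" "$PAM_TTY" "$PAM_RHOST" "$PAM_TYPE"

# NOTE(review): the exemption is by name only; another account with uid 0
# would still be jailed -- confirm that is intended.
[ "$user" = "root" ] && {
  echo "no chroots for roots"
  exit 0;
}

# Stop before touching the filesystem when the account cannot be resolved.
# With an empty $user or $home the paths above collapse onto $jail_dir and
# $jail_system themselves, so the mkdir/chown/mount steps would act on the
# shared roots instead of a per-user directory.
if [ -z "$user" ]; then
  echo "PAM_USER is empty, refusing to build a jail" >&2
  exit 1
fi
case "$home" in
  /*) ;;
  *)
    printf 'no absolute home directory for user: %s\n' "$user" >&2
    exit 1
    ;;
esac

#TODO: test if $home is in /home/

mkdir -p "$home_system"
mkdir -p "$jail_dir/$user"
# NOTE(review): assumes a group with the same name as the user exists.
chown "$user:$user" "$home_system"
# NOTE(review): $home_system lives below $jail_system, so this recursive
# chown resets the ownership set on the previous line. It also walks the whole
# tree on every login; if a user's home is ever visible below $jail_system
# (for example through mount propagation) it would be re-owned to root as
# well -- confirm the intended order and the mount propagation settings.
chown -R root:root "$jail_system"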
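# is_mounted DIR
# Succeeds when DIR appears as a mount point in /proc/mounts.
# Arguments: $1 - directory path; repeated slashes are collapsed and one
#                 trailing slash is removed before the comparison.
# Globals:   dir (written) - the normalised path.
# Returns:   0 if an identical mount-point entry exists, non-zero otherwise.
#
# Defined without the `function` keyword because the script runs under
# #!/bin/sh, where that keyword is not guaranteed to exist.
is_mounted() {
  dir=$(printf '%s\n' "$1" | sed -e 's/\/\/*/\//g; s/\/$//g;')
  # -x -F: compare whole lines as fixed strings. The path contains a user
  # name, and as a regex a '.' in it would also match other mount points,
  # letting an unmounted jail be reported as mounted.
  cut -d ' ' -f 2 /proc/mounts | grep -qxF -- "$dir"
}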
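# bind FROM TO [OPTIONS]
# Bind-mounts FROM onto TO unless TO is already a mount point, then applies
# OPTIONS (for example "ro") with a bind remount.
# Arguments: $1 - source directory
#            $2 - mount point
#            $3 - optional mount options; a leading comma is accepted and
#                 dropped so the option list has no empty element
# Globals:   from, to, opt (written)
# Returns:   0 when TO is mounted and the options were applied, 1 otherwise.
#
# Defined without the `function` keyword because the script runs under
# #!/bin/sh, where that keyword is not guaranteed to exist.
# NOTE(review): an existing mount at TO is accepted without checking that its
# source is FROM.
bind() {
  from="$1"
  to="$2"
  opt="${3#,}"

  if ! is_mounted "$to"; then
    echo "Mounting: $from to $to";
    mount -o bind "$from" "$to" || {
      echo "Not mounted: $to"
      return 1
    }
  fi
  if [ -n "$opt" ]; then
    # A failed remount must fail the call: otherwise a jail requested
    # read-only would be handed out with the plain bind mount's options.
    mount -o "remount,bind,$opt" "$to" || {
      echo "Remount failed ($opt): $to"
      return 1
    }
  fi
  is_mounted "$to" || {
    echo "Not mounted: $to"
    return 1
  }
  return 0
}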
# Dispatch on the PAM event. Closing a session leaves the mounts in place;
# every other PAM_TYPE value (re)builds the jail.
if [ "$PAM_TYPE" = "close_session" ]; then
  #TODO: unmount if not busy
  #umount "$jail_dir/$user" && umount "$home_chroot"
  exit 0
fi

# Shared system tree first, requested read-only, then the user's real home on
# top of it. The distinct exit codes tell the two failures apart.
# NOTE(review): if the second bind fails, the first mount is left in place.
bind "$jail_system" "$jail_dir/$user" ',ro' || exit 1
bind "$home" "$home_chroot" || exit 2

exit 0