From a4edb895353314d867e7c5306a4ad0acbfffe34a Mon Sep 17 00:00:00 2001
From: Tomas Mudrunka <tomas@mudrunka.cz>
Date: Mon, 30 Mar 2015 03:40:27 +0200
Subject: [PATCH] ssh-jail builder

---
 bash/ssh-jail/ssh-jail.sh | 60 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 bash/ssh-jail/ssh-jail.sh

diff --git a/bash/ssh-jail/ssh-jail.sh b/bash/ssh-jail/ssh-jail.sh
new file mode 100644
index 0000000..ac56ea0
--- /dev/null
+++ b/bash/ssh-jail/ssh-jail.sh
@@ -0,0 +1,60 @@
+#!/bin/sh
+#env; exit 0
+
+jail_dir="/var/chroot-jails"
+jail_system="/var/chroot-sys"
+
+user="$PAM_USER"
+home="$(getent passwd "$user" | cut -f6 -d:)"
+home_system="$jail_system/$home"
+home_chroot="$jail_dir/$user/$home";
+
+echo "$PAM_USER, $PAM_SERVICE, $PAM_TTY, $PAM_RHOST, $PAM_TYPE"
+
+[ "$user" = "root" ] && {
+	echo "no chroots for roots"
+	exit 0;
+}
+
+#TODO: test if $home is in /home/
+
+mkdir -p "$home_system"
+mkdir -p "$jail_dir/$user"
+chown "$user:$user" "$home_system"
+chown -R root:root "$jail_system"
+
+function is_mounted() {
+	dir=$(echo "$1" | sed -e 's/\/\/*/\//g; s/\/$//g;')
+	cut -d ' ' -f 2 /proc/mounts  | grep "^$dir$" >/dev/null
+}
+
+function bind() {
+	from="$1"
+	to="$2"
+	opt="$3"
+
+	is_mounted "$to" || {
+		echo "Mounting: $from to $to";
+		mount -o bind "$from" "$to"
+	}
+	[ -n "$opt" ] && mount -o remount,bind,"$opt" "$to"
+	is_mounted "$to" || {
+		echo "Not mounted: $to"
+		return 1
+	}
+	return 0
+}
+
+case "$PAM_TYPE" in
+	close_session)
+		#TODO: unmount if not busy
+		#umount "$jail_dir/$user" && umount "$home_chroot"
+		exit 0
+		;;
+	*)
+		bind "$jail_system" "$jail_dir/$user" ',ro' || exit 1
+		bind "$home" "$home_chroot" || exit 2
+		;;
+esac
+
+exit 0
-- 
2.30.2