

@numb95
Forked from weakish/busyroot.sh
Created September 14, 2018 20:41

Revisions

  1. @weakish weakish created this gist Apr 19, 2011.
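--- a/busyroot.sh
+++ b/busyroot.sh
@@ -0,0 +1,163 @@
+#!/bin/sh
+# by Jakukyo Friel <weakish@gmail.com> under GPL v2.
+
+### Set up a chroot busybox SSH environment
+
+## requires
+# wget -- to download pubkey and busybox
+# sharutils -- to generate random password
+
+## Config
+
+# Edit them to suit your needs, e.g $Pubkeyurl. Paticuliarly, I'm using amd64. If you
+# are on a 32-bit x86 system, change $Arch to i586 or i686.
+
+
+# chroot users' group
+readonly Members=members
+# chroot directory (should be owned and writable only by root)
+readonly Chroot=/chroot
+
+# busybox
+readonly Site=http://busybox.net/downloads/binaries
+readonly Version=1.16.0
+readonly Arch=x86_64
+readonly URL=$Site/$Version/busybox-$Arch
+
+
+## Doc
+
+help() {
+cat << END
+Set up a chroot busybox SSH environment
+Actions
+init create chroot environment
+add USERNAME PUBKEY_URL add new user and specify url to download pubkey
+help this help page
+Examples:
+busyroot add joe http://example.com/id_dsa.pub
+END
+}
+
+## sshd settings
+#
+# You should have openssh-sever (>4.8) installed.
+#
+# We will use /chroot as the chroot directory. All users belong to the
+# group members will get chrooted. Edit your /etc/ssh/sshd_config, e.g.:
+#
+# Match Group members
+# ChrootDirectory /chroot
+#
+
+
+## Set up chroot environment
+setup_chroot() {
+# prepare chroot group
+groupadd $Members
+
+# build directory tree
+mkdir $Chroot
+cd $Chroot
+mkdir -p dev/pts proc etc lib usr/lib var/run var/log \
+home bin usr/bin sbin usr/sbin
+
+# copy files
+cp /etc/localtime etc/
+cp /etc/nsswitch.conf etc/
+cp /etc/resolv.conf etc/
+cp /etc/host.conf etc/
+cp /etc/hosts etc/
+touch var/log/lastlog
+touch var/run/utmp
+touch var/log/wtmp
+
+# create devices
+mknod dev/urandom c 1 9 && chmod 0666 dev/urandom
+mknod dev/ptmx c 5 2 && chmod 0666 dev/ptmx
+mknod dev/tty c 5 0 && chmod 0666 dev/tty
+
+# The new environment needs access to terminals (this is necessary for a user to login) and to proc filesystem.
+mount -o bind /dev/pts dev/pts/
+mount -o bind /proc proc/
+
+# busybox
+cd bin
+wget "$URL"
+mv busybox-$Arch busybox
+chmod 0755 busybox
+ln -s busybox sh
+
+cat <<- END
+You need to manually chroot to link commands to busybox:
+chroot $Chroot /bin/sh
+busybox --install
+exit
+END
+}
+
+
+## add user
+
+# Generate random password
+#
+# We disable password login. So in most cases, password is useless.
+# But in rare cases, we may need to enable password login. Thus we
+# made a very long password for security.
+# Since Base64 uses [:alnum:] plus [+-] ('=' as suffix), our password length is about as strong as an 256-bit key.
+# log(2**256)/log(26*2+10+2) => 42.6666666666667
+#
+generate_passwd() {
+dd if=/dev/urandom count=1 2>/dev/null |
+uuencode -m - |
+head -n 2 | tail -n 1 | cut -c -43
+}
+
+init_user() {
+local new_comer=$1
+local pubkey_url=$2
+local strong_passwd=`generate_passwd`
+
+# add user
+useradd -d /home/$new_comer -s /bin/sh -p $strong_passwd \
+-g $Members -m $new_comer
+
+# ssh with dsa_pubkey
+cd /home/$new_comer
+wget --no-check-certificate $pubkey_url
+mkdir .ssh
+chmod 700 .ssh
+cat ${pubkey_url##*/} >> .ssh/authorized_keys2
+chmod 600 .ssh/authorized_keys2
+chown -R $new_comer:$Members .ssh
+
+# copy files to $Chroot
+cd $Chroot
+local pattern="^${new_comer}:x:[0-9]"
+grep $pattern /etc/passwd >> etc/passwd
+grep $pattern /etc/group >> etc/group
+grep $pattern /etc/shadow >> etc/shadow
+mkdir home/$new_comer
+chown $new_comer:$Members home/$new_comer
+
+# report
+echo "Done for $new_comer, whose password is"
+echo $strong_passwd
+
+}
+
+
+## main function
+
+case $1 in
+init) setup_chroot;;
+add)
+New_comer=$2
+Pubkey_url=$3
+init_user $New_comer $Pubkey_url;;
+*) help;;
+esac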
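Review bot: `cd /home/$new_comer` in init_user is unchecked, so when useradd fails and that directory does not exist, the `# ssh with dsa_pubkey` block runs in whatever directory root invoked the script from: the downloaded key is appended to `./.ssh/authorized_keys2` there, and because the following `chown -R` fails too the file stays root-owned — run from /root this can hand the fetched key a root login on systems whose AuthorizedKeysFile still lists authorized_keys2. Guard the step with `cd "/home/$new_comer" || { echo "no home for $new_comer" >&2; return 1; }`, and likewise `cd "$Chroot" || exit 1` in setup_chroot, where an unchecked cd precedes the bind-mounts of /proc and /dev/pts. The key itself is fetched with `wget --no-check-certificate $pubkey_url`, which lets anyone on the network path substitute their own key; drop that flag and quote the URL, and consider the same for the busybox binary, which becomes the whole chroot userland yet is fetched over plain http from `$Site` with no checksum or signature check. Finally, useradd's `-p` takes an already-hashed value (see useradd(8)), so the plaintext from generate_passwd is stored verbatim in the shadow field — in practice that blocks password login, but the value is also exposed on the useradd command line and echoed at the end, so the "strong password" comment overstates what it provides.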