Simple helper script to add user accounts for jSYS

jSYS (Jail SYSTEM) is software developed by Izysoftware to create virtualized jails in user space.
This article analyzes a simple script: a working bash script that creates new jSYS users, each with a skeleton directory tree to be used from jSYS.

DOWNLOAD THE SCRIPT HERE

When this script runs, you’ll be asked to add a new system user to be used from jSYS shells. The added user’s home directory will be initialized with some folders and configuration files, including an automatically generated XML configuration file for jSYS. The same file is also used directly by the login shell, because it is set as the login configuration file of the added user.
The script replicates some files from /etc and /proc with dummy files containing wrong but structurally valid values. This increases the privacy of the other system users by limiting what the added user is able to see.
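The replication step described above, as an added example that is not the jSYS adduser script itself: it builds one jail user's skeleton tree and the forged /etc/passwd and /etc/group replicas, and checks that the replica exposes no other account. The skeleton layout (etc/, proc/, tmp/ under the destination) and the dummy home and shell values are assumptions.

```sh
#!/bin/sh
# Added example, not the jSYS adduser script itself: build one jail user's
# skeleton tree and forged /etc/passwd and /etc/group replicas.
# Assumptions: the skeleton layout (etc/, proc/, tmp/ under DEST) and the
# dummy home/shell values written into the fake entries.
set -eu

# make_jail_skeleton USER UID GID DEST
#   Creates DEST/etc, DEST/proc and DEST/tmp and writes passwd/group files that
#   expose only USER: structurally valid (7 and 4 colon-separated fields) but
#   carrying nothing about the other accounts on the host.
make_jail_skeleton() {
    user="$1"; uid="$2"; gid="$3"; dest="$4"
    # Refuse anything that is not a sane account name or numeric id.
    printf '%s' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$' || return 1
    printf '%s:%s' "$uid" "$gid" | grep -Eq '^[0-9]+:[0-9]+$' || return 1
    mkdir -p "$dest/etc" "$dest/proc" "$dest/tmp"
    # passwd: name:x:uid:gid:gecos:home:shell (the password field is the 'x' stub)
    printf '%s:x:%s:%s:%s,,,,:/home/%s:/bin/bash\n' \
        "$user" "$uid" "$gid" "$user" "$user" > "$dest/etc/passwd"
    # group: name:x:gid:members
    printf '%s:x:%s:\n' "$user" "$gid" > "$dest/etc/group"
    # Keep the whole skeleton private to its owner.
    chmod 700 "$dest" "$dest/tmp"
}

# check_passwd_file FILE USER
#   Succeeds only when FILE is non-empty, every line has 7 fields and the
#   only account listed is USER (i.e. the replica leaks no other names).
check_passwd_file() {
    awk -F: -v u="$2" '
        { n++ }
        NF != 7 || $1 != u { bad = 1 }
        END { exit (bad || n == 0) ? 1 : 0 }' "$1"
}

# Demo: build the skeleton for "jstest" under a temporary directory (no root needed).
demo=$(mktemp -d)
make_jail_skeleton jstest 1200 1200 "$demo/jstest"
check_passwd_file "$demo/jstest/etc/passwd" jstest && cat "$demo/jstest/etc/passwd"
```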

When you run the script, you only have to enter a username for the new system account to create and confirm its creation:

# bash jsys-adduser

You can automatically specify an account name from the command line:

# bash jsys-adduser jstest

Once the account has been added (in the example above, a user named jstest is created), it will be usable from SSH, provided a password has been set for the user after its creation (and an SSH server is running).

You can also test the account locally by typing:

$ su jstest

You can start an sshd server on the non-standard port 7777 by typing:

# sshd -p 7777 -D -e -f /tmp/sshd_config

(note that I placed the sshd_config file in /tmp)

Now, you can login with the added user from another terminal:

$ ssh jstest@127.0.0.1 -p 7777

From the shell you can enter any command. You can see that the user is running inside a jail created by jSYS using the script of this example, and that some options of the configuration file limit the ability of the logged-in user to execute commands.

$ ssh jstest@127.0.0.1 -p 7777
jstest@127.0.0.1's password: 
jstest@localhost:~$

Now that a remote shell is here, you can read some system files:

jstest@localhost:~$ cat /etc/passwd
jstest:x:1200:1200:jstest,,,,:/home/jstest:/bin/bash
jstest@localhost:~$ cat /etc/group 
jstest:x:1200:
jstest@localhost:~$

As you can see, jSYS intercepted the reads and returned crafted files in order to hide the real content of those files.
Listing the users from /home won’t work either:

jstest@localhost:~$ ls /home
jstest
jstest@localhost:~$

Also, the directory /tmp is now actually redirected to /home/jstest/tmp, so that all temporary files are private: another user cannot read the temp files of jstest, and vice versa.

jstest@localhost:~$ ls /tmp
jstest@localhost:~$

/tmp is empty. Remember the sshd_config file placed in the /tmp folder of the host system? Indeed, the jstest user doesn’t see it.

Running “top” won’t give a list of processes owned by other users:

top - 17:25:45 up  7:44,  0 users,  load average: 0.10, 0.09, 0.09
Tasks:   2 total,   0 running,   2 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
 5979 jstest    20   0 17708 1076  604 S    0  0.0   0:00.01 bash               
 6037 jstest    20   0 18940 1220  996 D    0  0.0   0:00.01 top

It’s easy to understand why: many files in /proc have been hidden and blocked by jSYS:

jstest@localhost:~$ ls /proc
5974  5979  6046  loadavg  meminfo  self  stat	uptime	version
jstest@localhost:~$

Only some files have been forged and left readable, in order to allow programs that read them from /proc (such as “top” or “ps”) to run:

jstest@localhost:~$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
jstest    5979  0.0  0.0  17708  1152 ?        S    16:09   0:00 bash
jstest    6276  0.0  0.0  14820  1020 ?        R+   16:36   0:00 ps aux
jstest@localhost:~$

Also, the readdir function is blocked in some directories. You can see the consequence of this configuration by executing ls:

jstest@localhost:~$ ls /bin /etc /var
ls: cannot access /var: Permission denied
ls: cannot open directory /bin: Permission denied
ls: cannot open directory /etc: Permission denied
jstest@localhost:~$

The error message for the directory /var is different, because the access to this directory has been totally blocked.

Indeed, it’s not possible to list files. From the XML configuration file it’s possible to block various hooks on a per-directory (and per-file) basis; you can get a list of the known hooks by running the command $ jsys ctypes hooks
However, even if the listing of files has been blocked, it’s still possible to access the files in these directories, because access to the contained files by path hasn’t been blocked:

jstest@localhost:~$ /bin/cat /etc/hosts
127.0.0.1	localhost
jstest@localhost:~$

Both files (/bin/cat and /etc/hosts) are located in directories where listing has been disabled, but they can still be found by path.
The same doesn’t apply to /var, where access is fully blocked, as said above:

jstest@localhost:~$ cat /var/www/index.html
cat: /var/www/index.html: Permission denied
jstest@localhost:~$ cat /var/www/aasasdd-i-dont-even-exist-on-the-filesystem
cat: /var/www/aasasdd-i-dont-even-exist-on-the-filesystem: Permission denied
jstest@localhost:~$

The command “tree” gives a good view of the result of this configuration of jSYS:

$ tree -L 2
.
|-- bin [error opening dir]
|-- dev [error opening dir]
|-- etc [error opening dir]
|-- home
|   `-- jstest
|-- lib [error opening dir]
|-- lib32 [error opening dir]
|-- lib64 -> /lib
|-- lost+found [error opening dir]
|-- opt [error opening dir]
|-- proc
|   |-- 5974
|   |-- 5979
|   |-- 6151
|   |-- loadavg
|   |-- meminfo
|   |-- self
|   |-- stat
|   |-- uptime
|   `-- version
|-- root [error opening dir]
|-- sbin [error opening dir]
|-- selinux [error opening dir]
|-- srv
|-- sys [error opening dir]
|-- tmp
|-- usr [error opening dir]

22 directories, 8 files
jstest@localhost:/$

The only writable directories are /home/jstest and /tmp. Both directories write their files into the user’s home, so deleting the user’s home folder automatically removes all of his files.

jSYS can be used with SSH and SCP. The usage of SCP can be blocked from the configuration file of jSYS, but there is no reason to do so: a user will only be able to copy (download/upload) his own files in his writable directories.

$ scp -P 7777 foo.txt jstest@127.0.0.1:/home/jstest

(and from the SSH connection)

jstest@localhost:~$ ls
foo.txt
jstest@localhost:~$

jSYS is a program that works fully in user space and doesn’t require any change to the kernel. The software works out of the box; the script used in this example can be used to automate the creation of new users with a predefined set of common directory trees, as built by the script itself.
You can edit the source code of the script to personalize it, to add files and folders, or to change the predefined XML configuration file (this file is embedded in the shell script encoded in base64: you have to decode it, edit it, and re-encode it in order to change it).
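The decode, edit and re-encode round trip for the embedded configuration, as an added example that is not code from the jSYS script. It assumes the base64 blob sits between two marker comment lines, "# BEGIN_JSYS_CONFIG" and "# END_JSYS_CONFIG", and the XML it carries is a constructed placeholder, not the real jSYS schema.

```sh
#!/bin/sh
# Added example, not code from the jSYS script: decode, replace and re-encode
# the base64 XML configuration embedded in a shell script.
# Assumptions: the blob sits between the marker lines "# BEGIN_JSYS_CONFIG"
# and "# END_JSYS_CONFIG"; the XML used here is a constructed placeholder,
# not the real jSYS schema.
set -eu

# extract_config SCRIPT -> prints the decoded XML to stdout
extract_config() {
    awk '/^# END_JSYS_CONFIG$/ { p = 0 }  p { print }  /^# BEGIN_JSYS_CONFIG$/ { p = 1 }' "$1" \
        | base64 -d
}

# embed_config SCRIPT XMLFILE OUT -> writes OUT: SCRIPT with the blob replaced by
#   the base64 of XMLFILE; everything outside the markers is copied untouched.
embed_config() {
    grep -q '^# BEGIN_JSYS_CONFIG$' "$1" && grep -q '^# END_JSYS_CONFIG$' "$1" || return 1
    enc=$(mktemp)
    base64 < "$2" > "$enc"
    awk -v blob="$enc" '
        /^# BEGIN_JSYS_CONFIG$/ { print; while ((getline l < blob) > 0) print l; skip = 1; next }
        /^# END_JSYS_CONFIG$/   { skip = 0 }
        !skip { print }' "$1" > "$3"
    rm -f "$enc"
}

# make_sample_script OUT -> constructed stand-in for the adduser script, carrying
#   a placeholder config so the functions above can be exercised offline.
make_sample_script() {
    {
        printf '#!/bin/bash\n# constructed sample, not jsys-adduser\n# BEGIN_JSYS_CONFIG\n'
        printf '<jsys><!-- placeholder, not the real schema --></jsys>\n' | base64
        printf '# END_JSYS_CONFIG\necho "rest of the script is untouched"\n'
    } > "$1"
}

# Demo: extract, edit (here: swap the comment), re-embed and verify the round trip.
s=$(mktemp); make_sample_script "$s"
extract_config "$s"
x=$(mktemp); printf '<jsys><!-- edited --></jsys>\n' > "$x"
o=$(mktemp); embed_config "$s" "$x" "$o"
extract_config "$o"
```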

From the XML configuration file it’s possible to limit the concurrent logins of a user to one. By editing the resource limits section of the configuration file it’s possible to limit the number of concurrent processes, in order to limit the ability of the user to abuse the resources of the server. It’s also possible to set the maximum size of a file and the maximum CPU time a process can consume. The XML configuration file gives you many options to tune the settings of any user account. You can find all XML configuration keys in the documentation of jSYS at the main website of izysoftware.