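#!/bin/sh
# Stub wrapper to be invoked by sshd to trap a user inside of a chroot. Invoke
# this script with an absolute path, and the name of the chroot as the first
# and only parameter, from the ssh ForceCommand option of openssh.
#
# Configuration and use:
#
# Pick a group that will be used to denote which users should be trapped in
# which chroots, to make configuration easier. I chose a scheme of 'ch.';
# in this case, the group 'ch.cnuapp' for the chroot 'cnuapp'.
#
# First, patch sudoers to allow the ssh_chrooter to automatically obtain root
# so that it can run the chroot control script; the env_keep bit is important
# to allow ssh_chrooter to propagate important pieces of information up to the
# control script:
#
# Defaults!/srv/chroot/j/ssh_chrooter env_keep+="ORIG_USER ORIG_SHELL SSH_CLIENT SSH_CONNECTION SSH_ORIGINAL_COMMAND"
# %ch.cnuapp ALL=(ALL) NOPASSWD: /srv/chroot/j/ssh_chrooter cnuapp
#
# To trap users in the chroot group when they log in with password auth, add
# this to /etc/ssh/sshd_config :
#
# Match group ch.cnuapp
#   ForceCommand /srv/chroot/j/ssh_chrooter cnuapp
#
# The above will not apply when users use an ssh key to log in; add this to
# ~/.ssh/authorized_keys for the user:
#
# command="/srv/chroot/j/ssh_chrooter cnuapp" ssh-rsa AAAAB3...
#
# Note: the sudoers line pins the single permitted argument (cnuapp), so the
# chroot name is not chosen by the remote user. The identity of the invoking
# user, however, must be established by this wrapper itself -- see below.

# Shell options belong in the body, not the shebang: '#!/bin/sh -e' is silently
# lost when the script is started as 'sh ssh_chrooter'.
set -e

# Print a diagnostic on stderr and exit without entering any chroot.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Not yet root: re-execute ourselves under sudo, forwarding the ssh session
# variables (the sudoers env_keep line above is what lets them survive).
#
# The invoking account is taken from the real uid ('id -un'), NOT from $USER:
# $USER is an ordinary environment variable the caller can set to anything,
# and it is the value the control scripts later receive as USER.
if [ "$(id -u)" -ne 0 ]; then
  orig_user="$(id -un)" || die "cannot determine invoking user"
  exec sudo \
    ORIG_USER="${orig_user}" \
    ORIG_SHELL="${SHELL}" \
    SSH_CLIENT="${SSH_CLIENT}" \
    SSH_CONNECTION="${SSH_CONNECTION}" \
    SSH_ORIGINAL_COMMAND="${SSH_ORIGINAL_COMMAND}" \
    "${0}" "${@}"
fi

# Name of the chroot to enter. It is used below as a relative path component
# handed to the j/* control scripts, so refuse anything empty, path-like, or
# option-like rather than letting those scripts interpret it.
jname="${1-}"
case "${jname}" in
  '' | */* | -* | . | ..)
    die "usage: ${0} <chroot-name>"
    ;;
esac

# Once root, prefer sudo's own record of who invoked us (SUDO_USER is set by
# sudo from the real uid and cannot be supplied by the caller) over the
# forwarded ORIG_USER, which is in env_keep and therefore also settable on a
# direct 'sudo ORIG_USER=... ssh_chrooter cnuapp' command line. The two agree
# when this wrapper is invoked as documented.
orig_user="${SUDO_USER:-${ORIG_USER}}"

# The control scripts live in j/ beside this wrapper, i.e.
# /srv/chroot/j/ssh_chrooter -> /srv/chroot. This relies on ${0} being an
# absolute path, as the header requires.
cd "$(dirname "$(dirname "${0}")")" || die "cannot change to chroot base directory"

if [ -n "${SSH_ORIGINAL_COMMAND}" ]; then
  # Non-interactive session: SSH_ORIGINAL_COMMAND is the command the remote
  # user asked sshd to run, and it is passed through verbatim by design.
  # NOTE(review): presumably j/eval runs it only as the unprivileged
  # ${orig_user} inside the chroot -- confirm against j/eval.
  USER="${orig_user}" j/eval "${jname}" "cd; ${SSH_ORIGINAL_COMMAND}"
else
  # Interactive session: drop the user into a shell inside the chroot.
  printf '%s\n' "You are now entering the ${jname} chroot" >&2
  USER="${orig_user}" j/enter "${jname}"
fi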