From 1da4c5146140b43a6020c57204a4d40931d569b7 Mon Sep 17 00:00:00 2001
From: Anthony
Date: Wed, 30 Jul 2025 00:59:23 +0800
Subject: [PATCH] Revised fixes on ssh

---
 add-sftp.sh | 25 +++++++++++++++++++++++++
 manifest.jps | 13 +++++++++++++
 scripts/system_prep.sh | 9 ++++++++-
 3 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/add-sftp.sh b/add-sftp.sh
index 018e840..a82d41b 100644
--- a/add-sftp.sh
+++ b/add-sftp.sh
@@ -194,6 +194,31 @@ fi
 log_success "Created bind mount for webroot access"
 
+# Bind shell, dev, and proc into chroot for SSH users
+if [ "$SSH_ENABLED" = "true" ]; then
+ log "Phase 9.1: Mounting shell/dev/proc into chroot"
+ # 1. shell template
+ if ! mount | grep -q "${USER_HOME}/shell"; then
+ log_cmd "mkdir -p ${USER_HOME}/shell" "Creating shell mount point"
+ log_cmd "mount --bind /home/sftp-shell ${USER_HOME}/shell" "Binding shell template"
+ grep -q "/home/sftp-shell ${USER_HOME}/shell" /etc/fstab || echo "/home/sftp-shell ${USER_HOME}/shell none bind 0 0" >> /etc/fstab
+ fi
+ # 2. dev nodes
+ if ! mount | grep -q "${USER_HOME}/dev"; then
+ log_cmd "mkdir -p ${USER_HOME}/dev" "Creating dev mount point"
+ log_cmd "mount --bind /home/sftp-shell/dev ${USER_HOME}/dev" "Binding dev nodes"
+ grep -q "/home/sftp-shell/dev ${USER_HOME}/dev" /etc/fstab || echo "/home/sftp-shell/dev ${USER_HOME}/dev none bind 0 0" >> /etc/fstab
+ fi
+ # 3. read-only proc
+ if ! mount | grep -q "${USER_HOME}/proc"; then
+ log_cmd "mkdir -p ${USER_HOME}/proc" "Creating proc mount point"
+ log_cmd "mount --bind /proc ${USER_HOME}/proc" "Binding proc"
+ log_cmd "mount -o remount,bind,ro ${USER_HOME}/proc" "Remount proc read-only"
+ grep -q "/proc ${USER_HOME}/proc" /etc/fstab || echo "/proc ${USER_HOME}/proc none bind,ro 0 0" >> /etc/fstab
+ fi
+ log_success "Shell, dev, and proc mounted into chroot"
+fi
+
 # Add user to the required groups
 log "Phase 10: Adding user to groups"
 if [ "$SSH_ENABLED" = "true" ]; then
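Review bot: The three `mount | grep -q "${USER_HOME}/…"` guards are substring matches over the whole mount table, so a home path that is a prefix of another user's home (or that appears as a mount source) makes the corresponding step skip silently, and because the fstab append sits inside the same `if`, the persistent entry is never written either; `mountpoint -q "${USER_HOME}/shell"` (and likewise for dev and proc) tests the exact path. The manifest.jps hunk in this commit uses the same `mount | grep -q` pattern for its unmount checks. Bind-mounting the host's /proc gives every chrooted shell user the host-wide process listing; if that is not intended, a private instance, `mount -t proc -o hidepid=2 proc "${USER_HOME}/proc"`, restricts what is visible. The `ro` in the fstab `bind,ro` line is only applied by util-linux versions that perform the implicit second remount, so verify the mount is read-only after a reboot rather than relying on the entry alone. `$USER_HOME` is also expanded unquoted inside the `log_cmd` strings, which breaks on a home path containing whitespace.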
diff --git a/manifest.jps b/manifest.jps
index 964b895..4848c40 100644
--- a/manifest.jps
+++ b/manifest.jps
@@ -347,6 +347,19 @@ actions:
 sed -i "\|/home/sftpusers/${settings.manage_username}/shell|d" /etc/fstab
 fi
 
+ # Unmount dev and proc
+ if mount | grep -q "/home/sftpusers/${settings.manage_username}/dev"; then
+ log "Unmounting dev bind mount for user: ${settings.manage_username}"
+ umount /home/sftpusers/${settings.manage_username}/dev
+ fi
+ if mount | grep -q "/home/sftpusers/${settings.manage_username}/proc"; then
+ log "Unmounting proc bind mount for user: ${settings.manage_username}"
+ umount /home/sftpusers/${settings.manage_username}/proc
+ fi
+ # Remove from fstab
+ sed -i "\|/home/sftpusers/${settings.manage_username}/dev|d" /etc/fstab
+ sed -i "\|/home/sftpusers/${settings.manage_username}/proc|d" /etc/fstab
+
 # Delete user account
 if userdel ${settings.manage_username}; then
 log_success "User account deleted: ${settings.manage_username}"
diff --git a/scripts/system_prep.sh b/scripts/system_prep.sh
index 1ae6803..a1834bd 100644
--- a/scripts/system_prep.sh
+++ b/scripts/system_prep.sh
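Review bot: Neither `umount` in the new block has its exit status checked, so a busy mount leaves dev or proc still bound under the user's home while the fstab lines are deleted and `userdel` goes ahead; if the home directory is removed later in this action (not visible in the hunk), that removal would descend into the still-bound /home/sftp-shell/dev and /proc trees. Guard each call and stop before the account is deleted, e.g. `umount "/home/sftpusers/${settings.manage_username}/dev" || { log "Could not unmount dev for ${settings.manage_username}"; exit 1; }`, and quote the path in both `umount` lines. Unless manage_username is validated elsewhere, a value containing `|` or whitespace also changes the meaning of the `sed "\|…|d"` expressions and of the unquoted `umount` argument.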
@@ -45,16 +45,23 @@ prepare_sftp_system() {
 log_debug "PasswordAuthentication is already enabled."
 fi
+ # Ensure we disable any Subsystem lines pointing to external sftp-server
+ if grep -qE "^[#\s]*Subsystem\s+sftp\s+/" "$sshd_config"; then
+ log "Commenting out existing Subsystem sftp external binary line"
+ log_cmd "sed -i 's/^\s*Subsystem\s\+sftp\s\+/#&/' $sshd_config" "Comment out old Subsystem"
+ fi
+
 # --------------------------------------------------------------------------
 # Step 3: Create a dedicated addon config for modern SSH servers
 # --------------------------------------------------------------------------
 local addon_config_file="/etc/ssh/sshd_config.d/99-sftp-addon.conf"
 log "Creating dedicated SSH configuration at $addon_config_file..."
+ echo "Subsystem sftp internal-sftp" > "$addon_config_file"
 # This configuration uses a two-group system:
 # 1. 'sftpusers': SFTP-only, forced into SFTP mode.
 # 2. 'sshusers': SFTP + SSH, allowed a real shell but still chrooted.
- cat > "$addon_config_file" << EOF
+ cat >> "$addon_config_file" << EOF
 # Configuration managed by SFTP-Addon - DO NOT EDIT MANUALLY
 # --- SFTP-ONLY USERS ---