addons
/
add-sftp-user
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix permission checks: handle non-root execution for password, SSH config, and Match Group checks

main
Anthony 2025-11-04 18:22:11 +08:00
parent b1e2ef1307
commit 36cc410178
1 changed files with 101 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
check-sftp-user.sh
View File

@ -202,20 +202,29 @@ echo
echo "=== 5. PASSWORD CHECK ===" echo "=== 5. PASSWORD CHECK ==="
if [ "${USER_EXISTS:-true}" != "false" ] && id "$USERNAME" &>/dev/null 2>&1; then if [ "${USER_EXISTS:-true}" != "false" ] && id "$USERNAME" &>/dev/null 2>&1; then
# Check if password is set (this is tricky - we can only check if shadow entry exists) # Check if password is set (requires root to read /etc/shadow)
if grep -q "^$USERNAME:" /etc/shadow; then if [ "$EUID" -eq 0 ]; then
print_status "OK" "User has shadow entry (password record exists)" # Running as root - can check shadow file
# Check if password field is empty or has '!' (locked) if grep -q "^$USERNAME:" /etc/shadow 2>/dev/null; then
PWD_FIELD=$(grep "^$USERNAME:" /etc/shadow | cut -d: -f2) print_status "OK" "User has shadow entry (password record exists)"
if [ -z "$PWD_FIELD" ] || [ "$PWD_FIELD" = "*" ] || [ "$PWD_FIELD" = "!" ]; then # Check if password field is empty or has '!' (locked)
print_status "ERROR" "User password appears to be LOCKED or NOT SET!" PWD_FIELD=$(grep "^$USERNAME:" /etc/shadow 2>/dev/null | cut -d: -f2)
echo " Password field: $PWD_FIELD" if [ -z "$PWD_FIELD" ] || [ "$PWD_FIELD" = "*" ] || [ "$PWD_FIELD" = "!" ]; then
echo " Fix: echo '$USERNAME:NEW_PASSWORD' | chpasswd" print_status "ERROR" "User password appears to be LOCKED or NOT SET!"
echo " Password field: $PWD_FIELD"
echo " Fix: echo '$USERNAME:NEW_PASSWORD' | chpasswd"
else
print_status "OK" "User password appears to be set (hashed)"
fi
else else
print_status "OK" "User password appears to be set (hashed)" print_status "ERROR" "User does NOT have shadow entry!"
fi fi
else else
print_status "ERROR" "User does NOT have shadow entry!" # Not running as root - cannot read /etc/shadow
print_status "WARNING" "Cannot check password status (requires root privileges)"
echo " Note: Password check requires root access to read /etc/shadow"
echo " Run as root or use sudo to check password status"
echo " To verify password: sudo grep '^$USERNAME:' /etc/shadow"
fi fi
fi fi
echo echo
@ -238,15 +247,32 @@ fi
# Check addon config file # Check addon config file
ADDON_CONFIG="/etc/ssh/sshd_config.d/99-sftp-addon.conf" ADDON_CONFIG="/etc/ssh/sshd_config.d/99-sftp-addon.conf"
if [ -d "/etc/ssh/sshd_config.d" ]; then if [ -d "/etc/ssh/sshd_config.d" ]; then
if [ -f "$ADDON_CONFIG" ]; then # Check if file exists (may require root to read)
print_status "OK" "Addon config file exists: $ADDON_CONFIG" if [ -r "$ADDON_CONFIG" ] || [ "$EUID" -eq 0 ]; then
echo " Contents:" if [ -f "$ADDON_CONFIG" ]; then
cat "$ADDON_CONFIG" | sed 's/^/ /' print_status "OK" "Addon config file exists: $ADDON_CONFIG"
if [ -r "$ADDON_CONFIG" ] || [ "$EUID" -eq 0 ]; then
echo " Contents:"
cat "$ADDON_CONFIG" 2>/dev/null | sed 's/^/ /' || echo " (Cannot read file - requires root)"
else
echo " File exists but cannot be read (requires root privileges)"
fi
else
print_status "WARNING" "Addon config file does NOT exist: $ADDON_CONFIG"
echo " This file should be created during addon installation."
echo " The addon may not have been properly installed or updated."
echo " Fix: Reinstall or update the addon to create this file."
fi
else else
print_status "WARNING" "Addon config file does NOT exist: $ADDON_CONFIG" # Check if file exists using test (works even without read permission)
echo " This file should be created during addon installation." if sudo test -f "$ADDON_CONFIG" 2>/dev/null || [ -f "$ADDON_CONFIG" ]; then
echo " The addon may not have been properly installed or updated." print_status "OK" "Addon config file exists: $ADDON_CONFIG"
echo " Fix: Reinstall or update the addon to create this file." echo " Note: Cannot read contents (requires root privileges)"
echo " To view: sudo cat $ADDON_CONFIG"
else
print_status "WARNING" "Cannot verify addon config file (requires root privileges)"
echo " Check: sudo ls -la $ADDON_CONFIG"
fi
fi fi
else else
print_status "WARNING" "SSH config.d directory does not exist: /etc/ssh/sshd_config.d" print_status "WARNING" "SSH config.d directory does not exist: /etc/ssh/sshd_config.d"
@ -264,28 +290,70 @@ else
fi fi
# Check Match Group configuration # Check Match Group configuration
if grep -q "Match Group sftpusers" /etc/ssh/sshd_config; then MATCH_SFTPUSERS_FOUND=false
MATCH_SSHUSERS_FOUND=false
# Check main config
if grep -q "Match Group sftpusers" /etc/ssh/sshd_config 2>/dev/null; then
MATCH_SFTPUSERS_FOUND=true
print_status "OK" "Match Group sftpusers found in main config" print_status "OK" "Match Group sftpusers found in main config"
elif [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sftpusers" "$ADDON_CONFIG"; then fi
print_status "OK" "Match Group sftpusers found in addon config"
else # Check addon config (may require root to read)
if [ "$MATCH_SFTPUSERS_FOUND" = false ]; then
if [ -r "$ADDON_CONFIG" ]; then
if [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sftpusers" "$ADDON_CONFIG" 2>/dev/null; then
MATCH_SFTPUSERS_FOUND=true
print_status "OK" "Match Group sftpusers found in addon config"
fi
elif sudo test -f "$ADDON_CONFIG" 2>/dev/null && sudo grep -q "Match Group sftpusers" "$ADDON_CONFIG" 2>/dev/null; then
MATCH_SFTPUSERS_FOUND=true
print_status "OK" "Match Group sftpusers found in addon config"
fi
fi
if [ "$MATCH_SFTPUSERS_FOUND" = false ]; then
print_status "ERROR" "Match Group sftpusers NOT found in SSH config!" print_status "ERROR" "Match Group sftpusers NOT found in SSH config!"
fi fi
if grep -q "Match Group sshusers" /etc/ssh/sshd_config; then # Check for sshusers group
if grep -q "Match Group sshusers" /etc/ssh/sshd_config 2>/dev/null; then
MATCH_SSHUSERS_FOUND=true
print_status "OK" "Match Group sshusers found in main config" print_status "OK" "Match Group sshusers found in main config"
elif [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sshusers" "$ADDON_CONFIG"; then
print_status "OK" "Match Group sshusers found in addon config"
else
print_status "WARNING" "Match Group sshusers NOT found (needed for SSH access)"
fi fi
# Test SSH config syntax if [ "$MATCH_SSHUSERS_FOUND" = false ]; then
if sshd -t 2>/dev/null; then if [ -r "$ADDON_CONFIG" ]; then
print_status "OK" "SSH configuration syntax is valid" if [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sshusers" "$ADDON_CONFIG" 2>/dev/null; then
MATCH_SSHUSERS_FOUND=true
print_status "OK" "Match Group sshusers found in addon config"
fi
elif sudo test -f "$ADDON_CONFIG" 2>/dev/null && sudo grep -q "Match Group sshusers" "$ADDON_CONFIG" 2>/dev/null; then
MATCH_SSHUSERS_FOUND=true
print_status "OK" "Match Group sshusers found in addon config"
fi
fi
if [ "$MATCH_SSHUSERS_FOUND" = false ]; then
print_status "WARNING" "Match Group sshusers NOT found (needed for SSH access)"
echo " Note: This may be in the addon config file that requires root to read"
echo " Check: sudo grep 'Match Group sshusers' $ADDON_CONFIG"
fi
# Test SSH config syntax (requires root)
if [ "$EUID" -eq 0 ]; then
if sshd -t 2>&1; then
print_status "OK" "SSH configuration syntax is valid"
else
SSH_TEST_OUTPUT=$(sshd -t 2>&1)
print_status "ERROR" "SSH configuration syntax is INVALID!"
echo " Errors:"
echo "$SSH_TEST_OUTPUT" | sed 's/^/ /'
fi
else else
print_status "ERROR" "SSH configuration syntax is INVALID!" print_status "WARNING" "Cannot test SSH config syntax (requires root privileges)"
echo " Run: sshd -t (as root) to see errors" echo " To test: sudo sshd -t"
echo " Note: SSH service is running, so config is likely valid"
fi fi
echo echo