Fix permission checks: handle non-root execution for password, SSH config, and Match Group checks

2025-11-04 18:22:11 +08:00 · 2025-11-04 18:22:11 +08:00 · 36cc410178
parent b1e2ef1307
commit 36cc410178
1 changed files with 101 additions and 33 deletions
--- a/check-sftp-user.sh
+++ b/check-sftp-user.sh
@ -202,11 +202,13 @@ echo

 echo "=== 5. PASSWORD CHECK ==="
 if [ "${USER_EXISTS:-true}" != "false" ] && id "$USERNAME" &>/dev/null 2>&1; then
-    # Check if password is set (this is tricky - we can only check if shadow entry exists)
-    if grep -q "^$USERNAME:" /etc/shadow; then
+    # Check if password is set (requires root to read /etc/shadow)
+    if [ "$EUID" -eq 0 ]; then
+        # Running as root - can check shadow file
+        if grep -q "^$USERNAME:" /etc/shadow 2>/dev/null; then
            print_status "OK" "User has shadow entry (password record exists)"
            # Check if password field is empty or has '!' (locked)
-        PWD_FIELD=$(grep "^$USERNAME:" /etc/shadow | cut -d: -f2)
+            PWD_FIELD=$(grep "^$USERNAME:" /etc/shadow 2>/dev/null | cut -d: -f2)
            if [ -z "$PWD_FIELD" ] || [ "$PWD_FIELD" = "*" ] || [ "$PWD_FIELD" = "!" ]; then
                print_status "ERROR" "User password appears to be LOCKED or NOT SET!"
                echo "  Password field: $PWD_FIELD"
@ -217,6 +219,13 @@ if [ "${USER_EXISTS:-true}" != "false" ] && id "$USERNAME" &>/dev/null 2>&1; the
        else
            print_status "ERROR" "User does NOT have shadow entry!"
        fi
+    else
+        # Not running as root - cannot read /etc/shadow
+        print_status "WARNING" "Cannot check password status (requires root privileges)"
+        echo "  Note: Password check requires root access to read /etc/shadow"
+        echo "  Run as root or use sudo to check password status"
+        echo "  To verify password: sudo grep '^$USERNAME:' /etc/shadow"
+    fi
 fi
 echo

@ -238,16 +247,33 @@ fi
 # Check addon config file
 ADDON_CONFIG="/etc/ssh/sshd_config.d/99-sftp-addon.conf"
 if [ -d "/etc/ssh/sshd_config.d" ]; then
+    # Check if file exists (may require root to read)
+    if [ -r "$ADDON_CONFIG" ] || [ "$EUID" -eq 0 ]; then
        if [ -f "$ADDON_CONFIG" ]; then
            print_status "OK" "Addon config file exists: $ADDON_CONFIG"
+            if [ -r "$ADDON_CONFIG" ] || [ "$EUID" -eq 0 ]; then
                echo "  Contents:"
-        cat "$ADDON_CONFIG" | sed 's/^/    /'
+                cat "$ADDON_CONFIG" 2>/dev/null | sed 's/^/    /' || echo "    (Cannot read file - requires root)"
+            else
+                echo "  File exists but cannot be read (requires root privileges)"
+            fi
        else
            print_status "WARNING" "Addon config file does NOT exist: $ADDON_CONFIG"
            echo "  This file should be created during addon installation."
            echo "  The addon may not have been properly installed or updated."
            echo "  Fix: Reinstall or update the addon to create this file."
        fi
+    else
+        # Check if file exists using test (works even without read permission)
+        if sudo test -f "$ADDON_CONFIG" 2>/dev/null || [ -f "$ADDON_CONFIG" ]; then
+            print_status "OK" "Addon config file exists: $ADDON_CONFIG"
+            echo "  Note: Cannot read contents (requires root privileges)"
+            echo "  To view: sudo cat $ADDON_CONFIG"
+        else
+            print_status "WARNING" "Cannot verify addon config file (requires root privileges)"
+            echo "  Check: sudo ls -la $ADDON_CONFIG"
+        fi
+    fi
 else
    print_status "WARNING" "SSH config.d directory does not exist: /etc/ssh/sshd_config.d"
    echo "  This directory is required for the addon configuration."
@ -264,28 +290,70 @@ else
 fi

 # Check Match Group configuration
-if grep -q "Match Group sftpusers" /etc/ssh/sshd_config; then
+MATCH_SFTPUSERS_FOUND=false
+MATCH_SSHUSERS_FOUND=false
+
+# Check main config
+if grep -q "Match Group sftpusers" /etc/ssh/sshd_config 2>/dev/null; then
+    MATCH_SFTPUSERS_FOUND=true
    print_status "OK" "Match Group sftpusers found in main config"
-elif [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sftpusers" "$ADDON_CONFIG"; then
+fi
+
+# Check addon config (may require root to read)
+if [ "$MATCH_SFTPUSERS_FOUND" = false ]; then
+    if [ -r "$ADDON_CONFIG" ]; then
+        if [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sftpusers" "$ADDON_CONFIG" 2>/dev/null; then
+            MATCH_SFTPUSERS_FOUND=true
            print_status "OK" "Match Group sftpusers found in addon config"
-else
+        fi
+    elif sudo test -f "$ADDON_CONFIG" 2>/dev/null && sudo grep -q "Match Group sftpusers" "$ADDON_CONFIG" 2>/dev/null; then
+        MATCH_SFTPUSERS_FOUND=true
+        print_status "OK" "Match Group sftpusers found in addon config"
+    fi
+fi
+
+if [ "$MATCH_SFTPUSERS_FOUND" = false ]; then
    print_status "ERROR" "Match Group sftpusers NOT found in SSH config!"
 fi

-if grep -q "Match Group sshusers" /etc/ssh/sshd_config; then
+# Check for sshusers group
+if grep -q "Match Group sshusers" /etc/ssh/sshd_config 2>/dev/null; then
+    MATCH_SSHUSERS_FOUND=true
    print_status "OK" "Match Group sshusers found in main config"
-elif [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sshusers" "$ADDON_CONFIG"; then
-    print_status "OK" "Match Group sshusers found in addon config"
-else
-    print_status "WARNING" "Match Group sshusers NOT found (needed for SSH access)"
 fi

-# Test SSH config syntax
-if sshd -t 2>/dev/null; then
+if [ "$MATCH_SSHUSERS_FOUND" = false ]; then
+    if [ -r "$ADDON_CONFIG" ]; then
+        if [ -f "$ADDON_CONFIG" ] && grep -q "Match Group sshusers" "$ADDON_CONFIG" 2>/dev/null; then
+            MATCH_SSHUSERS_FOUND=true
+            print_status "OK" "Match Group sshusers found in addon config"
+        fi
+    elif sudo test -f "$ADDON_CONFIG" 2>/dev/null && sudo grep -q "Match Group sshusers" "$ADDON_CONFIG" 2>/dev/null; then
+        MATCH_SSHUSERS_FOUND=true
+        print_status "OK" "Match Group sshusers found in addon config"
+    fi
+fi
+
+if [ "$MATCH_SSHUSERS_FOUND" = false ]; then
+    print_status "WARNING" "Match Group sshusers NOT found (needed for SSH access)"
+    echo "  Note: This may be in the addon config file that requires root to read"
+    echo "  Check: sudo grep 'Match Group sshusers' $ADDON_CONFIG"
+fi
+
+# Test SSH config syntax (requires root)
+if [ "$EUID" -eq 0 ]; then
+    if sshd -t 2>&1; then
        print_status "OK" "SSH configuration syntax is valid"
-else
+    else
+        SSH_TEST_OUTPUT=$(sshd -t 2>&1)
        print_status "ERROR" "SSH configuration syntax is INVALID!"
-    echo "  Run: sshd -t (as root) to see errors"
+        echo "  Errors:"
+        echo "$SSH_TEST_OUTPUT" | sed 's/^/    /'
+    fi
+else
+    print_status "WARNING" "Cannot test SSH config syntax (requires root privileges)"
+    echo "  To test: sudo sshd -t"
+    echo "  Note: SSH service is running, so config is likely valid"
 fi
 echo