Fix group detection bug - use word boundary matching and improve variable handling

main
Anthony 2025-11-04 18:13:16 +08:00
parent 8ccdc1bfc8
commit 44297955d1
1 changed files with 18 additions and 9 deletions


@ -58,19 +58,26 @@ echo
echo "=== 2. USER GROUPS CHECK ==="
if id "$USERNAME" &>/dev/null; then
GROUPS=$(id -Gn "$USERNAME")
if echo "$GROUPS" | grep -q "sftpusers"; then
GROUPS=$(id -Gn "$USERNAME" 2>/dev/null)
GROUPS_LIST="$GROUPS"
# Debug: Show actual groups
echo " All groups: $GROUPS_LIST"
# Check for sftpusers or sshusers group
if echo "$GROUPS_LIST" | grep -qw "sftpusers"; then
print_status "OK" "User is in sftpusers group (SFTP-only access)"
elif echo "$GROUPS" | grep -q "sshusers"; then
elif echo "$GROUPS_LIST" | grep -qw "sshusers"; then
print_status "OK" "User is in sshusers group (SSH+SFTP access)"
else
print_status "ERROR" "User is NOT in sftpusers or sshusers group!"
echo " Current groups: $GROUPS"
echo " Current groups: $GROUPS_LIST"
echo " Fix: usermod -aG sftpusers $USERNAME (for SFTP-only)"
echo " Fix: usermod -aG sshusers $USERNAME (for SSH+SFTP)"
fi
if echo "$GROUPS" | grep -q "litespeed"; then
# Check for litespeed group
if echo "$GROUPS_LIST" | grep -qw "litespeed"; then
print_status "OK" "User is in litespeed group"
else
print_status "WARNING" "User is NOT in litespeed group (may affect file access)"
@ -301,20 +308,22 @@ echo
echo "=== 9. AUTHENTICATION TEST (SIMULATED) ==="
if id "$USERNAME" &>/dev/null; then
USER_SHELL=$(getent passwd $USERNAME | cut -d: -f7)
AUTH_GROUPS=$(id -Gn "$USERNAME" 2>/dev/null)
if [ "$USER_SHELL" = "/sbin/nologin" ]; then
GROUPS=$(id -Gn "$USERNAME")
if echo "$GROUPS" | grep -q "sftpusers"; then
if echo "$AUTH_GROUPS" | grep -qw "sftpusers"; then
print_status "OK" "User configured for SFTP-only (nologin shell + sftpusers group)"
echo " Note: This user can ONLY use SFTP, not SSH shell access"
else
print_status "ERROR" "User has nologin shell but NOT in sftpusers group!"
echo " Current groups: $AUTH_GROUPS"
fi
elif [ "$USER_SHELL" = "/bin/bash" ] || [ "$USER_SHELL" = "/bin/sh" ]; then
GROUPS=$(id -Gn "$USERNAME")
if echo "$GROUPS" | grep -q "sshusers"; then
if echo "$AUTH_GROUPS" | grep -qw "sshusers"; then
print_status "OK" "User configured for SSH+SFTP (bash shell + sshusers group)"
else
print_status "ERROR" "User has bash shell but NOT in sshusers group!"
echo " Current groups: $AUTH_GROUPS"
echo " Fix: usermod -aG sshusers $USERNAME"
fi
else
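Review bot: In the first hunk (section 2) the new lines `GROUPS=$(id -Gn "$USERNAME" 2>/dev/null)` and `GROUPS_LIST="$GROUPS"` still go through `GROUPS`, which in bash is a special array of the invoking user's numeric group IDs whose assignments are silently ignored. `GROUPS_LIST` would therefore hold the caller's first GID rather than the target user's group names, assuming the script runs under bash as `&>` suggests (the shebang is not visible). Assign directly, as the second hunk already does with `AUTH_GROUPS`: `GROUPS_LIST=$(id -Gn "$USERNAME" 2>/dev/null)`. Separately, `grep -qw` treats `-` and `.` as word separators, so a hypothetical group named `sftpusers-old` would still pass the check in both hunks; an exact per-name match such as `id -Gn "$USERNAME" | tr ' ' '\n' | grep -qxF sftpusers` keeps the audit from reporting access-group membership the account does not have. The `if` chain in section 9 continues past the end of the second hunk.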