Revised fixes on ssh

add-sftp.sh

@@ -119,18 +119,25 @@ if [ ! -d "/home/sftpusers" ]; then
 fi
 log_success "Directory setup completed"
 
+# Determine shell path
+if [ "$SSH_ENABLED" = "true" ]; then
+    USER_SHELL="/shell/bin/bash"
+else
+    USER_SHELL="/sbin/nologin"
+fi
+
 # Create the user account
 log "Phase 6: Creating user account"
 if [ "$SSH_ENABLED" = "true" ]; then
     log "Creating user with SSH access"
-    if ! log_cmd "useradd -d $USER_HOME -m -s /bin/bash $USERNAME" "Creating user with bash shell"; then
+    if ! log_cmd "useradd -d $USER_HOME -m -s $USER_SHELL $USERNAME" "Creating user with SSH shell inside jail"; then
         log_error "Failed to create user account with SSH access"
         echo "ERROR: Failed to create user account with SSH access" >&2
         exit 1
     fi
 else
     log "Creating user with SFTP-only access"
-    if ! log_cmd "useradd -d $USER_HOME -m -s /sbin/nologin $USERNAME" "Creating user with nologin shell"; then
+    if ! log_cmd "useradd -d $USER_HOME -m -s $USER_SHELL $USERNAME" "Creating user with nologin shell"; then
         log_error "Failed to create user account with SFTP-only access"
         echo "ERROR: Failed to create user account with SFTP-only access" >&2
         exit 1

manifest.jps

@@ -335,6 +335,18 @@ actions:
             sed -i "\|/home/sftpusers/${settings.manage_username}/data/ROOT|d" /etc/fstab
           fi
           
+          # Unmount shell template if mounted
+          if mount | grep -q "/home/sftpusers/${settings.manage_username}/shell"; then
+            log "Unmounting shell bind mount for user: ${settings.manage_username}"
+            umount /home/sftpusers/${settings.manage_username}/shell
+          fi
+          
+          # Remove shell mount from fstab
+          if grep -q "/home/sftpusers/${settings.manage_username}/shell" /etc/fstab; then
+            log "Removing shell bind mount from fstab for user: ${settings.manage_username}"
+            sed -i "\|/home/sftpusers/${settings.manage_username}/shell|d" /etc/fstab
+          fi
+
           # Delete user account
           if userdel ${settings.manage_username}; then
             log_success "User account deleted: ${settings.manage_username}"

scripts/system_prep.sh

@@ -101,6 +101,24 @@ EOF
     log_cmd "chown root:root /home/sftpusers" "Setting /home/sftpusers ownership to root:root"
     log_cmd "chmod 755 /home/sftpusers" "Setting /home/sftpusers permissions to 755"
 
+    # --------------------------------------------------------------------------
+    # Step 5: Build read-only shell template for jailed SSH users
+    # --------------------------------------------------------------------------
+    local shell_tmpl="/home/sftp-shell"
+    if [ ! -x "$shell_tmpl/bin/bash" ]; then
+        log "Creating minimal shell environment at $shell_tmpl"
+        log_cmd "mkdir -p $shell_tmpl/bin $shell_tmpl/lib64" "Creating template directories"
+        log_cmd "cp /bin/bash $shell_tmpl/bin/" "Copying bash binary"
+        # Copy required shared libraries for bash
+        for lib in $(ldd /bin/bash | awk '{print $3}' | grep -E '^/'); do
+            log_cmd "cp --dereference $lib $shell_tmpl/lib64/" "Copying $(basename $lib)"
+        done
+        log_cmd "chmod -R 755 $shell_tmpl" "Setting permissions on shell template"
+        log_success "Shell template created for jailed SSH users"
+    else
+        log_debug "Shell template already exists, skipping rebuild."
+    fi
+
     log_success "System preparation complete."
     return 0
 }