From 7dc59911edb780ca66bee905a7904b57873b8ebd Mon Sep 17 00:00:00 2001
From: Anthony
Date: Wed, 30 Jul 2025 00:47:55 +0800
Subject: [PATCH] Revised fixes on ssh
---
 add-sftp.sh | 11 +++++++++--
 manifest.jps | 12 ++++++++++++
 scripts/system_prep.sh | 18 ++++++++++++++++++
 3 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/add-sftp.sh b/add-sftp.sh
index 969bd93..018e840 100644
--- a/add-sftp.sh
+++ b/add-sftp.sh
@@ -119,18 +119,25 @@ if [ ! -d "/home/sftpusers" ]; then
 fi
 log_success "Directory setup completed"
 
+# Determine shell path
+if [ "$SSH_ENABLED" = "true" ]; then
+ USER_SHELL="/shell/bin/bash"
+else
+ USER_SHELL="/sbin/nologin"
+fi
+
 # Create the user account
 log "Phase 6: Creating user account"
 if [ "$SSH_ENABLED" = "true" ]; then
 log "Creating user with SSH access"
- if ! log_cmd "useradd -d $USER_HOME -m -s /bin/bash $USERNAME" "Creating user with bash shell"; then
+ if ! log_cmd "useradd -d $USER_HOME -m -s $USER_SHELL $USERNAME" "Creating user with SSH shell inside jail"; then
 log_error "Failed to create user account with SSH access"
 echo "ERROR: Failed to create user account with SSH access" >&2
 exit 1
 fi
 else
 log "Creating user with SFTP-only access"
- if ! log_cmd "useradd -d $USER_HOME -m -s /sbin/nologin $USERNAME" "Creating user with nologin shell"; then
+ if ! log_cmd "useradd -d $USER_HOME -m -s $USER_SHELL $USERNAME" "Creating user with nologin shell"; then
 log_error "Failed to create user account with SFTP-only access"
 echo "ERROR: Failed to create user account with SFTP-only access" >&2
 exit 1
diff --git a/manifest.jps b/manifest.jps
index 6ab0846..964b895 100644
--- a/manifest.jps
+++ b/manifest.jps
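Review bot: `USER_SHELL="/shell/bin/bash"` only resolves inside the user's sshd ChrootDirectory; `useradd -s` accepts it without checking on the host, so nothing in this hunk verifies that the shell template the jail needs exists before the account is created, and the assignment carries no comment saying the path is chroot-relative. I would add `# Chroot-relative: resolved under the user's ChrootDirectory, where $USER_HOME/shell is presumably bind-mounted from /home/sftp-shell` above the assignment, and guard the SSH branch with `[ -x /home/sftp-shell/bin/bash ] || { log_error "Shell template missing; run system_prep.sh first"; exit 1; }` so a missing template fails here rather than as an exec error at first login. The bind mount itself is not in this commit; since the shell lives under the user's own home, it should be mounted read-only and root-owned so the account cannot alter its own shell binary. Both branches now run the identical `useradd` line and differ only in log text, so the `if`/`else` could collapse to one call; the `else` branch continues past the end of the hunk.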
@@ -335,6 +335,18 @@ actions: sed -i "\|/home/sftpusers/${settings.manage_username}/data/ROOT|d" /etc/fstab fi + # Unmount shell template if mounted + if mount | grep -q "/home/sftpusers/${settings.manage_username}/shell"; then + log "Unmounting shell bind mount for user: ${settings.manage_username}" + umount /home/sftpusers/${settings.manage_username}/shell + fi + + # Remove shell mount from fstab + if grep -q "/home/sftpusers/${settings.manage_username}/shell" /etc/fstab; then + log "Removing shell bind mount from fstab for user: ${settings.manage_username}" + sed -i "\|/home/sftpusers/${settings.manage_username}/shell|d" /etc/fstab + fi + # Delete user account if userdel ${settings.manage_username}; then log_success "User account deleted: ${settings.manage_username}" diff --git a/scripts/system_prep.sh b/scripts/system_prep.sh index b4da313..1ae6803 100644 --- a/scripts/system_prep.sh +++ b/scripts/system_prep.sh 
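Review bot: The `umount` of the shell bind mount is unchecked, so when it fails (EBUSY while the user still has a live SSH session holding the chroot open) the action continues to `userdel` with the template still mounted under the user's home, and if a later step removes that home directory (not visible in this hunk) it would recurse into the bind-mounted template shared by every jailed user. Replace the bare call with `umount "/home/sftpusers/${settings.manage_username}/shell" || { log_error "Failed to unmount shell for ${settings.manage_username}; aborting before userdel"; exit 1; }`, and end the user's sessions before this step so the unmount can succeed. Test for the mount with `mountpoint -q "/home/sftpusers/${settings.manage_username}/shell"` rather than `mount | grep -q`, which is a regex substring match against the whole mount table. The added `sed -i "\|...|d"` places the unquoted username inside a regex exactly like the existing ROOT line above it, so both are only safe if manage_username is validated upstream, which I cannot see from this hunk.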
@@ -101,6 +101,24 @@ EOF log_cmd "chown root:root /home/sftpusers" "Setting /home/sftpusers ownership to root:root" log_cmd "chmod 755 /home/sftpusers" "Setting /home/sftpusers permissions to 755" + # -------------------------------------------------------------------------- + # Step 5: Build read-only shell template for jailed SSH users + # -------------------------------------------------------------------------- + local shell_tmpl="/home/sftp-shell" + if [ ! -x "$shell_tmpl/bin/bash" ]; then + log "Creating minimal shell environment at $shell_tmpl" + log_cmd "mkdir -p $shell_tmpl/bin $shell_tmpl/lib64" "Creating template directories" + log_cmd "cp /bin/bash $shell_tmpl/bin/" "Copying bash binary" + # Copy required shared libraries for bash + for lib in $(ldd /bin/bash | awk '{print $3}' | grep -E '^/'); do + log_cmd "cp --dereference $lib $shell_tmpl/lib64/" "Copying $(basename $lib)" + done + log_cmd "chmod -R 755 $shell_tmpl" "Setting permissions on shell template" + log_success "Shell template created for jailed SSH users" + else + log_debug "Shell template already exists, skipping rebuild." + fi + log_success "System preparation complete." return 0 } \ No newline at end of file
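Review bot: The library-copy loop takes field `$3` of `ldd` output, but on glibc systems the dynamic loader line (`/lib64/ld-linux-x86-64.so.2 (0x...)`) carries the path in `$1` with no `=>`, so the loader is never copied into `$shell_tmpl/lib64` and the jailed bash cannot start at all, even though every `.so` it links is present. Widen the filter to `for lib in $(ldd /bin/bash | awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}'); do`, which also drops `=> not found` entries that the old `grep -E '^/'` excluded. If this is ever run on a multiarch host (libraries under `/lib/x86_64-linux-gnu`), flattening everything into `lib64/` puts the copies where the loader does not search, so `cp --dereference --parents` into `$shell_tmpl/` would be the safer layout. Separately, the `if [ ! -x "$shell_tmpl/bin/bash" ]` guard means the template is built once and never refreshed, so host updates to bash or glibc leave the jail running stale copies; `if [ ! -x "$shell_tmpl/bin/bash" ] || [ /bin/bash -nt "$shell_tmpl/bin/bash" ]; then` would at least rebuild when the host binary is newer. The enclosing function starts outside the hunk.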