Fix webroot write permissions - ensure ROOT directory has litespeed group ownership and group write permissions

README.md

@@ -1,3 +1,9 @@
+Version 0.7 Changelogs:
+- Fixed critical password setting bug - passwords were not being set due to variable expansion issue in chpasswd command
+- Added automatic webroot permission configuration - ensures /var/www/webroot/ROOT has litespeed group ownership and group write permissions
+- Created comprehensive diagnostic script (check-sftp-user.sh) for troubleshooting user account issues
+- Added detailed troubleshooting guide (TROUBLESHOOTING.md) with diagnostic commands and solutions
+
 Version 0.6 Changelogs:
 - Implemented separate form for deleting users to avoid requiring password input when deleting
 - Fixed SFTP connection "broken pipe" errors by correcting /home directory permissions (root:root with 755)

add-sftp.sh

@@ -217,6 +217,39 @@ fi
 log_cmd "usermod -aG litespeed $USERNAME" "Adding user to litespeed group for file access"
 log_success "Added $USERNAME to litespeed group for file access"
 
+# Ensure webroot has correct group ownership and permissions for write access
+log "Phase 10b: Verifying webroot permissions for group write access"
+if [ -d "$ROOT_DIRECTORY" ]; then
+    # Check if litespeed group exists
+    if getent group litespeed > /dev/null; then
+        # Check current group ownership
+        CURRENT_GROUP=$(stat -c '%G' "$ROOT_DIRECTORY" 2>/dev/null)
+        if [ "$CURRENT_GROUP" != "litespeed" ]; then
+            log "Setting webroot group ownership to litespeed (was: $CURRENT_GROUP)"
+            log_cmd "chgrp -R litespeed $ROOT_DIRECTORY" "Setting webroot group to litespeed"
+        fi
+        
+        # Check if group write permission exists
+        # Group write exists if second digit is 7(rwx), 6(rw-), 3(-wx), or 2(-w-)
+        CURRENT_PERMS=$(stat -c '%a' "$ROOT_DIRECTORY" 2>/dev/null)
+        if [ -n "$CURRENT_PERMS" ]; then
+            # Extract group write bit (second digit)
+            GROUP_WRITE_BIT=$(echo "$CURRENT_PERMS" | cut -c2)
+            # Check if write bit is NOT set (4=r--, 5=r-x, 1=--x, 0=---)
+            if [ "$GROUP_WRITE_BIT" = "4" ] || [ "$GROUP_WRITE_BIT" = "5" ] || [ "$GROUP_WRITE_BIT" = "1" ] || [ "$GROUP_WRITE_BIT" = "0" ]; then
+                log "Adding group write permissions to webroot (current: $CURRENT_PERMS)"
+                log_cmd "chmod -R g+w $ROOT_DIRECTORY" "Adding group write permissions to webroot"
+            else
+                log_debug "Webroot already has group write permissions (current: $CURRENT_PERMS)"
+            fi
+        fi
+    else
+        log_warning "litespeed group does not exist, skipping webroot permission setup"
+    fi
+else
+    log_warning "Webroot directory $ROOT_DIRECTORY does not exist, skipping permission check"
+fi
+
 # Create welcome file
 log "Phase 11: Creating welcome file"
 cat > $USER_HOME/data/welcome.txt << EOF

manifest.jps

@@ -1,4 +1,4 @@
-version: 0.6
+version: 0.7
 id: addsftp
 type: update
 description: An addon to add new SFTP users for Jelastic Virtuozzo LLSMP environments. It manages user accounts with secure SFTP access and optional SSH access with proper chroot jailing.

scripts/system_prep.sh

@@ -106,6 +106,48 @@ EOF
     log_cmd "chown root:root /home/sftpusers" "Setting /home/sftpusers ownership to root:root"
     log_cmd "chmod 755 /home/sftpusers" "Setting /home/sftpusers permissions to 755"
 
+    # --------------------------------------------------------------------------
+    # Step 5: Ensure webroot has correct group ownership and permissions
+    # --------------------------------------------------------------------------
+    local webroot_dir="/var/www/webroot/ROOT"
+    if [ -d "$webroot_dir" ]; then
+        log "Ensuring webroot directory has correct group ownership and permissions..."
+        
+        # Check if litespeed group exists, create if not
+        if ! getent group litespeed > /dev/null; then
+            log "Creating litespeed group"
+            log_cmd "groupadd litespeed" "Creating litespeed group"
+        fi
+        
+        # Check current group ownership
+        local current_group=$(stat -c '%G' "$webroot_dir" 2>/dev/null)
+        if [ "$current_group" != "litespeed" ]; then
+            log "Setting webroot group ownership to litespeed (was: $current_group)"
+            log_cmd "chgrp -R litespeed $webroot_dir" "Setting webroot group to litespeed"
+        else
+            log_debug "Webroot already owned by litespeed group"
+        fi
+        
+        # Check if group write permission exists
+        # Group write exists if second digit is 7(rwx), 6(rw-), 3(-wx), or 2(-w-)
+        local current_perms=$(stat -c '%a' "$webroot_dir" 2>/dev/null)
+        if [ -n "$current_perms" ]; then
+            # Extract group write bit (second digit)
+            local group_write_bit=$(echo "$current_perms" | cut -c2)
+            # Check if write bit is NOT set (4=r--, 5=r-x, 1=--x, 0=---)
+            if [ "$group_write_bit" = "4" ] || [ "$group_write_bit" = "5" ] || [ "$group_write_bit" = "1" ] || [ "$group_write_bit" = "0" ]; then
+                log "Adding group write permissions to webroot (current: $current_perms)"
+                log_cmd "chmod -R g+w $webroot_dir" "Adding group write permissions to webroot"
+            else
+                log_debug "Webroot already has group write permissions (current: $current_perms)"
+            fi
+        fi
+        
+        log_success "Webroot permissions configured for group access"
+    else
+        log_warning "Webroot directory $webroot_dir does not exist, skipping permission setup"
+    fi
+
     log_success "System preparation complete."
     return 0
 }