From ca6338613c3bbedf59e3331eeb5bfa01b80f6e4d Mon Sep 17 00:00:00 2001
From: Anthony
Date: Wed, 1 Nov 2023 14:42:52 +0800
Subject: [PATCH] Added more security
---
 add-sftp.sh | 62 ++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 40 insertions(+), 22 deletions(-)
diff --git a/add-sftp.sh b/add-sftp.sh
index a9f9bc2..d245aec 100644
--- a/add-sftp.sh
+++ b/add-sftp.sh
@@ -1,8 +1,20 @@
 #!/bin/bash
 LOG_FILE="/home/jelastic/add-sftp-user-addon/logs/script_output.log"
+VERBOSE=1 # Set to 1 for verbose mode, 0 for normal mode
-echo "Script started" >> $LOG_FILE
+log() {
+ local timestamp=$(date +"%Y-%m-%d %H:%M:%S")
+ echo "$timestamp - $1" >> $LOG_FILE
+ if [ "$VERBOSE" -eq 1 ]; then
+ echo "$timestamp - $1"
+ fi
+}
+
+error_exit() {
+ log "ERROR: $1"
+ exit 1
+}
 # Generate random username and password
 USERNAME=$1
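Review bot: With `VERBOSE=1` the new `log()` prints every message to stdout, where it interleaves with the JSON object the script emits on its final line, so any caller that parses stdout as JSON will break; send the console copy to stderr instead, `echo "$timestamp - $1" >&2`. In the same function `$LOG_FILE` is unquoted in the redirect and `local timestamp=$(date …)` hides the exit status of `date` behind `local`; `local timestamp; timestamp=$(date +"%Y-%m-%d %H:%M:%S")` and `>> "$LOG_FILE"` keep both honest. The script still runs without `set -euo pipefail`, so the explicit `if [ $? -ne 0 ]` checks further down remain its only error handling.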
@@ -12,58 +24,64 @@ PASSWORD=$2
 USER_HOME="/home/$USERNAME"
 # The shared directory
 ROOT_DIRECTORY="/var/www/webroot/ROOT"
-# Get the group ownership of the ROOT_DIRECTORY
-ROOT_GROUP=$(stat -c '%G' $ROOT_DIRECTORY)
+
+log "Script started"
 # Ensure the ROOT_DIRECTORY exists
 if [ ! -d "$ROOT_DIRECTORY" ]; then
- echo "ROOT_DIRECTORY $ROOT_DIRECTORY does not exist." >> $LOG_FILE
- exit 1
+ error_exit "ROOT_DIRECTORY $ROOT_DIRECTORY does not exist."
 fi
+# Get the owner and group of the ROOT_DIRECTORY
+ROOT_OWNER=$(stat -c '%U' $ROOT_DIRECTORY)
+ROOT_GROUP=$(stat -c '%G' $ROOT_DIRECTORY)
+
 # Check if user already exists
 if id "$USERNAME" &>/dev/null; then
- echo "User $USERNAME already exists." >> $LOG_FILE
- exit 1
+ log "ERROR: User $USERNAME already exists."
+ exit 3
 fi
 # Create user with their own home directory
 useradd -m $USERNAME
 if [ $? -ne 0 ]; then
- echo "Failed to create user $USERNAME." >> $LOG_FILE
- exit 1
+ error_exit "Failed to create user $USERNAME."
 fi
 echo "$USERNAME:$PASSWORD" | chpasswd
 # Create a symlink in the user's home directory pointing to the shared ROOT_DIRECTORY
 ln -s $ROOT_DIRECTORY $USER_HOME/ROOT
 if [ $? -ne 0 ]; then
- echo "Failed to create symlink for $USERNAME." >> $LOG_FILE
- exit 1
+ error_exit "Failed to create symlink for $USERNAME."
 fi
-echo "Symlink created for $USERNAME pointing to $ROOT_DIRECTORY" >> $LOG_FILE
+log "Symlink created for $USERNAME pointing to $ROOT_DIRECTORY"
-# Set user's group to the ROOT_GROUP and any other groups as needed (e.g., root)
-usermod -aG $ROOT_GROUP,root $USERNAME
+# Set user's group to the ROOT_GROUP
+usermod -aG $ROOT_GROUP $USERNAME
 if [ $? -ne 0 ]; then
- echo "Failed to modify groups for $USERNAME." >> $LOG_FILE
- exit 1
+ error_exit "Failed to modify groups for $USERNAME."
 fi
-echo "$USERNAME added to groups $ROOT_GROUP and root" >> $LOG_FILE
+log "$USERNAME added to group $ROOT_GROUP"
 # Check if the user-specific directory already exists
+USER_SPECIFIC_DIR="$ROOT_DIRECTORY/$USERNAME"
 if [ ! -d "$USER_SPECIFIC_DIR" ]; then
 # Create a user-specific directory inside ROOT_DIRECTORY
 mkdir $USER_SPECIFIC_DIR
- chown $USERNAME:$ROOT_GROUP $USER_SPECIFIC_DIR
- chmod 750 $USER_SPECIFIC_DIR # Owner has rwx, group has r-x, others have no permissions
-else
- echo "User-specific directory $USER_SPECIFIC_DIR already exists." >> $LOG_FILE
 fi
+# Adjust permissions and ownership for the user-specific directory
+chown $USERNAME:$ROOT_GROUP $USER_SPECIFIC_DIR
+chmod 750 $USER_SPECIFIC_DIR # Owner has rwx, group has r-x, others have no permissions
+
+# Adjust permissions and ownership for the ROOT_DIRECTORY
+chown -R :$ROOT_GROUP /var/www/webroot/ROOT/
+find /var/www/webroot/ROOT/ -type d -exec chmod 770 {} \; # For directories
+find /var/www/webroot/ROOT/ -type f -exec chmod 660 {} \; # For files
+
 # Set the SetGID bit on ROOT_DIRECTORY
 chmod g+s $ROOT_DIRECTORY
 HOSTNAME=$(hostname -f)
-echo "Script completed for user $USERNAME with hostname $HOSTNAME" >> $LOG_FILE
+log "Script completed for user $USERNAME with hostname $HOSTNAME"
 echo "{ \"USERNAME\": \"$USERNAME\", \"PASSWORD\": \"$PASSWORD\" }"
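Review bot: The added `chown -R :$ROOT_GROUP /var/www/webroot/ROOT/` and the two `find … -exec chmod 770/660` lines rewrite ownership and modes of the entire shared webroot on every run, giving every member of `$ROOT_GROUP` write access everywhere under it, which makes the `chmod 750` applied to `$USER_SPECIFIC_DIR` just above ineffective as isolation and also strips execute bits from any scripts in the tree. If the intent is only to prepare the new user's area, scope these to `"$USER_SPECIFIC_DIR"` and use `"$ROOT_DIRECTORY"` rather than repeating the path literal; if tree-wide group write is intended, say so in a comment next to the `chown -R`. `ROOT_OWNER` is assigned but never read. `USERNAME` comes straight from `$1` and is expanded unquoted into `useradd -m $USERNAME`, `mkdir $USER_SPECIFIC_DIR` and the `chown`, so an empty or space-containing argument silently changes those commands' arguments; a guard such as `[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || error_exit "Invalid username: $USERNAME"` placed before the `id` check would close that, and `mkdir` should get the same `|| error_exit` treatment the other commands now have.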