Added more security

add-sftp.sh

@@ -1,8 +1,20 @@
 #!/bin/bash
 
 LOG_FILE="/home/jelastic/add-sftp-user-addon/logs/script_output.log"
+VERBOSE=1  # Set to 1 for verbose mode, 0 for normal mode
 
-echo "Script started" >> $LOG_FILE
+log() {
+    local timestamp=$(date +"%Y-%m-%d %H:%M:%S")
+    echo "$timestamp - $1" >> $LOG_FILE
+    if [ "$VERBOSE" -eq 1 ]; then
+        echo "$timestamp - $1"
+    fi
+}
+
+error_exit() {
+    log "ERROR: $1"
+    exit 1
+}
 
 # Generate random username and password
 USERNAME=$1
@@ -12,58 +24,64 @@ PASSWORD=$2
 USER_HOME="/home/$USERNAME"
 # The shared directory
 ROOT_DIRECTORY="/var/www/webroot/ROOT"
-# Get the group ownership of the ROOT_DIRECTORY
+
-ROOT_GROUP=$(stat -c '%G' $ROOT_DIRECTORY)
+log "Script started"
 
 # Ensure the ROOT_DIRECTORY exists
 if [ ! -d "$ROOT_DIRECTORY" ]; then
-    echo "ROOT_DIRECTORY $ROOT_DIRECTORY does not exist." >> $LOG_FILE
+    error_exit "ROOT_DIRECTORY $ROOT_DIRECTORY does not exist."
-    exit 1
 fi
 
+# Get the owner and group of the ROOT_DIRECTORY
+ROOT_OWNER=$(stat -c '%U' $ROOT_DIRECTORY)
+ROOT_GROUP=$(stat -c '%G' $ROOT_DIRECTORY)
+
 # Check if user already exists
 if id "$USERNAME" &>/dev/null; then
-    echo "User $USERNAME already exists." >> $LOG_FILE
+    log "ERROR: User $USERNAME already exists."
-    exit 1
+    exit 3
 fi
 
 # Create user with their own home directory
 useradd -m $USERNAME
 if [ $? -ne 0 ]; then
-    echo "Failed to create user $USERNAME." >> $LOG_FILE
+    error_exit "Failed to create user $USERNAME."
-    exit 1
 fi
 echo "$USERNAME:$PASSWORD" | chpasswd
 
 # Create a symlink in the user's home directory pointing to the shared ROOT_DIRECTORY
 ln -s $ROOT_DIRECTORY $USER_HOME/ROOT
 if [ $? -ne 0 ]; then
-    echo "Failed to create symlink for $USERNAME." >> $LOG_FILE
+    error_exit "Failed to create symlink for $USERNAME."
-    exit 1
 fi
-echo "Symlink created for $USERNAME pointing to $ROOT_DIRECTORY" >> $LOG_FILE
+log "Symlink created for $USERNAME pointing to $ROOT_DIRECTORY"
 
-# Set user's group to the ROOT_GROUP and any other groups as needed (e.g., root)
+# Set user's group to the ROOT_GROUP
-usermod -aG $ROOT_GROUP,root $USERNAME
+usermod -aG $ROOT_GROUP $USERNAME
 if [ $? -ne 0 ]; then
-    echo "Failed to modify groups for $USERNAME." >> $LOG_FILE
+    error_exit "Failed to modify groups for $USERNAME."
-    exit 1
 fi
-echo "$USERNAME added to groups $ROOT_GROUP and root" >> $LOG_FILE
+log "$USERNAME added to group $ROOT_GROUP"
 
 # Check if the user-specific directory already exists
+USER_SPECIFIC_DIR="$ROOT_DIRECTORY/$USERNAME"
 if [ ! -d "$USER_SPECIFIC_DIR" ]; then
     # Create a user-specific directory inside ROOT_DIRECTORY
     mkdir $USER_SPECIFIC_DIR
-    chown $USERNAME:$ROOT_GROUP $USER_SPECIFIC_DIR
-    chmod 750 $USER_SPECIFIC_DIR  # Owner has rwx, group has r-x, others have no permissions
-else
-    echo "User-specific directory $USER_SPECIFIC_DIR already exists." >> $LOG_FILE
 fi
 
+# Adjust permissions and ownership for the user-specific directory
+chown $USERNAME:$ROOT_GROUP $USER_SPECIFIC_DIR
+chmod 750 $USER_SPECIFIC_DIR  # Owner has rwx, group has r-x, others have no permissions
+
+# Adjust permissions and ownership for the ROOT_DIRECTORY
+chown -R :$ROOT_GROUP /var/www/webroot/ROOT/
+find /var/www/webroot/ROOT/ -type d -exec chmod 770 {} \;  # For directories
+find /var/www/webroot/ROOT/ -type f -exec chmod 660 {} \;  # For files
+
 # Set the SetGID bit on ROOT_DIRECTORY
 chmod g+s $ROOT_DIRECTORY
 
 HOSTNAME=$(hostname -f)
-echo "Script completed for user $USERNAME with hostname $HOSTNAME" >> $LOG_FILE
+log "Script completed for user $USERNAME with hostname $HOSTNAME"
 echo "{ \"USERNAME\": \"$USERNAME\", \"PASSWORD\": \"$PASSWORD\" }"