From f1ce21de2b94e9041e60ef699285577c49e178ce Mon Sep 17 00:00:00 2001
From: Anthony
Date: Wed, 30 Jul 2025 01:14:57 +0800
Subject: [PATCH] Final fix for SSH acct creation
---
 add-sftp.sh | 27 ++-------------------------
 manifest.jps | 13 -------------
 scripts/system_prep.sh | 28 ++++------------------------
 3 files changed, 6 insertions(+), 62 deletions(-)
diff --git a/add-sftp.sh b/add-sftp.sh
index a82d41b..901bc1d 100644
--- a/add-sftp.sh
+++ b/add-sftp.sh
@@ -121,7 +121,7 @@ log_success "Directory setup completed"
 # Determine shell path
 if [ "$SSH_ENABLED" = "true" ]; then
- USER_SHELL="/shell/bin/bash"
+ USER_SHELL="/bin/bash"
 else
 USER_SHELL="/sbin/nologin"
 fi
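Review bot: `USER_SHELL="/bin/bash"` is now a host path while the `# Determine shell path` comment gives no hint why the chroot-relative `/shell/bin/bash` went away, so the two values read like a typo fix rather than the design change they are. Suggest `# SSH users are not chrooted (scripts/system_prep.sh no longer sets ChrootDirectory for sshusers), so the host shell is used; SFTP-only users get nologin`. OpenSSH refuses to log in a user whose login shell does not exist or is not executable, so a guard such as `[ -x "$USER_SHELL" ] || { log "Shell $USER_SHELL not found"; exit 1; }` before the account is created (that step is outside this hunk) would turn a silent lockout into a clear error; note that `/sbin/nologin` in the else branch lives at `/usr/sbin/nologin` on Debian-derived systems.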
@@ -194,30 +194,7 @@ fi
 log_success "Created bind mount for webroot access"
-# Bind shell, dev, and proc into chroot for SSH users
-if [ "$SSH_ENABLED" = "true" ]; then
- log "Phase 9.1: Mounting shell/dev/proc into chroot"
- # 1. shell template
- if ! mount | grep -q "${USER_HOME}/shell"; then
- log_cmd "mkdir -p ${USER_HOME}/shell" "Creating shell mount point"
- log_cmd "mount --bind /home/sftp-shell ${USER_HOME}/shell" "Binding shell template"
- grep -q "/home/sftp-shell ${USER_HOME}/shell" /etc/fstab || echo "/home/sftp-shell ${USER_HOME}/shell none bind 0 0" >> /etc/fstab
- fi
- # 2. dev nodes
- if ! mount | grep -q "${USER_HOME}/dev"; then
- log_cmd "mkdir -p ${USER_HOME}/dev" "Creating dev mount point"
- log_cmd "mount --bind /home/sftp-shell/dev ${USER_HOME}/dev" "Binding dev nodes"
- grep -q "/home/sftp-shell/dev ${USER_HOME}/dev" /etc/fstab || echo "/home/sftp-shell/dev ${USER_HOME}/dev none bind 0 0" >> /etc/fstab
- fi
- # 3. read-only proc
- if ! mount | grep -q "${USER_HOME}/proc"; then
- log_cmd "mkdir -p ${USER_HOME}/proc" "Creating proc mount point"
- log_cmd "mount --bind /proc ${USER_HOME}/proc" "Binding proc"
- log_cmd "mount -o remount,bind,ro ${USER_HOME}/proc" "Remount proc read-only"
- grep -q "/proc ${USER_HOME}/proc" /etc/fstab || echo "/proc ${USER_HOME}/proc none bind,ro 0 0" >> /etc/fstab
- fi
- log_success "Shell, dev, and proc mounted into chroot"
-fi
+# No additional mounts needed for SSH users (no chroot)
 # Add user to the required groups
 log "Phase 10: Adding user to groups"
diff --git a/manifest.jps b/manifest.jps
index 4848c40..964b895 100644
--- a/manifest.jps
+++ b/manifest.jps
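Review bot: The replacement comment `# No additional mounts needed for SSH users (no chroot)` records what is no longer done but not the consequence: an sshusers account now runs the host's `/bin/bash` against the real filesystem, so only ownership and modes separate it from other tenants' data and from world-readable system files. Suggest stating that explicitly so the next maintainer does not re-add half a jail: `# SSH users are NOT chrooted: their shell sees the host filesystem; isolation relies on ownership/modes under /home/sftpusers (root:root 755 parent set in scripts/system_prep.sh) and on the sshd "Match Group sshusers" block`. Hosts provisioned by an earlier release presumably still carry the `${USER_HOME}/shell`, `${USER_HOME}/dev` and `${USER_HOME}/proc` bind mounts and the matching `/etc/fstab` lines this hunk stops creating; nothing in the commit unmounts them, which is better handled in a cleanup path than left as stale mounts under user homes.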
@@ -347,19 +347,6 @@ actions:
 sed -i "\|/home/sftpusers/${settings.manage_username}/shell|d" /etc/fstab
 fi
- # Unmount dev and proc
- if mount | grep -q "/home/sftpusers/${settings.manage_username}/dev"; then
- log "Unmounting dev bind mount for user: ${settings.manage_username}"
- umount /home/sftpusers/${settings.manage_username}/dev
- fi
- if mount | grep -q "/home/sftpusers/${settings.manage_username}/proc"; then
- log "Unmounting proc bind mount for user: ${settings.manage_username}"
- umount /home/sftpusers/${settings.manage_username}/proc
- fi
- # Remove from fstab
- sed -i "\|/home/sftpusers/${settings.manage_username}/dev|d" /etc/fstab
- sed -i "\|/home/sftpusers/${settings.manage_username}/proc|d" /etc/fstab
- # Delete user account
 if userdel ${settings.manage_username}; then
 log_success "User account deleted: ${settings.manage_username}"
diff --git a/scripts/system_prep.sh b/scripts/system_prep.sh
index a1834bd..308c1e9 100644
--- a/scripts/system_prep.sh
+++ b/scripts/system_prep.sh
@@ -58,9 +58,9 @@ prepare_sftp_system() {
 log "Creating dedicated SSH configuration at $addon_config_file..."
 echo "Subsystem sftp internal-sftp" > "$addon_config_file"
- # This configuration uses a two-group system:
- # 1. 'sftpusers': SFTP-only, forced into SFTP mode.
- # 2. 'sshusers': SFTP + SSH, allowed a real shell but still chrooted.
+ # Group-based policy:
+ # - sftpusers : SFTP-only, jailed
+ # - sshusers : full SSH + SFTP, NOT chrooted (still jailed by Linux user perms)
 cat >> "$addon_config_file" << EOF
 # Configuration managed by SFTP-Addon - DO NOT EDIT MANUALLY
@@ -73,10 +73,8 @@ Match Group sftpusers
 AllowTcpForwarding no
 X11Forwarding no
-# --- SSH & SFTP USERS ---
-# Users in this group can get a real SSH shell but are jailed to their home.
+# --- SSH & SFTP USERS (no chroot) ---
 Match Group sshusers
- ChrootDirectory /home/sftpusers/%u
 PasswordAuthentication yes
 AllowTcpForwarding no
 X11Forwarding no
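Review bot: The `/shell` cleanup in the context lines at the top of this hunk (`sed -i "\|/home/sftpusers/${settings.manage_username}/shell|d" /etc/fstab` and the unmount above it, whose `if` starts outside the hunk) is kept while the `dev` and `proc` cleanup is deleted, yet add-sftp.sh no longer creates any of the three mounts. Either all three cleanups should go, or all three should stay for the upgrade case where accounts created by the previous release still have those mounts; the half-removal leaves a deleted user's `dev` and `proc` bind mounts and fstab lines in place under the retained home. Separately, `${settings.manage_username}` is spliced unquoted into a sed address and onto the `userdel` command line, so the manifest's own input validation (not visible here) is the only thing stopping a name containing `|`, `/` or whitespace from matching other fstab entries; a comment naming that assumption would help, e.g. `# manage_username is validated as [a-z0-9_-]+ before this action runs — keep it that way`.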
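Review bot: The new comment `# - sshusers : full SSH + SFTP, NOT chrooted (still jailed by Linux user perms)` overstates the control: without ChrootDirectory a member of sshusers can read every world-readable path on the host (`/etc/passwd`, the addon's own sshd config, other homes where modes allow), run any installed binary and typically list other users' processes, so ownership and modes limit writes but do not jail the account. Suggest wording it as a risk statement rather than a guarantee: `# - sshusers : full SSH + SFTP, NOT chrooted — confined only by file ownership/modes; treat as a trusted host account`. prepare_sftp_system() continues outside this hunk.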
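Review bot: With `ChrootDirectory /home/sftpusers/%u` gone, the `Match Group sshusers` block grants an unconfined interactive login guarded only by `PasswordAuthentication yes` and the two forwarding switches, and the removed "jailed to their home" sentence is replaced only by the header, so the generated sshd file no longer tells an auditor that this group is not chrooted; put that back inside the heredoc, e.g. `# Members get a real shell on the host and are NOT chrooted; isolation is by file ownership/modes only`. Consider also closing the channels the chroot used to make moot, `AllowAgentForwarding no` and `PermitTunnel no`, in the same block. If an account can belong to both groups (add-sftp.sh's "Adding user to groups" phase suggests membership is plural), sshd uses the first obtained value for each keyword, so the earlier `Match Group sftpusers` settings win for such users — worth a sentence in the comment. The heredoc and prepare_sftp_system() both continue outside this hunk.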
@@ -108,24 +106,6 @@ EOF
 log_cmd "chown root:root /home/sftpusers" "Setting /home/sftpusers ownership to root:root"
 log_cmd "chmod 755 /home/sftpusers" "Setting /home/sftpusers permissions to 755"
- # --------------------------------------------------------------------------
- # Step 5: Build read-only shell template for jailed SSH users
- # --------------------------------------------------------------------------
- local shell_tmpl="/home/sftp-shell"
- if [ ! -x "$shell_tmpl/bin/bash" ]; then
- log "Creating minimal shell environment at $shell_tmpl"
- log_cmd "mkdir -p $shell_tmpl/bin $shell_tmpl/lib64" "Creating template directories"
- log_cmd "cp /bin/bash $shell_tmpl/bin/" "Copying bash binary"
- # Copy required shared libraries for bash
- for lib in $(ldd /bin/bash | awk '{print $3}' | grep -E '^/'); do
- log_cmd "cp --dereference $lib $shell_tmpl/lib64/" "Copying $(basename $lib)"
- done
- log_cmd "chmod -R 755 $shell_tmpl" "Setting permissions on shell template"
- log_success "Shell template created for jailed SSH users"
- else
- log_debug "Shell template already exists, skipping rebuild."
- fi
- log_success "System preparation complete."
 return 0
 }
\ No newline at end of file
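Review bot: Deleting Step 5 stops building `/home/sftp-shell` but adds no migration for hosts prepared by the previous release, where the template directory, the per-user `shell`/`dev`/`proc` bind mounts and their `/etc/fstab` entries (formats visible in the add-sftp.sh hunk above) still exist and will presumably be re-mounted at boot; the surviving `log_success "System preparation complete."` then reports a clean state that is not true on upgraded hosts. An idempotent cleanup in the same position would close this; prepare_sftp_system() starts outside the hunk, and `/home/sftp-shell` itself can be removed once nothing is mounted from it. The snippet below unmounts deepest-first so the `dev` bind (sourced from inside the template) goes before the `shell` bind, and drops only fstab lines whose source is the template or `/proc`.

```shell
    # --------------------------------------------------------------------------
    # Step 5 (migration): earlier releases bind-mounted /home/sftp-shell, its
    # dev/ subtree and a read-only /proc into each SSH user's home and persisted
    # them in /etc/fstab. Unmount them (deepest first) and drop the fstab lines
    # so the old jail does not come back at next boot.
    # --------------------------------------------------------------------------
    local legacy_mnt
    while IFS= read -r legacy_mnt; do
        log_cmd "umount $legacy_mnt" "Unmounting legacy chroot mount $legacy_mnt"
    done < <(awk '$2 ~ "^/home/sftpusers/[^/]+/(shell|dev|proc)$" { print $2 }' /proc/self/mounts | tac)
    sed -i -E '\#^(/home/sftp-shell(/dev)?|/proc)[[:space:]]+/home/sftpusers/[^/[:space:]]+/(shell|dev|proc)[[:space:]]#d' /etc/fstab
    # … unchanged: final log_success / return 0 …
```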