addons
/
add-sftp-user
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Final fix for SSH acct creation

main
Anthony 2025-07-30 01:14:57 +08:00
parent 1da4c51461
commit f1ce21de2b
3 changed files with 6 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
add-sftp.sh
View File

@ -121,7 +121,7 @@ log_success "Directory setup completed"
# Determine shell path # Determine shell path
if [ "$SSH_ENABLED" = "true" ]; then if [ "$SSH_ENABLED" = "true" ]; then
USER_SHELL="/shell/bin/bash" USER_SHELL="/bin/bash"
else else
USER_SHELL="/sbin/nologin" USER_SHELL="/sbin/nologin"
fi fi
@ -194,30 +194,7 @@ fi
log_success "Created bind mount for webroot access" log_success "Created bind mount for webroot access"
# Bind shell, dev, and proc into chroot for SSH users # No additional mounts needed for SSH users (no chroot)
if [ "$SSH_ENABLED" = "true" ]; then
log "Phase 9.1: Mounting shell/dev/proc into chroot"
# 1. shell template
if ! mount | grep -q "${USER_HOME}/shell"; then
log_cmd "mkdir -p ${USER_HOME}/shell" "Creating shell mount point"
log_cmd "mount --bind /home/sftp-shell ${USER_HOME}/shell" "Binding shell template"
grep -q "/home/sftp-shell ${USER_HOME}/shell" /etc/fstab || echo "/home/sftp-shell ${USER_HOME}/shell none bind 0 0" >> /etc/fstab
fi
# 2. dev nodes
if ! mount | grep -q "${USER_HOME}/dev"; then
log_cmd "mkdir -p ${USER_HOME}/dev" "Creating dev mount point"
log_cmd "mount --bind /home/sftp-shell/dev ${USER_HOME}/dev" "Binding dev nodes"
grep -q "/home/sftp-shell/dev ${USER_HOME}/dev" /etc/fstab || echo "/home/sftp-shell/dev ${USER_HOME}/dev none bind 0 0" >> /etc/fstab
fi
# 3. read-only proc
if ! mount | grep -q "${USER_HOME}/proc"; then
log_cmd "mkdir -p ${USER_HOME}/proc" "Creating proc mount point"
log_cmd "mount --bind /proc ${USER_HOME}/proc" "Binding proc"
log_cmd "mount -o remount,bind,ro ${USER_HOME}/proc" "Remount proc read-only"
grep -q "/proc ${USER_HOME}/proc" /etc/fstab || echo "/proc ${USER_HOME}/proc none bind,ro 0 0" >> /etc/fstab
fi
log_success "Shell, dev, and proc mounted into chroot"
fi
# Add user to the required groups # Add user to the required groups
log "Phase 10: Adding user to groups" log "Phase 10: Adding user to groups"

13
manifest.jps
View File

@ -347,19 +347,6 @@ actions:
sed -i "\|/home/sftpusers/${settings.manage_username}/shell|d" /etc/fstab sed -i "\|/home/sftpusers/${settings.manage_username}/shell|d" /etc/fstab
fi fi
# Unmount dev and proc
if mount | grep -q "/home/sftpusers/${settings.manage_username}/dev"; then
log "Unmounting dev bind mount for user: ${settings.manage_username}"
umount /home/sftpusers/${settings.manage_username}/dev
fi
if mount | grep -q "/home/sftpusers/${settings.manage_username}/proc"; then
log "Unmounting proc bind mount for user: ${settings.manage_username}"
umount /home/sftpusers/${settings.manage_username}/proc
fi
# Remove from fstab
sed -i "\|/home/sftpusers/${settings.manage_username}/dev|d" /etc/fstab
sed -i "\|/home/sftpusers/${settings.manage_username}/proc|d" /etc/fstab
# Delete user account # Delete user account
if userdel ${settings.manage_username}; then if userdel ${settings.manage_username}; then
log_success "User account deleted: ${settings.manage_username}" log_success "User account deleted: ${settings.manage_username}"

28
scripts/system_prep.sh
View File

@ -58,9 +58,9 @@ prepare_sftp_system() {
log "Creating dedicated SSH configuration at $addon_config_file..." log "Creating dedicated SSH configuration at $addon_config_file..."
echo "Subsystem sftp internal-sftp" > "$addon_config_file" echo "Subsystem sftp internal-sftp" > "$addon_config_file"
# This configuration uses a two-group system: # Group-based policy:
# 1. 'sftpusers': SFTP-only, forced into SFTP mode. # - sftpusers : SFTP-only, jailed
# 2. 'sshusers': SFTP + SSH, allowed a real shell but still chrooted. # - sshusers : full SSH + SFTP, NOT chrooted (still jailed by Linux user perms)
cat >> "$addon_config_file" << EOF cat >> "$addon_config_file" << EOF
# Configuration managed by SFTP-Addon - DO NOT EDIT MANUALLY # Configuration managed by SFTP-Addon - DO NOT EDIT MANUALLY
@ -73,10 +73,8 @@ Match Group sftpusers
AllowTcpForwarding no AllowTcpForwarding no
X11Forwarding no X11Forwarding no
# --- SSH & SFTP USERS --- # --- SSH & SFTP USERS (no chroot) ---
# Users in this group can get a real SSH shell but are jailed to their home.
Match Group sshusers Match Group sshusers
ChrootDirectory /home/sftpusers/%u
PasswordAuthentication yes PasswordAuthentication yes
AllowTcpForwarding no AllowTcpForwarding no
X11Forwarding no X11Forwarding no
@ -108,24 +106,6 @@ EOF
log_cmd "chown root:root /home/sftpusers" "Setting /home/sftpusers ownership to root:root" log_cmd "chown root:root /home/sftpusers" "Setting /home/sftpusers ownership to root:root"
log_cmd "chmod 755 /home/sftpusers" "Setting /home/sftpusers permissions to 755" log_cmd "chmod 755 /home/sftpusers" "Setting /home/sftpusers permissions to 755"
# --------------------------------------------------------------------------
# Step 5: Build read-only shell template for jailed SSH users
# --------------------------------------------------------------------------
local shell_tmpl="/home/sftp-shell"
if [ ! -x "$shell_tmpl/bin/bash" ]; then
log "Creating minimal shell environment at $shell_tmpl"
log_cmd "mkdir -p $shell_tmpl/bin $shell_tmpl/lib64" "Creating template directories"
log_cmd "cp /bin/bash $shell_tmpl/bin/" "Copying bash binary"
# Copy required shared libraries for bash
for lib in $(ldd /bin/bash | awk '{print $3}' | grep -E '^/'); do
log_cmd "cp --dereference $lib $shell_tmpl/lib64/" "Copying $(basename $lib)"
done
log_cmd "chmod -R 755 $shell_tmpl" "Setting permissions on shell template"
log_success "Shell template created for jailed SSH users"
else
log_debug "Shell template already exists, skipping rebuild."
fi
log_success "System preparation complete." log_success "System preparation complete."
return 0 return 0
} }