From 93b2a8617aff4b3ad51c616cb85b33755ca3e259 Mon Sep 17 00:00:00 2001
From: Serghey Rodin
Date: Fri, 18 Sep 2015 17:42:48 +0300
Subject: [PATCH] Jailed SFTP via OpenSSH
---
bin/v-add-sys-sftp-jail | 106 ++++++++++++++++++++++++++++++++++++
bin/v-add-user | 5 ++
bin/v-add-user-sftp-jail | 66 ++++++++++++++++++++++
bin/v-add-web-domain-ftp | 5 ++
bin/v-change-user-shell | 5 ++
bin/v-delete-sys-sftp-jail | 89 ++++++++++++++++++++++++++++++
bin/v-delete-user-sftp-jail | 63 +++++++++++++++++++++
bin/v-delete-web-domain-ftp | 5 ++
8 files changed, 344 insertions(+)
create mode 100755 bin/v-add-sys-sftp-jail
create mode 100755 bin/v-add-user-sftp-jail
create mode 100755 bin/v-delete-sys-sftp-jail
create mode 100755 bin/v-delete-user-sftp-jail
diff --git a/bin/v-add-sys-sftp-jail b/bin/v-add-sys-sftp-jail
new file mode 100755
index 00000000..1a207efc
--- /dev/null
+++ b/bin/v-add-sys-sftp-jail
@@ -0,0 +1,106 @@
+#!/bin/bash
+# info: add system sftp jail
+# opions: NONE
+#
+# The script enables sftp jailed environment
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Importing system enviroment as we run this script
+# mostly by cron wich do not read it by itself
+source /etc/profile
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+if [ -z "$SFTPJAIL_KEY" ]; then
+ exit
+fi
+
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Checking sshd directives
+config='/etc/ssh/sshd_config'
+sftp_n=$(grep -n "Subsystem.*sftp" $config |grep -v internal |grep -v ":#")
+sftp_i=$(grep -n "Subsystem.*sftp" $config |grep internal |grep -v ":#")
+
+# Disabling normal sftp
+if [ ! -z "$sftp_n" ]; then
+ fline=$(echo $sftp_n |cut -f 1 -d :)
+ sed -i "${fline}s/Subsystem.*sftp/#Subsystem sftp/" $config
+ restart='yes'
+fi
+
+# Enabling jailed sftp
+if [ -z "$sftp_i" ]; then
+ echo "Subsystem sftp internal-sftp" >> $config
+ echo "Match Group sftp-only" >> $config
+ echo "ChrootDirectory /chroot/%u" >> $config
+ echo " AllowTCPForwarding no" >> $config
+ echo " X11Forwarding no" >> $config
+ echo " ForceCommand internal-sftp" >> $config
+ restart='yes'
+fi
+
+# Validating opensshd config
+if [ "$restart" = 'yes' ]; then
+ subj="OpenSSH restart failed"
+ email=$(grep CONTACT $VESTA/data/users/admin/user.conf |cut -f 2 -d \')
+ send_mail="$VESTA/web/inc/mail-wrapper.php"
+ /usr/sbin/sshd -t >/dev/null 2>&1
+ if [ "$?" -ne 0 ]; then
+ mail_text="OpenSSH can not be restarted. 
Please check config:
+ \n\n$(/usr/sbin/sshd -t)"
+ echo -e "$mail_text" | $send_mail -s "$subj" $email
+ else
+ service ssh restart >/dev/null 2>&1
+ service sshd restart >/dev/null 2>&1
+ fi
+fi
+
+# Adding sftp group
+groupadd sftp-only 2>/dev/null
+
+# Checking users
+shells="rssh|nologin"
+for user in $(grep "$HOMEDIR" /etc/passwd |egrep "$shells" |cut -f 1 -d:); do
+ $BIN/v-add-user-sftp-jail $user
+done
+
+# Adding v-add-sys-sftp-jail to startup
+if [ -e "/etc/rc.local" ]; then
+ check_sftp=$(grep $0 /etc/rc.local)
+ check_exit=$(grep ^exit /etc/rc.local)
+ if [ -z "$check_sftp" ]; then
+ if [ -z "$check_exit" ]; then
+ echo "$BIN/v-add-sys-sftp-jail" >> /etc/rc.local
+ else
+ sed -i "s|^exit|$BIN/v-add-sys-sftp-jail\nexit|" /etc/rc.local
+ fi
+ fi
+ chmod +x /etc/rc.local
+else
+ echo "$BIN/v-add-sys-sftp-jail" > /etc/rc.local
+ chmod +x /etc/rc.local
+fi
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-add-user b/bin/v-add-user
index 09367c62..568d7bbe 100755
--- a/bin/v-add-user
+++ b/bin/v-add-user
@@ -207,6 +207,11 @@ if [ -x "$VESTA/data/packages/$package.sh" ]; then
 $VESTA/data/packages/$package.sh "$user" "$email" "$fname" "$lname"
 fi
+# Adding jailed sftp env
+if [ ! -z "$SFTPJAIL_KEY" ]; then
+ $BIN/v-add-user-sftp-jail $user
+fi
+
 # Logging
 log_history "added system user $user" '' 'admin'
 log_event "$OK" "$EVENT"
diff --git a/bin/v-add-user-sftp-jail b/bin/v-add-user-sftp-jail
new file mode 100755
index 00000000..6d0b87e8
--- /dev/null
+++ b/bin/v-add-user-sftp-jail
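Review bot: The substitution on the `sftp_n` branch, `sed -i "${fline}s/Subsystem.*sftp/#Subsystem sftp/" $config`, is greedy: on the usual `Subsystem sftp /usr/lib/openssh/sftp-server` line it matches through the last `sftp` and leaves `#Subsystem sftp-server`, so the server path is destroyed and v-delete-sys-sftp-jail's `s/#Subsystem/Subsystem sftp/` can only turn it into `Subsystem sftp sftp-server`, never back into a working non-jailed sftp. Comment the line out without rewriting it, `sed -i "${fline}s/^/#/" $config`, and copy `$config` aside before editing, as the delete script does with `cp $config $config.bak-$(date +%s)`, so the original can be restored when `sshd -t` fails instead of leaving sshd unable to start on its next restart. Appending `Match Group sftp-only` at the end of sshd_config also means any directive a later tool appends to the file lands inside that Match scope and applies only to jailed users; a comment on the `echo "Match Group sftp-only"` line warning about this would help whoever edits the file next.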
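Review bot: The new `$BIN/v-add-user-sftp-jail $user` call discards the jail script's exit status, and that script has its own `log_event` commented out, so a failed `mkdir`, `usermod` or `mount` during jail setup leaves no trace while the user is still logged as added. The same unchecked call is added in v-add-web-domain-ftp and v-change-user-shell. At minimum quote the argument and surface a non-zero status, e.g. `$BIN/v-add-user-sftp-jail "$user" || echo "Error: sftp jail for $user was not created" >&2`.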
@@ -0,0 +1,66 @@
+#!/bin/bash
+# info: add user sftp jail
+# opions: USER
+#
+# The script enables sftp jailed environment
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Argument defenition
+user=$1
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER'
+validate_format 'user'
+if [ -z "$SFTPJAIL_KEY" ]; then
+ exit
+fi
+user_str=$(grep "^$user:" /etc/passwd |egrep "rssh|nologin")
+if [ -z "$user_str" ]; then
+ exit
+fi
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Defining user homedir
+home="$(echo $user_str |cut -f 6 -d :)"
+
+# Adding chroot directory
+if [ ! -d "/chroot/$user/$home" ]; then
+ mkdir -p /chroot/$user/$home
+ chmod 750 /chroot/$user
+ chmod 775 /chroot/$user/$home
+ chown root:sftp-only /chroot/$user
+ chown $user:sftp-only /chroot/$user/$home
+fi
+
+# Adding user to sftp group
+usermod -a -G sftp-only $user
+
+# Mouting home directory
+if [ -z "$(mount |grep $home)" ]; then
+ mount -o bind $home /chroot/$user/$home/
+fi
+
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+# Logging
+#log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-add-web-domain-ftp b/bin/v-add-web-domain-ftp
index 5626e7ac..1eaace85 100755
--- a/bin/v-add-web-domain-ftp
+++ b/bin/v-add-web-domain-ftp
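Review bot: The guard `if [ -z "$(mount |grep $home)" ]` is an unanchored substring search over the whole mount table: any mount whose path merely contains `$home` (a separately mounted real home, or `/home/abc` when this user's home is `/home/ab`) makes the script skip the bind mount, and the user then logs into a jail whose home is empty. Test the jail path itself, `mountpoint -q "/chroot/$user/$home" || mount -o bind "$home" "/chroot/$user/$home"`. Separately, `chmod 775 /chroot/$user/$home` with group `sftp-only` leaves the mountpoint group-writable whenever the bind mount is absent (before rc.local has re-run v-add-sys-sftp-jail after a reboot, or after a failed mount), and `/chroot/$user` at 750 root:sftp-only lets any process running as another jailed user outside its own chroot traverse to it; 755 is enough for a directory that only exists to be mounted over, since sshd's ownership rules apply to `/chroot/$user` itself.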
@@ -94,6 +94,11 @@ fi
 echo "$ftp_user:$password" | /usr/sbin/chpasswd
 ftp_md5=$(awk -v user=$ftp_user -F : 'user == $1 {print $2}' /etc/shadow)
+# Adding jailed sftp env
+if [ ! -z "$SFTPJAIL_KEY" ]; then
+ $BIN/v-add-user-sftp-jail $ftp_user
+fi
+
 #----------------------------------------------------------#
 # Vesta #
diff --git a/bin/v-change-user-shell b/bin/v-change-user-shell
index f533d43c..513e5524 100755
--- a/bin/v-change-user-shell
+++ b/bin/v-change-user-shell
@@ -39,6 +39,11 @@ shell_path=$(grep -w "$shell" /etc/shells | head -n1)
 /usr/bin/chsh -s "$shell_path" "$user" &>/dev/null
 shell=$(basename $shell_path)
+# Adding jailed sftp env
+if [ ! -z "$SFTPJAIL_KEY" ]; then
+ $BIN/v-add-user-sftp-jail $user
+fi
+
 #----------------------------------------------------------#
 # Vesta #
diff --git a/bin/v-delete-sys-sftp-jail b/bin/v-delete-sys-sftp-jail
new file mode 100755
index 00000000..ef4292ef
--- /dev/null
+++ b/bin/v-delete-sys-sftp-jail
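Review bot: In v-change-user-shell the jail is only ever added, never removed: v-add-user-sftp-jail exits without doing anything unless the user's passwd entry matches `rssh|nologin`, so a user whose shell is switched from nologin to an interactive one keeps the `sftp-only` membership, the bind mount and the `Match Group sftp-only` chroot, and the new shell has no effect over SSH. Tear the jail down when the new shell is not a jail shell, reusing the pattern the add script keys on: keep `$BIN/v-add-user-sftp-jail "$user"` and follow it with `echo "$shell" |egrep -q "rssh|nologin" || $BIN/v-delete-user-sftp-jail "$user"`.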
@@ -0,0 +1,89 @@
+#!/bin/bash
+# info: delete system sftp jail
+# opions: NONE
+#
+# The script enables sftp jailed environment
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Importing system enviroment as we run this script
+# mostly by cron wich do not read it by itself
+source /etc/profile
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+if [ -z "$SFTPJAIL_KEY" ]; then
+ exit
+fi
+
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Checking users
+for user in $(grep "$HOMEDIR" /etc/passwd |cut -f 1 -d:); do
+ $BIN/v-delete-user-sftp-jail $user
+done
+
+# Checking sshd directives
+config='/etc/ssh/sshd_config'
+sftp_n=$(grep -n "Subsystem.*sftp" $config |grep -v internal |grep ":#")
+sftp_i=$(grep -n "Subsystem.*sftp" $config |grep internal |grep -v ":#")
+
+# Backing up config
+cp $config $config.bak-$(date +%s)
+
+# Enabling normal sftp
+if [ ! -z "$sftp_n" ]; then
+ fline=$(echo $sftp_n |cut -f 1 -d :)
+ sed -i "${fline}s/#Subsystem/Subsystem sftp/" $config
+ restart='yes'
+fi
+
+# Disabling jailed sftp
+if [ ! -z "$sftp_i" ]; then
+ fline=$(echo $sftp_i |cut -f 1 -d :)
+ lline=$((fline + 5))
+ sed -i "${fline},${lline}d" $config
+ restart='yes'
+fi
+
+# Validating opensshd config
+if [ "$restart" = 'yes' ]; then
+ subj="OpenSSH restart failed"
+ email=$(grep CONTACT $VESTA/data/users/admin/user.conf |cut -f 2 -d \')
+ send_mail="$VESTA/web/inc/mail-wrapper.php"
+ /usr/sbin/sshd -t >/dev/null 2>&1
+ if [ "$?" -ne 0 ]; then
+ mail_text="OpenSSH can not be restarted. 
Please check config:
+ \n\n$(/usr/sbin/sshd -t)"
+ echo -e "$mail_text" | $send_mail -s "$subj" $email
+ else
+ service ssh restart >/dev/null 2>&1
+ service sshd restart >/dev/null 2>&1
+ fi
+fi
+
+# Deleting v-add-sys-sftp-jail from startup
+sed -i "/v-add-sys-sftp-jail/d" /etc/rc.local 2>/dev/null
+
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-delete-user-sftp-jail b/bin/v-delete-user-sftp-jail
new file mode 100755
index 00000000..49ff07e8
--- /dev/null
+++ b/bin/v-delete-user-sftp-jail
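Review bot: The re-enable substitution `sed -i "${fline}s/#Subsystem/Subsystem sftp/" $config` inserts a second `sftp` token: the commented line already reads `#Subsystem sftp ...`, so the result is `Subsystem sftp sftp ...`, which sshd will not accept as a subsystem line. Only the comment marker should go, `sed -i "${fline}s/^#//" $config`; the `grep ":#"` that selected the line already guarantees the `#` is at column 0. The `lline=$((fline + 5))` deletion also removes six lines by offset rather than by content: v-add-sys-sftp-jail appends its block only when no `internal-sftp` subsystem line exists yet, so on a host whose admin had already configured `Subsystem sftp internal-sftp` with their own Match block, this branch deletes five lines of that unrelated configuration. Match the six directives this tool writes by their text and delete only those, leaving anything else in place.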
@@ -0,0 +1,63 @@
+#!/bin/bash
+# info: delete user sftp jail
+# opions: USER
+#
+# The script enables sftp jailed environment
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Argument defenition
+user=$1
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER'
+validate_format 'user'
+user_str=$(grep "^$user:" /etc/passwd)
+if [ -z "$user_str" ]; then
+ exit
+fi
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Defining user homedir
+home="$(echo $user_str |cut -f 6 -d :)"
+
+# Unmounting home directory
+mount_dir=$(mount |grep /chroot/$user/ |awk '{print $3}')
+if [ ! -z "$mount_dir" ]; then
+ umount -f $mount_dir 2>/dev/null
+ if [ $? -ne 0 ]; then
+ gpasswd -d $user sftp-only >/dev/null 2>&1
+ exit 1
+ fi
+fi
+
+# Deleting chroot dir
+rmdir $mount_dir 2>/dev/null
+rm -rf /chroot/$user
+
+# Deleting user from sftp group
+gpasswd -d $user sftp-only >/dev/null 2>&1
+
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+# Logging
+#log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-delete-web-domain-ftp b/bin/v-delete-web-domain-ftp
index 01b8ac47..4d9e9feb 100755
--- a/bin/v-delete-web-domain-ftp
+++ b/bin/v-delete-web-domain-ftp
@@ -51,6 +51,11 @@ if [ "$?" != 0 ]; then
 sed -i "/^$ftp_user:/d" /etc/shadow
 fi
+# Deleting sftp jail
+if [ ! -z "$SFTPJAIL_KEY" ]; then
+ $BINv-delete-user-sftp-jail $ftp_user
+fi
+
 #----------------------------------------------------------#
 # Vesta #
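Review bot: `rm -rf /chroot/$user` is the one step in this script that can reach the user's real data, and the only thing between it and the bind-mounted home is the `mount |grep /chroot/$user/` check above it: if that grep misses a still-mounted home (a second bind of the same directory, or a mount listed under a differently normalised path), `rm -rf` descends through the mount point and deletes the user's actual home directory. Since the chroot tree is meant to hold nothing but empty mount points, use `rm -rf --one-file-system /chroot/$user` (GNU rm) so the removal can never cross into a mounted filesystem, and keep the existing `exit 1` on a failed umount. The trailing bare `exit` also returns the status of the last `gpasswd` call rather than of the cleanup, so v-delete-sys-sftp-jail, which loops over every user, cannot tell whether a jail was actually removed.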
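Review bot: `$BINv-delete-user-sftp-jail $ftp_user` is missing the `/` after `$BIN`: the shell expands a variable named `BINv` (unset, so empty) and tries to run the literal command `-delete-user-sftp-jail`, which fails with command not found, so the FTP user's chroot directory, `sftp-only` membership and bind mount are left behind after the account is deleted. It should read `$BIN/v-delete-user-sftp-jail "$ftp_user"`, matching the add path in v-add-web-domain-ftp.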