Jailed SFTP via OpenSSH

This commit is contained in:
Serghey Rodin 2015-09-18 17:42:48 +03:00
commit 93b2a8617a
8 changed files with 344 additions and 0 deletions

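--- a/bin/v-add-sys-sftp-jail
+++ b/bin/v-add-sys-sftp-jail
@@ -0,0 +1,106 @@
+#!/bin/bash
+# info: add system sftp jail
+# opions: NONE
+#
+# The script enables sftp jailed environment
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+# Importing system enviroment as we run this script
+# mostly by cron wich do not read it by itself
+source /etc/profile
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+if [ -z "$SFTPJAIL_KEY" ]; then
+exit
+fi
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+# Checking sshd directives
+config='/etc/ssh/sshd_config'
+sftp_n=$(grep -n "Subsystem.*sftp" $config |grep -v internal |grep -v ":#")
+sftp_i=$(grep -n "Subsystem.*sftp" $config |grep internal |grep -v ":#")
+# Disabling normal sftp
+if [ ! -z "$sftp_n" ]; then
+fline=$(echo $sftp_n |cut -f 1 -d :)
+sed -i "${fline}s/Subsystem.*sftp/#Subsystem sftp/" $config
+restart='yes'
+fi
+# Enabling jailed sftp
+if [ -z "$sftp_i" ]; then
+echo "Subsystem sftp internal-sftp" >> $config
+echo "Match Group sftp-only" >> $config
+echo "ChrootDirectory /chroot/%u" >> $config
+echo " AllowTCPForwarding no" >> $config
+echo " X11Forwarding no" >> $config
+echo " ForceCommand internal-sftp" >> $config
+restart='yes'
+fi
+# Validating opensshd config
+if [ "$restart" = 'yes' ]; then
+subj="OpenSSH restart failed"
+email=$(grep CONTACT $VESTA/data/users/admin/user.conf |cut -f 2 -d \')
+send_mail="$VESTA/web/inc/mail-wrapper.php"
+/usr/sbin/sshd -t >/dev/null 2>&1
+if [ "$?" -ne 0 ]; then
+mail_text="OpenSSH can not be restarted. Please check config:
+\n\n$(/usr/sbin/sshd -t)"
+echo -e "$mail_text" | $send_mail -s "$subj" $email
+else
+service ssh restart >/dev/null 2>&1
+service sshd restart >/dev/null 2>&1
+fi
+fi
+# Adding sftp group
+groupadd sftp-only 2>/dev/null
+# Checking users
+shells="rssh|nologin"
+for user in $(grep "$HOMEDIR" /etc/passwd |egrep "$shells" |cut -f 1 -d:); do
+$BIN/v-add-user-sftp-jail $user
+done
+# Adding v-add-sys-sftp-jail to startup
+if [ -e "/etc/rc.local" ]; then
+check_sftp=$(grep $0 /etc/rc.local)
+check_exit=$(grep ^exit /etc/rc.local)
+if [ -z "$check_sftp" ]; then
+if [ -z "$check_exit" ]; then
+echo "$BIN/v-add-sys-sftp-jail" >> /etc/rc.local
+else
+sed -i "s|^exit|$BIN/v-add-sys-sftp-jail\nexit|" /etc/rc.local
+fi
+fi
+chmod +x /etc/rc.local
+else
+echo "$BIN/v-add-sys-sftp-jail" > /etc/rc.local
+chmod +x /etc/rc.local
+fi
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+# Logging
+log_event "$OK" "$EVENT"
+exit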
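Review bot: The substitution that disables the stock handler, `${fline}s/Subsystem.*sftp/#Subsystem sftp/`, is greedy and eats everything up to the last `sftp` on the line, so e.g. `Subsystem sftp /usr/lib/openssh/sftp-server` becomes `#Subsystem sftp-server` and the original handler path is destroyed, which is also why v-delete-sys-sftp-jail can never restore it; comment the line out by prefixing only, `sed -i "${fline}s/^/#/" $config`. The jail block is gated on the absence of a `Subsystem sftp internal-sftp` line rather than on the absence of the `Match Group sftp-only` block, so on a host whose sshd_config already uses internal-sftp no ChrootDirectory is ever written and users are merely added to the group without being jailed; test the block itself, `grep -q '^Match Group sftp-only' $config`, before appending it. Appending to the end of the file also puts the global `Subsystem` directive inside whatever `Match` block already ends the config (sshd -t rejects that and the script then only mails), so insert it before the first `^Match` line instead. Unlike the delete script, this one modifies sshd_config without first taking a `$config.bak-$(date +%s)` copy.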


@ -207,6 +207,11 @@ if [ -x "$VESTA/data/packages/$package.sh" ]; then
$VESTA/data/packages/$package.sh "$user" "$email" "$fname" "$lname"
fi
# Adding jailed sftp env
if [ ! -z "$SFTPJAIL_KEY" ]; then
$BIN/v-add-user-sftp-jail $user
fi
# Logging
log_history "added system user $user" '' 'admin'
log_event "$OK" "$EVENT"
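Review bot: The status of `$BIN/v-add-user-sftp-jail $user` is discarded and the script proceeds to `log_event "$OK"`, so a failed jail setup (a failing bind mount is the one error that script's final `exit` happens to propagate) is recorded as success while the new user is left chrooted into an empty placeholder directory. Consider checking it the way the commit checks `sshd -t` elsewhere: `$BIN/v-add-user-sftp-jail $user` followed by `if [ "$?" -ne 0 ]; then log_event "$E_NOTEXIST" "$EVENT"; fi` or whatever error code the file already uses. The enclosing script starts before this hunk.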

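--- a/bin/v-add-user-sftp-jail
+++ b/bin/v-add-user-sftp-jail
@@ -0,0 +1,66 @@
+#!/bin/bash
+# info: add user sftp jail
+# opions: USER
+#
+# The script enables sftp jailed environment
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+# Argument defenition
+user=$1
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+check_args '1' "$#" 'USER'
+validate_format 'user'
+if [ -z "$SFTPJAIL_KEY" ]; then
+exit
+fi
+user_str=$(grep "^$user:" /etc/passwd |egrep "rssh|nologin")
+if [ -z "$user_str" ]; then
+exit
+fi
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+# Defining user homedir
+home="$(echo $user_str |cut -f 6 -d :)"
+# Adding chroot directory
+if [ ! -d "/chroot/$user/$home" ]; then
+mkdir -p /chroot/$user/$home
+chmod 750 /chroot/$user
+chmod 775 /chroot/$user/$home
+chown root:sftp-only /chroot/$user
+chown $user:sftp-only /chroot/$user/$home
+fi
+# Adding user to sftp group
+usermod -a -G sftp-only $user
+# Mouting home directory
+if [ -z "$(mount |grep $home)" ]; then
+mount -o bind $home /chroot/$user/$home/
+fi
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+# Logging
+#log_event "$OK" "$EVENT"
+exit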
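Review bot: The idempotency check `if [ -z "$(mount |grep $home)" ]` asks whether the user's home path appears anywhere in the mount table, not whether `/chroot/$user/$home` is mounted, so a home that is its own filesystem, or any mounted path that merely contains `$home` as a prefix, skips the bind mount and the user is chrooted into the empty placeholder directory created just above. Test the mount point itself: `if ! mountpoint -q "/chroot/$user/$home"; then mount -o bind "$home" "/chroot/$user/$home"; fi`. The placeholder does not need to be group-writable either; `chmod 755 /chroot/$user/$home` is enough, since it is only reachable when the bind mount is absent. OpenSSH requires every path component of ChrootDirectory to be root-owned and not group- or world-writable: `/chroot/$user` satisfies that via the 750 root:sftp-only lines, but `/chroot` itself is created by `mkdir -p` under the caller's umask and deserves an explicit `chmod 755 /chroot`.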


@ -94,6 +94,11 @@ fi
echo "$ftp_user:$password" | /usr/sbin/chpasswd
ftp_md5=$(awk -v user=$ftp_user -F : 'user == $1 {print $2}' /etc/shadow)
# Adding jailed sftp env
if [ ! -z "$SFTPJAIL_KEY" ]; then
$BIN/v-add-user-sftp-jail $ftp_user
fi
#----------------------------------------------------------#
# Vesta #


@ -39,6 +39,11 @@ shell_path=$(grep -w "$shell" /etc/shells | head -n1)
/usr/bin/chsh -s "$shell_path" "$user" &>/dev/null
shell=$(basename $shell_path)
# Adding jailed sftp env
if [ ! -z "$SFTPJAIL_KEY" ]; then
$BIN/v-add-user-sftp-jail $user
fi
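Review bot: Changing a shell away from rssh/nologin never tears the jail down: v-add-user-sftp-jail exits without doing anything when the account's shell is not rssh or nologin, so the user keeps sftp-only membership and the bind mount, and the `Match Group sftp-only` / `ForceCommand internal-sftp` block keeps them confined to sftp no matter which shell was just set (it fails closed, but the requested change silently does not take effect and the stale mount persists). Branch on the new `$shell` value and call the delete script for the other case; the enclosing script continues past the hunk.
```shell
if [ ! -z "$SFTPJAIL_KEY" ]; then
    case "$shell" in
        rssh|nologin) $BIN/v-add-user-sftp-jail $user ;;
        *) $BIN/v-delete-user-sftp-jail $user ;;
    esac
fi
```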
#----------------------------------------------------------#
# Vesta #

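--- a/bin/v-delete-sys-sftp-jail
+++ b/bin/v-delete-sys-sftp-jail
@@ -0,0 +1,89 @@
+#!/bin/bash
+# info: delete system sftp jail
+# opions: NONE
+#
+# The script enables sftp jailed environment
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+# Importing system enviroment as we run this script
+# mostly by cron wich do not read it by itself
+source /etc/profile
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+if [ -z "$SFTPJAIL_KEY" ]; then
+exit
+fi
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+# Checking users
+for user in $(grep "$HOMEDIR" /etc/passwd |cut -f 1 -d:); do
+$BIN/v-delete-user-sftp-jail $user
+done
+# Checking sshd directives
+config='/etc/ssh/sshd_config'
+sftp_n=$(grep -n "Subsystem.*sftp" $config |grep -v internal |grep ":#")
+sftp_i=$(grep -n "Subsystem.*sftp" $config |grep internal |grep -v ":#")
+# Backing up config
+cp $config $config.bak-$(date +%s)
+# Enabling normal sftp
+if [ ! -z "$sftp_n" ]; then
+fline=$(echo $sftp_n |cut -f 1 -d :)
+sed -i "${fline}s/#Subsystem/Subsystem sftp/" $config
+restart='yes'
+fi
+# Disabling jailed sftp
+if [ ! -z "$sftp_i" ]; then
+fline=$(echo $sftp_i |cut -f 1 -d :)
+lline=$((fline + 5))
+sed -i "${fline},${lline}d" $config
+restart='yes'
+fi
+# Validating opensshd config
+if [ "$restart" = 'yes' ]; then
+subj="OpenSSH restart failed"
+email=$(grep CONTACT $VESTA/data/users/admin/user.conf |cut -f 2 -d \')
+send_mail="$VESTA/web/inc/mail-wrapper.php"
+/usr/sbin/sshd -t >/dev/null 2>&1
+if [ "$?" -ne 0 ]; then
+mail_text="OpenSSH can not be restarted. Please check config:
+\n\n$(/usr/sbin/sshd -t)"
+echo -e "$mail_text" | $send_mail -s "$subj" $email
+else
+service ssh restart >/dev/null 2>&1
+service sshd restart >/dev/null 2>&1
+fi
+fi
+# Deleting v-add-sys-sftp-jail from startup
+sed -i "/v-add-sys-sftp-jail/d" /etc/rc.local 2>/dev/null
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+# Logging
+log_event "$OK" "$EVENT"
+exit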
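Review bot: `sed -i "${fline},${lline}d"` removes the `Subsystem sftp internal-sftp` line plus the next five lines by position, on the assumption that they are exactly the Match block the add script appended; on a config where that line pre-existed (the add script then never wrote the Match block) or where an admin edited in between, this deletes five unrelated directives, and because sshd -t only checks syntax, losing something like `PermitRootLogin no` or `PasswordAuthentication no` passes validation and is silently restarted into. Delete by pattern instead: `sed -i '/^Subsystem sftp internal-sftp$/d' $config` and `sed -i '/^Match Group sftp-only$/,/^[[:space:]]*ForceCommand internal-sftp$/d' $config`. The restore `s/#Subsystem/Subsystem sftp/` also inserts a second `sftp` token into a line that already contains one (yielding `Subsystem sftp sftp-server` for what the add script leaves behind), so sftp stays broken for non-jailed users; just strip the comment marker, `sed -i "${fline}s/^#//" $config`, which pairs with commenting out by prefix on the add side. The backup taken on the line above is the right instinct and makes these repairs low-risk.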

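--- a/bin/v-delete-user-sftp-jail
+++ b/bin/v-delete-user-sftp-jail
@@ -0,0 +1,63 @@
+#!/bin/bash
+# info: delete user sftp jail
+# opions: USER
+#
+# The script enables sftp jailed environment
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+# Argument defenition
+user=$1
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+check_args '1' "$#" 'USER'
+validate_format 'user'
+user_str=$(grep "^$user:" /etc/passwd)
+if [ -z "$user_str" ]; then
+exit
+fi
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+# Defining user homedir
+home="$(echo $user_str |cut -f 6 -d :)"
+# Unmounting home directory
+mount_dir=$(mount |grep /chroot/$user/ |awk '{print $3}')
+if [ ! -z "$mount_dir" ]; then
+umount -f $mount_dir 2>/dev/null
+if [ $? -ne 0 ]; then
+gpasswd -d $user sftp-only >/dev/null 2>&1
+exit 1
+fi
+fi
+# Deleting chroot dir
+rmdir $mount_dir 2>/dev/null
+rm -rf /chroot/$user
+# Deleting user from sftp group
+gpasswd -d $user sftp-only >/dev/null 2>&1
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+# Logging
+#log_event "$OK" "$EVENT"
+exit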
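Review bot: `rm -rf /chroot/$user` runs with no check that the bind mount of the user's real home is actually gone, and rm descends into bind mounts, so any case where `mount |grep /chroot/$user/` fails to find it (the whole unmount branch is skipped when `$mount_dir` is empty, and the match depends on mount's output format) deletes the user's home directory itself. `home` is computed above and never used; it is exactly what a guard needs: `mountpoint -q "/chroot/$user/$home" && exit 1` immediately before the rm, plus `rm -rf --one-file-system /chroot/$user` so the deletion can never cross a mount boundary even if the guard is bypassed. The failure path (umount fails, membership dropped, `exit 1`) is already fail-closed and can stay as is.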


@ -51,6 +51,11 @@ if [ "$?" != 0 ]; then
sed -i "/^$ftp_user:/d" /etc/shadow
fi
# Deleting sftp jail
if [ ! -z "$SFTPJAIL_KEY" ]; then
$BINv-delete-user-sftp-jail $ftp_user
fi
#----------------------------------------------------------#
# Vesta #
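Review bot: `$BINv-delete-user-sftp-jail $ftp_user` is missing the slash after `$BIN`, so the shell expands an unset `$BINv` and tries to execute `-delete-user-sftp-jail`, which cannot be found; the ftp account is removed but its bind mount, /chroot directory and sftp-only membership are left behind. It should read `$BIN/v-delete-user-sftp-jail $ftp_user`. Note also that v-delete-user-sftp-jail looks the account up in /etc/passwd and exits silently when it is gone, so if the lines above this hunk have already deleted the account (the fallback `sed -i "/^$ftp_user:/d" /etc/shadow` suggests a userdel just precedes), the teardown needs to move before that removal to have any effect. The enclosing script continues outside the hunk.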