Jailed SFTP via OpenSSH

serghey-rodin · serghey-rodin · commit 93b2a8617aff · 2015-09-18T17:42:48.000+03:00
diff --git a/bin/v-add-sys-sftp-jail b/bin/v-add-sys-sftp-jail
@@ -0,0 +1,106 @@
+#!/bin/bash
+# info: add system sftp jail
+# opions: NONE
+#
+# The script enables sftp jailed environment
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system enviroment  as we run this script
+# mostly by cron wich do not read it by itself
+source /etc/profile
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+if [ -z "$SFTPJAIL_KEY" ]; then
+    exit
+fi
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking sshd directives
+config='/etc/ssh/sshd_config'
+sftp_n=$(grep -n "Subsystem.*sftp" $config |grep -v internal |grep -v ":#")
+sftp_i=$(grep -n "Subsystem.*sftp" $config |grep internal |grep -v ":#")
+
+# Disabling normal sftp
+if [ ! -z "$sftp_n" ]; then
+    fline=$(echo $sftp_n |cut -f 1 -d :)
+    sed -i "${fline}s/Subsystem.*sftp/#Subsystem sftp/" $config
+    restart='yes'
+fi
+
+# Enabling jailed sftp
+if [ -z "$sftp_i" ]; then
+    echo "Subsystem sftp internal-sftp" >> $config
+    echo "Match Group sftp-only" >> $config
+    echo "ChrootDirectory /chroot/%u" >> $config
+    echo "    AllowTCPForwarding no" >> $config
+    echo "    X11Forwarding no" >> $config
+    echo "    ForceCommand internal-sftp" >> $config
+    restart='yes'
+fi
+
+# Validating opensshd config
+if [ "$restart" = 'yes' ]; then
+    subj="OpenSSH restart failed"
+    email=$(grep CONTACT $VESTA/data/users/admin/user.conf |cut -f 2 -d \')
+    send_mail="$VESTA/web/inc/mail-wrapper.php"
+    /usr/sbin/sshd -t >/dev/null 2>&1
+    if [ "$?" -ne 0 ]; then
+        mail_text="OpenSSH can not be restarted. Please check config:
+            \n\n$(/usr/sbin/sshd -t)"
+        echo -e "$mail_text" | $send_mail -s "$subj" $email
+    else
+        service ssh restart >/dev/null 2>&1
+        service sshd restart >/dev/null 2>&1
+    fi
+fi
+
+# Adding sftp group
+groupadd sftp-only 2>/dev/null
+
+# Checking users
+shells="rssh|nologin"
+for user in $(grep "$HOMEDIR" /etc/passwd |egrep "$shells" |cut -f 1 -d:); do
+    $BIN/v-add-user-sftp-jail $user
+done
+
+# Adding v-add-sys-sftp-jail to startup
+if [ -e "/etc/rc.local" ]; then
+    check_sftp=$(grep $0 /etc/rc.local)
+    check_exit=$(grep ^exit /etc/rc.local)
+    if [ -z "$check_sftp" ]; then
+        if [ -z "$check_exit" ]; then
+            echo "$BIN/v-add-sys-sftp-jail" >> /etc/rc.local
+        else
+            sed -i "s|^exit|$BIN/v-add-sys-sftp-jail\nexit|" /etc/rc.local
+        fi
+    fi
+    chmod +x /etc/rc.local
+else
+    echo "$BIN/v-add-sys-sftp-jail" > /etc/rc.local
+    chmod +x /etc/rc.local
+fi
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-add-user b/bin/v-add-user
@@ -207,6 +207,11 @@ if [ -x "$VESTA/data/packages/$package.sh" ]; then
     $VESTA/data/packages/$package.sh "$user" "$email" "$fname" "$lname"
 fi
 
+# Adding jailed sftp env
+if [ ! -z "$SFTPJAIL_KEY" ]; then
+    $BIN/v-add-user-sftp-jail $user
+fi
+
 # Logging
 log_history "added system user $user" '' 'admin'
 log_event "$OK" "$EVENT"
diff --git a/bin/v-add-user-sftp-jail b/bin/v-add-user-sftp-jail
@@ -0,0 +1,66 @@
+#!/bin/bash
+# info: add user sftp jail
+# opions: USER
+#
+# The script enables sftp jailed environment
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+user=$1
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER'
+validate_format 'user'
+if [ -z "$SFTPJAIL_KEY" ]; then
+    exit
+fi
+user_str=$(grep "^$user:" /etc/passwd |egrep "rssh|nologin")
+if [ -z "$user_str" ]; then
+    exit
+fi
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Defining user homedir
+home="$(echo $user_str |cut -f 6 -d :)"
+
+# Adding chroot directory
+if [ ! -d "/chroot/$user/$home" ]; then
+    mkdir -p /chroot/$user/$home
+    chmod 750 /chroot/$user
+    chmod 775 /chroot/$user/$home
+    chown root:sftp-only /chroot/$user
+    chown $user:sftp-only /chroot/$user/$home
+fi
+
+# Adding user to sftp group
+usermod -a -G sftp-only $user
+
+# Mouting home directory
+if [ -z "$(mount |grep $home)" ]; then
+    mount -o bind $home /chroot/$user/$home/
+fi
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+#log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-add-web-domain-ftp b/bin/v-add-web-domain-ftp
@@ -94,6 +94,11 @@ fi
 echo "$ftp_user:$password" | /usr/sbin/chpasswd
 ftp_md5=$(awk -v user=$ftp_user -F : 'user == $1 {print $2}' /etc/shadow)
 
+# Adding jailed sftp env
+if [ ! -z "$SFTPJAIL_KEY" ]; then
+    $BIN/v-add-user-sftp-jail $ftp_user
+fi
+
 
 #----------------------------------------------------------#
 #                       Vesta                              #
diff --git a/bin/v-change-user-shell b/bin/v-change-user-shell
@@ -39,6 +39,11 @@ shell_path=$(grep -w "$shell" /etc/shells | head -n1)
 /usr/bin/chsh -s "$shell_path" "$user" &>/dev/null
 shell=$(basename $shell_path)
 
+# Adding jailed sftp env
+if [ ! -z "$SFTPJAIL_KEY" ]; then
+    $BIN/v-add-user-sftp-jail $user
+fi
+
 
 #----------------------------------------------------------#
 #                       Vesta                              #
diff --git a/bin/v-delete-sys-sftp-jail b/bin/v-delete-sys-sftp-jail
@@ -0,0 +1,89 @@
+#!/bin/bash
+# info: delete system sftp jail
+# opions: NONE
+#
+# The script enables sftp jailed environment
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system enviroment  as we run this script
+# mostly by cron wich do not read it by itself
+source /etc/profile
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+if [ -z "$SFTPJAIL_KEY" ]; then
+    exit
+fi
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking users
+for user in $(grep "$HOMEDIR" /etc/passwd |cut -f 1 -d:); do
+    $BIN/v-delete-user-sftp-jail $user
+done
+
+# Checking sshd directives
+config='/etc/ssh/sshd_config'
+sftp_n=$(grep -n "Subsystem.*sftp" $config |grep -v internal |grep ":#")
+sftp_i=$(grep -n "Subsystem.*sftp" $config |grep internal |grep -v ":#")
+
+# Backing up config
+cp $config $config.bak-$(date +%s)
+
+# Enabling normal sftp
+if [ ! -z "$sftp_n" ]; then
+    fline=$(echo $sftp_n |cut -f 1 -d :)
+    sed -i "${fline}s/#Subsystem/Subsystem sftp/" $config
+    restart='yes'
+fi
+
+# Disabling jailed sftp
+if [ ! -z "$sftp_i" ]; then
+    fline=$(echo $sftp_i |cut -f 1 -d :)
+    lline=$((fline + 5))
+    sed -i "${fline},${lline}d" $config
+    restart='yes'
+fi
+
+# Validating opensshd config
+if [ "$restart" = 'yes' ]; then
+    subj="OpenSSH restart failed"
+    email=$(grep CONTACT $VESTA/data/users/admin/user.conf |cut -f 2 -d \')
+    send_mail="$VESTA/web/inc/mail-wrapper.php"
+    /usr/sbin/sshd -t >/dev/null 2>&1
+    if [ "$?" -ne 0 ]; then
+        mail_text="OpenSSH can not be restarted. Please check config:
+            \n\n$(/usr/sbin/sshd -t)"
+        echo -e "$mail_text" | $send_mail -s "$subj" $email
+    else
+        service ssh restart >/dev/null 2>&1
+        service sshd restart >/dev/null 2>&1
+    fi
+fi
+
+# Deleting v-add-sys-sftp-jail from startup
+sed -i "/v-add-sys-sftp-jail/d" /etc/rc.local 2>/dev/null
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-delete-user-sftp-jail b/bin/v-delete-user-sftp-jail
@@ -0,0 +1,63 @@
+#!/bin/bash
+# info: delete user sftp jail
+# opions: USER
+#
+# The script enables sftp jailed environment
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Argument defenition
+user=$1
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER'
+validate_format 'user'
+user_str=$(grep "^$user:" /etc/passwd)
+if [ -z "$user_str" ]; then
+    exit
+fi
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Defining user homedir
+home="$(echo $user_str |cut -f 6 -d :)"
+
+# Unmounting home directory
+mount_dir=$(mount |grep /chroot/$user/ |awk '{print $3}')
+if [ ! -z "$mount_dir" ]; then
+    umount -f $mount_dir 2>/dev/null
+    if [ $? -ne 0 ]; then
+        gpasswd -d $user sftp-only >/dev/null 2>&1
+        exit 1
+    fi
+fi
+
+# Deleting chroot dir
+rmdir $mount_dir 2>/dev/null
+rm -rf /chroot/$user
+
+# Deleting user from sftp group
+gpasswd -d $user sftp-only >/dev/null 2>&1
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+#log_event "$OK" "$EVENT"
+
+exit
diff --git a/bin/v-delete-web-domain-ftp b/bin/v-delete-web-domain-ftp
@@ -51,6 +51,11 @@ if [ "$?" != 0 ]; then
     sed -i "/^$ftp_user:/d" /etc/shadow
 fi
 
+# Deleting sftp jail
+if [ ! -z "$SFTPJAIL_KEY" ]; then
+    $BINv-delete-user-sftp-jail $ftp_user
+fi
+
 
 #----------------------------------------------------------#
 #                       Vesta                              #
