Rewrite sftp jail with mount free version, thanks to @dpeca!

ScIT-Raphael · ScIT-Raphael · commit 9743e6da0d27 · 2019-04-28T15:07:30.000+02:00
diff --git a/bin/v-add-sys-sftp-jail b/bin/v-add-sys-sftp-jail
@@ -27,7 +27,7 @@ source $HESTIA/conf/hestia.conf
 # Checking sshd directives
 config='/etc/ssh/sshd_config'
 sftp_n=$(grep -n "Subsystem.*sftp" $config |grep -v internal |grep -v ":#")
-sftp_i=$(grep -n "Subsystem.*sftp" $config |grep internal |grep -v ":#")
+sftp_i=$(grep -n "^# Hestia SFTP Chroot" $config)
 
 # Disabling normal sftp
 if [ ! -z "$sftp_n" ]; then
@@ -39,11 +39,11 @@ fi
 # Enabling jailed sftp
 if [ -z "$sftp_i" ]; then
     echo " " >> $config
-    echo "Subsystem sftp internal-sftp" >> $config
-    echo "Match Group sftp-only" >> $config
-    echo "ChrootDirectory /chroot/%u" >> $config
-    echo "    AllowTCPForwarding no" >> $config
+    echo "# Hestia SFTP Chroot" >> $config
+    echo "Match User sftp_dummy99" >> $config
+    echo "ChrootDirectory %h" >> $config
     echo "    X11Forwarding no" >> $config
+    echo "    AllowTCPForwarding no" >> $config
     echo "    ForceCommand internal-sftp" >> $config
     restart='yes'
 fi
@@ -63,32 +63,12 @@ if [ "$restart" = 'yes' ]; then
     fi
 fi
 
-# Adding sftp group
-groupadd sftp-only 2>/dev/null
-
 # Checking users
 shells="rssh|nologin"
 for user in $(grep "$HOMEDIR" /etc/passwd |egrep "$shells" |cut -f 1 -d:); do
     $BIN/v-add-user-sftp-jail $user
 done
 
-# Adding v-add-sys-sftp-jail to startup
-if [ -e "/etc/rc.local" ]; then
-    check_sftp=$(grep $0 /etc/rc.local)
-    check_exit=$(grep ^exit /etc/rc.local)
-    if [ -z "$check_sftp" ]; then
-        if [ -z "$check_exit" ]; then
-            echo "$BIN/v-add-sys-sftp-jail" >> /etc/rc.local
-        else
-            sed -i "s|^exit|$BIN/v-add-sys-sftp-jail\nexit|" /etc/rc.local
-        fi
-    fi
-    chmod +x /etc/rc.local
-else
-    echo "$BIN/v-add-sys-sftp-jail" > /etc/rc.local
-    chmod +x /etc/rc.local
-fi
-
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
diff --git a/bin/v-add-user-sftp-jail b/bin/v-add-user-sftp-jail
@@ -33,36 +33,36 @@ if [ $user = "syslog" ]; then
     exit
 fi
 
+# Get current users and split into array
+ssh_users=$(grep -A1 "^# Hestia SFTP Chroot" /etc/ssh/sshd_config | sed -n 2p | sed 's/Match User //')
+IFS=',' read -r -a users <<< "$ssh_users"
+
+# Check if jail is already enabled
+if [[ ! " ${users[@]} " =~ " ${user} " ]]; then
+    exit
+fi
+
 
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Defining user homedir
-home="$(echo $user_str |cut -f 6 -d :)"
+# Add user to array
+users+=($user)
 
-# Adding chroot directory
-if [ ! -d "/chroot/$user/$home" ]; then
-    mkdir -p /chroot/$user/$home
-    chmod 750 /chroot/$user
-    chmod 775 /chroot/$user/$home
-    chown root:sftp-only /chroot/$user
-    chown $user:sftp-only /chroot/$user/$home
-fi
-
-# Adding user to sftp group
-usermod -a -G sftp-only $user
-
-# Mouting home directory
-if [ -z "$(mount |grep /chroot/$user/$home)" ]; then
-    mount -o bind $home /chroot/$user/$home/
-fi
+# Write new user list to config
+users=$(IFS=',';echo "${users[*]// /|}";IFS=$' \t\n')
+sed -i "s/$ssh_users/$users/g" /etc/ssh/sshd_config
 
 
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
 
+# Restart ssh service
+service ssh restart > /dev/null 2>&1
+service sshd restart > /dev/null 2>&1
+
 # Logging
 log_event "$OK" "$ARGUMENTS"
 
diff --git a/bin/v-delete-sys-sftp-jail b/bin/v-delete-sys-sftp-jail
@@ -27,15 +27,10 @@ source $HESTIA/conf/hestia.conf
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Checking users
-for user in $(grep "$HOMEDIR" /etc/passwd |cut -f 1 -d:); do
-    $BIN/v-delete-user-sftp-jail $user
-done
-
 # Checking sshd directives
 config='/etc/ssh/sshd_config'
 sftp_n=$(grep -n "Subsystem.*sftp" $config |grep -v internal |grep ":#")
-sftp_i=$(grep -n "Subsystem.*sftp" $config |grep internal |grep -v ":#")
+sftp_i=$(grep -n "^# Hestia SFTP Chroot" $config)
 
 # Backing up config
 cp $config $config.bak-$(date +%s)
@@ -70,14 +65,15 @@ if [ "$restart" = 'yes' ]; then
     fi
 fi
 
-# Deleting v-add-sys-sftp-jail from startup
-sed -i "/v-add-sys-sftp-jail/d" /etc/rc.local 2>/dev/null
-
 
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
 
+# Restart ssh service
+service ssh restart > /dev/null 2>&1
+service sshd restart > /dev/null 2>&1
+
 # Logging
 log_event "$OK" "$ARGUMENTS"
 
diff --git a/bin/v-delete-user-sftp-jail b/bin/v-delete-user-sftp-jail
@@ -28,35 +28,40 @@ if [ -z "$user_str" ]; then
     exit
 fi
 
+# Get current users and split into array
+ssh_users=$(grep -A1 "^# Hestia SFTP Chroot" /etc/ssh/sshd_config | sed -n 2p | sed 's/Match User //')
+IFS=',' read -r -a users <<< "$ssh_users"
+
+# Check if jail exist
+if [[ ! " ${users[@]} " =~ " ${user} " ]]; then
+    exit
+fi
+
+
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Defining user homedir
-home="$(echo $user_str |cut -f 6 -d :)"
-
-# Unmounting home directory
-mount_dir=$(mount |grep /chroot/$user/ |awk '{print $3}')
-if [ ! -z "$mount_dir" ]; then
-    umount -f $mount_dir 2>/dev/null
-    if [ $? -ne 0 ]; then
-        gpasswd -d $user sftp-only >/dev/null 2>&1
-        exit 1
+# Remove user from array
+for sftp_user in "${users[@]}"; do
+    if [ "$sftp_user" != "$user" ]; then
+        new_users+=($sftp_user)
     fi
-fi
+done
 
-# Deleting chroot dir
-rmdir $mount_dir 2>/dev/null
-rm -rf /chroot/$user
-
-# Deleting user from sftp group
-gpasswd -d $user sftp-only >/dev/null 2>&1
+# Write new user list to config
+users=$(IFS=',';echo "${new_users[*]// /|}";IFS=$' \t\n')
+sed -i "s/$ssh_users/$users/g" /etc/ssh/sshd_config
 
 
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
 
+# Restart ssh service
+service ssh restart > /dev/null 2>&1
+service sshd restart > /dev/null 2>&1
+
 # Logging
 #log_event "$OK" "$ARGUMENTS"
 
