SFTP support for additional "FTP" accounts (hestiacp#3844)

* Fix SFTP chroot jail

This handles the addition and deletion of the chroot jail mount points
during all relevant user add, change, and delete operations. It also
modifies sshd configuration to reflect the new chroot jail structure.

* Harden vsftpd by using the new SFTP chroot jail structure

* Revise ssh / sshd service restarts

Debian / Ubuntu now alias sshd service to ssh service so restarting
ssh service is actually restarting it twice so only restart sshd
service. Furthermore rename ssh service restarts to sshd if it is the
only restart command. This works since sshd is the name of the service
on CentOS and Debian / Ubuntu now have aliases for sshd.

* Update upgrade script to enable migration to new chroot jail system

* Remove chroot jail directories when deleting it

* Migrate script

* Fix main.sh format

* Fix some minor issues

* Update ssh config

---------

Co-authored-by: James Buren <braewoods+mgh@braewoods.net>

Author: jaapmarcus

bin/v-add-sys-sftp-jail

@@ -45,14 +45,14 @@ fi
 
 # Enabling jailed sftp
 if [ -z "$sftp_i" ]; then
-	echo " " >> $config
-	echo "# Hestia SFTP Chroot" >> $config
-	echo "Match User sftp_dummy99" >> $config
-	echo "ChrootDirectory %h" >> $config
-	echo "    X11Forwarding no" >> $config
-	echo "    AllowTCPForwarding no" >> $config
-	echo "    ForceCommand internal-sftp" >> $config
-	restart='yes'
+    echo " " >> $config
+    echo "# Hestia SFTP Chroot" >> $config
+    echo "Match User sftp_dummy99" >> $config
+    echo "    ChrootDirectory /srv/jail/%u" >> $config
+    echo "    X11Forwarding no" >> $config
+    echo "    AllowTCPForwarding no" >> $config
+    echo "    ForceCommand internal-sftp -d /home" >> $config
+    restart='yes'
 fi
 
 # Validating opensshd config
@@ -63,10 +63,10 @@ if [ "$restart" = 'yes' ]; then
 	if [ "$?" -ne 0 ]; then
 		mail_text="OpenSSH can not be restarted. Please check config:
             \n\n$(/usr/sbin/sshd -t)"
-		echo -e "$mail_text" | $SENDMAIL -s "$subj" $email
-	else
-		service ssh restart > /dev/null 2>&1
-	fi
+        echo -e "$mail_text" |$SENDMAIL -s "$subj" $email
+    else
+        service sshd restart >/dev/null 2>&1
+    fi
 fi
 
 # Checking users

bin/v-add-user-sftp-jail

@@ -75,6 +75,7 @@ sed -i "s/$ssh_users/$users/g" /etc/ssh/sshd_config
 if [ -d "/home/$user" ]; then
 	chown root:root /home/$user
 fi
+add_chroot_jail "$user"
 
 #----------------------------------------------------------#
 #                       Hestia                             #
@@ -85,7 +86,7 @@ if [ "$restart" = 'no' ]; then
 	# Skip restart of SSH daemon
 	echo "" > /dev/null 2>&1
 else
-	service ssh restart > /dev/null 2>&1
+	service sshd restart > /dev/null 2>&1
 fi
 
 # Logging

bin/v-change-web-domain-ftp-path

@@ -76,6 +76,10 @@ str=$(echo "$pw_str" | cut -f 1 -d :)
 old_path=$(echo "$pw_str" | cut -f 7 -d :)
 sed -i "$str s%$old_path%$ftp_path_a%g" /etc/passwd
 
+# Updating chroot jail for SFTP and FTP
+delete_chroot_jail $ftp_user
+add_chroot_jail $ftp_user
+
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#

bin/v-delete-sys-sftp-jail

@@ -34,9 +34,8 @@ config='/etc/ssh/sshd_config'
 sftp_n=$(grep -n "Subsystem.*sftp" $config | grep -v internal | grep ":#")
 sftp_i=$(grep -n "^# Hestia SFTP Chroot" $config)
 
-date=$("date +%s")
 # Backing up config
-cp $config $config.bak-$(date +%s)
+cp $config $config.bak
 
 # Enabling normal sftp
 if [ -n "$sftp_n" ]; then
@@ -61,9 +60,8 @@ if [ "$restart" = 'yes' ]; then
 	if [ "$?" -ne 0 ]; then
 		mail_text="OpenSSH can not be restarted. Please check config:
             \n\n$(/usr/sbin/sshd -t)"
-		echo -e "$mail_text" | $SENDMAIL -s "$subj" "$email"
+		echo -e "$mail_text" | $SENDMAIL -s "$subj" $email
 	else
-		service ssh restart > /dev/null 2>&1
 		service sshd restart > /dev/null 2>&1
 	fi
 fi
@@ -77,10 +75,6 @@ fi
 #                       Hestia                             #
 #----------------------------------------------------------#
 
-# Restart ssh service
-service ssh restart > /dev/null 2>&1
-service sshd restart > /dev/null 2>&1
-
 # Logging
 $BIN/v-log-action "system" "Warning" "Plugins" "SFTP Chroot Jail disabled."
 log_event "$OK" "$ARGUMENTS"

bin/v-delete-user-sftp-jail

@@ -68,12 +68,14 @@ sed -i "s/$ssh_users/$users/g" /etc/ssh/sshd_config
 if [ -d "/home/$user" ]; then
 	chown $user:$user /home/$user
 fi
+
+# Deleting chroot jail for SFTP and FTP
+delete_chroot_jail $user
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
 
 # Restart ssh service
-service ssh restart > /dev/null 2>&1
 service sshd restart > /dev/null 2>&1
 
 # Logging

func/main.sh

@@ -1708,3 +1708,47 @@ search_command_arg_position() {
 
 	echo "$position"
 }
+
+add_chroot_jail() {
+	local user=$1
+
+	mkdir -p /srv/jail/$user
+	chown 0:0 /srv /srv/jail /srv/jail/$user
+	chmod 755 /srv /srv/jail /srv/jail/$user
+	if [ ! -d /srv/jail/$user/home ]; then
+		mkdir -p /srv/jail/$user/home
+		chown 0:0 /srv/jail/$user/home
+		chmod 755 /srv/jail/$user/home
+	fi
+
+	cat > /etc/systemd/system/srv-jail-$user-home.mount << EOF
+[Unit]
+Description=Mount $user's home directory to the jail chroot
+Before=local-fs.target
+
+[Mount]
+What=$(getent passwd $user | cut -d : -f 6)
+Where=/srv/jail/$user/home
+Type=none
+Options=bind
+LazyUnmount=yes
+
+[Install]
+RequiredBy=local-fs.target
+EOF
+
+	systemctl daemon-reload > /dev/null 2>&1
+	systemctl enable srv-jail-$user-home.mount > /dev/null 2>&1
+	systemctl start srv-jail-$user-home.mount > /dev/null 2>&1
+}
+
+delete_chroot_jail() {
+	local user=$1
+
+	systemctl stop srv-jail-$user-home.mount > /dev/null 2>&1
+	systemctl disable srv-jail-$user-home.mount > /dev/null 2>&1
+	rm -f /etc/systemd/system/srv-jail-$user-home.mount
+	systemctl daemon-reload > /dev/null 2>&1
+	rmdir /srv/jail/$user/home > /dev/null 2>&1
+	rmdir /srv/jail/$user > /dev/null 2>&1
+}

install/deb/vsftpd/vsftpd.conf

@@ -18,7 +18,9 @@ tcp_wrappers=YES
 force_dot_files=YES
 ascii_upload_enable=YES
 ascii_download_enable=YES
-allow_writeable_chroot=YES
+allow_writeable_chroot=NO
+local_root=/srv/jail/%u
+user_sub_token=%u
 seccomp_sandbox=NO
 pasv_enable=YES
 pasv_promiscuous=YES

install/upgrade/versions/1.9.0.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.9.0
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### upgrade_config_set_value only accepts true or false.                    #######
+#######                                                                         #######
+####### Pass through information to the end user in case of a issue or problem  #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### in the upgrade notification email. Example:                             #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'yes'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
+
+# update config sftp jail
+$BIN/v-delete-sys-sftp-jail
+$BIN/v-add-sys-sftp-jail