
chroot_utils.sh

# -----------------------------------------------------------

# Per-instance layout: `instance` must already be set by the caller (it is
# not assigned in this excerpt, and neither is chroot_groupname, which the
# functions below read). An instance lives under /srv/<instance>, with its
# users' home directories below /srv/<instance>/home.
groupname=$instance
instroot=/srv/$instance
insthome=$instroot/home

# mod_user_db=yes



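#######################################
# Create the per-instance chroot tree: $instroot (the sshd
# ChrootDirectory), $instroot/home, $instroot/shared and the bin/etc/log
# service directories, with setgid bits and default ACLs so entries
# created later inherit the instance group's access.
# Globals:   groupname, chroot_groupname, instroot, insthome,
#            mod_user_db (read); DBG (prefix for every privileged
#            command, so DBG=echo gives a dry run)
# Outputs:   progress lines to stdout
# Returns:   1 without touching the filesystem when groupname, instroot
#            or insthome is empty -- an empty instance name would make
#            this operate on /srv itself and turn "d:g::rwx" into a
#            grant to the owning group.
#######################################
bootstrap()
{
    echo "bootstrap"
    echo ""

    if [ -z "$groupname" ] || [ -z "$instroot" ] || [ -z "$insthome" ]; then
        echo "bootstrap: groupname, instroot and insthome must be set" >&2
        return 1
    fi

    # Groups are only created when the user database may be modified.
    # Quoted "$mod_user_db" keeps the test valid when the variable is
    # unset (the bare form produced "unary operator expected").
    if [ "$mod_user_db" = yes ]; then
        $DBG addgroup "$groupname"
        $DBG addgroup "$chroot_groupname"
    fi

    # sshd refuses a ChrootDirectory that is not root-owned or that is
    # group/world-writable, hence 0:0 and 755 on the instance root.
    # "owner:group" is the documented chown separator; "." is a GNU
    # extension that is ambiguous for group names containing a dot.
    $DBG mkdir "$instroot"
    $DBG chown 0:0 "$instroot"
    $DBG chmod 755 "$instroot"

    $DBG mkdir "$insthome"
    $DBG chown "0:$groupname" "$insthome"
    $DBG chmod 750 "$insthome"

    # Now that the directories exist, set the default ACLs and the setgid
    # bit: new entries below $instroot give the instance group rwx and
    # "other" nothing, and keep the group inherited from the directory.
    $DBG setfacl -m "d:g:$groupname:rwx" "$instroot"
    $DBG setfacl -m d:o:-                "$instroot"

    $DBG chmod g+s "$instroot"

    $DBG setfacl -m "g:$groupname:rwx"   "$insthome"

    # Group-writable area shared by all users of the instance.
    $DBG mkdir "$instroot/shared"
    $DBG chown "0:$groupname" "$instroot/shared"
    $DBG chmod 770 "$instroot/shared"
    $DBG chmod g+s "$instroot/shared"

    # Service directories: owned by www-data, read-only for the instance
    # group, nothing for others. The default owning-group entry is
    # cleared ("d:g::-") so files created here are not group-accessible
    # through www-data; only the named instance-group entry grants rx.
    local rdir
    for rdir in bin etc log; do

        $DBG mkdir "$instroot/$rdir"
        $DBG chown 0:www-data "$instroot/$rdir"
        $DBG chmod 750        "$instroot/$rdir"
        $DBG chmod g+s        "$instroot/$rdir"

        $DBG setfacl -m d:o:-                "$instroot/$rdir"
        $DBG setfacl -m d:g::-               "$instroot/$rdir"
        $DBG setfacl -m "d:g:$groupname:rx"  "$instroot/$rdir"
        $DBG setfacl -m "g:$groupname:rx"    "$instroot/$rdir"

    done

    echo ""
}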

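#######################################
# Create each account named in the space-separated global new_users with
# its home directory inside the chroot, then lock the directory down.
# Globals:   new_users, insthome, groupname, chroot_groupname,
#            mod_user_db (read); DBG (command prefix, DBG=echo dry-runs)
# Outputs:   progress lines to stdout
# Returns:   1 when insthome is empty, since the chmod/setfacl calls
#            would then target "/<user>".
#######################################
user_stuff()
{
    echo "user_stuff"
    echo ""

    if [ -z "$insthome" ]; then
        echo "user_stuff: insthome must be set" >&2
        return 1
    fi

    # new_users is deliberately word-split into individual names.
    local u
    for u in $new_users; do

        # Quoted "$mod_user_db" keeps the test valid when unset (the bare
        # form produced "unary operator expected" and skipped the chain).
        if [ "$mod_user_db" = yes ]; then
            # The account is created with its real home below $insthome,
            # then its passwd entry is pointed at "/home/$u" -- presumably
            # the path as seen from inside the chroot. Group membership
            # is only granted when both steps succeeded, as before.
            $DBG useradd -m -d "$insthome/$u" "$u" \
            && $DBG usermod -d "/home/$u" "$u" \
            && { $DBG adduser "$u" "$groupname"; $DBG adduser "$u" "$chroot_groupname"; }
        fi

        # Home is private to the user and its group (no "other" access,
        # also for new entries); the ACL mask is opened to rwx so named
        # group entries are not silently masked down.
        $DBG chmod 750 "$insthome/$u"
        $DBG chmod g+s "$insthome/$u"

        $DBG setfacl -m m:rwx "$insthome/$u"
        $DBG setfacl -m d:o:- "$insthome/$u"

    done

    echo ""
}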

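#######################################
# Create each document root named in the space-separated global docroots
# below $instroot: owned by www-data, setgid, rwx for the instance group
# (also by default for new entries), nothing for others.
# Globals:   docroots, instroot, groupname (read); DBG (command prefix,
#            DBG=echo dry-runs)
# Outputs:   progress lines to stdout
# Returns:   1 when instroot or groupname is empty -- an empty group
#            turns "d:g::rwx" into a default grant to the owning group
#            (www-data) rather than to the instance group.
#######################################
docroots()
{
    echo "docroots"
    echo ""

    if [ -z "$instroot" ] || [ -z "$groupname" ]; then
        echo "docroots: instroot and groupname must be set" >&2
        return 1
    fi

    # docroots is deliberately word-split into individual directory names.
    local r
    for r in $docroots; do

        $DBG mkdir            "$instroot/$r"
        $DBG chown 0:www-data "$instroot/$r"
        $DBG chmod 750        "$instroot/$r"
        $DBG chmod g+s        "$instroot/$r"

        # Mask opened to rwx so the named-group entry is effective.
        $DBG setfacl -m "d:g:$groupname:rwx" "$instroot/$r"
        $DBG setfacl -m m:rwx                "$instroot/$r"
        $DBG setfacl -m d:o:-                "$instroot/$r"

    done

    echo ""
}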

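#######################################
# Print the sshd_config stanza that confines members of $chroot_groupname
# to $instroot with internal-sftp only: no X11 or TCP forwarding, files
# created with umask 0027. Nothing is written to sshd_config.
# Globals:   chroot_groupname, instroot (read)
# Outputs:   the stanza, framed by marker lines, to stdout
# Returns:   1 when either global is empty, because the stanza would then
#            be invalid ("Match group" with no group, empty
#            ChrootDirectory).
#######################################
opensshconf()
{
    # The banner previously said "opensshcond" and did not match the
    # function name.
    echo "opensshconf"
    echo ""

    if [ -z "$chroot_groupname" ] || [ -z "$instroot" ]; then
        echo "opensshconf: chroot_groupname and instroot must be set" >&2
        return 1
    fi

    echo "add this to /etc/ssh/sshd_config"
    echo "=========%<=============%<==============%<========="

    # sshd requires ChrootDirectory and every path component above it to
    # be root-owned and not group/world-writable, which is what bootstrap
    # sets on $instroot.
    cat << __EOF__
Match group $chroot_groupname
    ChrootDirectory $instroot
    X11Forwarding no
    AllowTCPForwarding no
    ForceCommand internal-sftp -u 0027
__EOF__

    echo "=========>%=============>%==============>%========="
}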