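#!/bin/bash
# Provision an SFTP-only, chrooted account.
#
# Usage: ./script USERNAME [PASSWORD]
#   If PASSWORD is omitted and stdin is not a terminal, the password is read
#   from stdin instead, which keeps it out of `ps` output and shell history.
#
# Add the following to the bottom of /etc/ssh/sshd_config and TEST FIRST
# (sshd -t) before reloading. If a "Subsystem sftp" line is already defined,
# comment it out first, otherwise sshd refuses to start.
#
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       PasswordAuthentication yes
#       ChrootDirectory /sftp/%u
#       ForceCommand internal-sftp -u 0000
#       AllowTcpForwarding no
#       PermitTunnel no
#       X11Forwarding no
#
# NOTE: "-u 0000" makes every file uploaded through SFTP world-readable and
# world-writable inside the chroot; "-u 0002" keeps the group rw bits that the
# sync setup below relies on without the world bits.
#
# sshd requires every path component of ChrootDirectory to be owned by root
# and not writable by group or others; the 0754 / 0750 modes below meet that.
set -eu

# Primary group of every SFTP-only account (matched by "Match Group" above).
readonly FTPGROUP="sftponly"
# Supplementary group that gets read/write on the per-user data directories,
# so a sync process can run without root.
readonly SUPP_GROUPS="extusers"
# Parent directory of all per-user chroots (ChrootDirectory /sftp/%u).
readonly HOMEROOT="/sftp"

#######################################
# Print a message to stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  printf '%s\n' "$1" >&2
  exit "${2:-1}"
}

#######################################
# Create a group unless it already exists.
# Uses getent for an exact name match: a prefix grep of /etc/group
# ("^sftponly") would also match "sftponly2" and skip creation.
# Arguments: $1 - group name
#######################################
ensure_group() {
  local name=$1
  getent group "$name" >/dev/null || addgroup "$name"
}

#######################################
# Validate the username and obtain the password.
# Globals:   FTPUSER (written), FTPPASS (written)
# Arguments: $1 - username, $2 - password (optional, see header)
# Returns:   exits 3 on any missing or invalid input
#######################################
read_args() {
  FTPUSER=${1:-}
  FTPPASS=${2:-}
  [ -n "$FTPUSER" ] || die "Needs a username!" 3
  # FTPUSER is spliced into filesystem paths below, so restrict it to a
  # conservative login-name alphabet ("/" and ".." must never get through).
  [[ "$FTPUSER" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] \
    || die "Invalid username: $FTPUSER" 3
  if id -u "$FTPUSER" >/dev/null 2>&1; then
    die "User $FTPUSER already exists!" 3
  fi
  # Fall back to a password piped on stdin when none was given on argv.
  if [ -z "$FTPPASS" ] && [ ! -t 0 ]; then
    IFS= read -r FTPPASS || true
  fi
  # The original test here was `[ "$FTPPASS}" ]`: the stray "}" made the
  # string non-empty, so an empty password was accepted.
  [ -n "$FTPPASS" ] || die "Needs a password!" 3
}

#######################################
# Create the account with no login shell and set its password.
# Home is "/" because it is resolved relative to the chroot. The password
# goes to chpasswd via a here-string, never as a command-line argument.
# Globals: FTPUSER, FTPPASS, FTPGROUP, SUPP_GROUPS (read)
#######################################
create_user() {
  useradd \
    --home "/" \
    --shell /bin/false \
    --gid "$FTPGROUP" \
    --groups "$SUPP_GROUPS" \
    "$FTPUSER"
  chpasswd --crypt-method=SHA512 <<<"$FTPUSER:$FTPPASS"
}

#######################################
# Lay out the per-user chroot.
# The top level is root-owned and non-writable (sshd demands it); the
# incoming/outgoing data directories are owned by the user, group-writable,
# setgid and carry a default ACL so everything created inside stays
# read-write for the supplementary group and no sync step needs root.
# Globals: HOMEROOT, FTPUSER, SUPP_GROUPS (read)
#######################################
create_chroot() {
  local user_root="$HOMEROOT/$FTPUSER"
  local -a data_dirs=("$user_root/incoming" "$user_root/outgoing")
  mkdir -p "${data_dirs[@]}"
  chown -R "$FTPUSER:$SUPP_GROUPS" "${data_dirs[@]}"
  chmod -R ug+rwx "${data_dirs[@]}"
  chmod g+s "${data_dirs[@]}"
  setfacl -m "default:group::rwx" "${data_dirs[@]}"
  chown "root:$SUPP_GROUPS" "$user_root"
  chmod 0750 "$user_root"
}

#######################################
# Entry point: validate input before any system change, then create the
# groups, the chroot parent, the account and its directory tree.
#######################################
main() {
  [ "$(id -u)" -eq 0 ] || die "Must run as root (useradd/chown/setfacl)" 1
  read_args "$@"
  ensure_group "$FTPGROUP"
  ensure_group "$SUPP_GROUPS"
  if [ ! -d "$HOMEROOT" ]; then
    # -m applies to the final component only; 0754 keeps it root-writable
    # only, as the ChrootDirectory rule requires.
    mkdir -m 0754 -p "$HOMEROOT"
    chown "root:$SUPP_GROUPS" "$HOMEROOT"
  fi
  create_user
  create_chroot
}

main "$@"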