Untitled

#!/bin/bash
# add following to bottom of /etc/ssh/sshd_config and TEST FIRST using sshd -t or something
# and make sure if sftp is already defined, to comment out that subsystem definition

# Subsystem       sftp    internal-sftp
# Match Group sftponly
#   PasswordAuthentication yes
#   ChrootDirectory /sftp/%u
#   ForceCommand internal-sftp -u 0000
#   AllowTcpForwarding no
#   PermitTunnel no
#   X11Forwarding no


# create these groups first
FTPGROUP="sftponly"
grep -qE "^$FTPGROUP" /etc/group || addgroup "$FTPGROUP"


# make the group listed below
SUPP_GROUPS="extusers"
grep -qE "^$SUPP_GROUPS" /etc/group || addgroup "$SUPP_GROUPS"

HOMEROOT="/sftp"
[ -d "$HOMEROOT" ] || {
  mkdir -m 0754 -p "$HOMEROOT"
  chown "root:$SUPP_GROUPS" "$HOMEROOT"
}


FTPUSER="$1"
FTPPASS="$2"

[ "$FTPUSER" ] || {
  echo "Needs a username!" >&2
  exit 3
}

id -u "$FTPUSER" &>/dev/null && {
  echo "User $FTPUSER already exists!" >&2
  exit 3
}

[ "$FTPPASS}" ] || {
  echo "Needs a password!" >&2
  exit 3
}

useradd \
  --home "/" \
  --shell /bin/false \
  --gid "$FTPGROUP" \
  --groups "$SUPP_GROUPS" \
  "$FTPUSER"

chpasswd --crypt-method=SHA512 <<<"$FTPUSER:$FTPPASS"

# The goal here is to make all files in user subdirs be read-write
# for supp group so any sync process can be done without root perms.
mkdir -p "$HOMEROOT/$FTPUSER"/{incoming,outgoing}
chown -R "$FTPUSER:$SUPP_GROUPS" "$HOMEROOT/$FTPUSER"/*
chmod -R ug+rwx "$HOMEROOT/$FTPUSER"/*
chmod g+s $HOMEROOT/$FTPUSER/*
setfacl -m "default:group::rwx" "$HOMEROOT/$FTPUSER"/*
chown "root:$SUPP_GROUPS" "$HOMEROOT/$FTPUSER"

chmod 0750 "$HOMEROOT/$FTPUSER"