yakworks
diff --git a/‎examples/dock-run.sh‎
Lines changed: 6 additions & 3 deletions b/‎examples/dock-run.sh‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎examples/sftp-data/test.txt‎
Lines changed: 0 additions & 1 deletion b/‎examples/sftp-data/test.txt‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎examples/users.conf‎
Lines changed: 12 additions & 6 deletions b/‎examples/users.conf‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎files/create-sftp-user‎
Lines changed: 59 additions & 25 deletions b/‎files/create-sftp-user‎
Lines changed: 59 additions & 25 deletions
diff --git a/‎files/create-sftp-user-new‎
Lines changed: 176 additions & 0 deletions b/‎files/create-sftp-user-new‎
Lines changed: 176 additions & 0 deletions
@@ -3,8 +3,11 @@
 # run this from the root project
 
 # docker build -t yakworks/sftp .
+docker stop sftp || true && docker rm sftp || true
 
-docker run --name sftp --rm --cap-add=SYS_ADMIN -p 30022:22 \
+docker run --name sftp --cap-add=SYS_ADMIN \
+  -p 30022:22 \
+  -e DATA_MOUNT_NAME=ninebox \
   -v $(pwd)/examples/users.conf:/etc/sftp/users.conf \
-  -v $(pwd)/examples/sftp-data:/sftp-data \
-  yakworks/sftp
+  -v $(pwd)/examples/sftp-data:/data \
+  -d yakworks/sftp
@@ -1,6 +1,12 @@
-# user:pass:uid:gid  - if gid is 27 is sudo/admin, 100 is user. 
-# admin will get data mounted and user with get data/user/%u mounted
-foo:FuB4r:1001:27
-bar:FuB4r:1002:27
-cust:FuB4r:1003:100
-cust2:FuB4r:1004:100
+# user:pass:uid:gid
+# if no uid will be auto assigned in normal linux fashion 
+# if no gid will default to users(100)
+# admin,sudo or 27 will be able to see all data
+# users will only be able to see whats in their dir
+# TODO read only group
+admin:FuB4r::admin
+superu:FuB4r::sudo
+superu:FuB4r::27
+user1:FuB4r::users
+user2:FuB4r::100
+user3:FuB4r
@@ -29,7 +29,7 @@ function validateArg() {
     fi
 }
 
-log "Parsing user data: \"$1\""
+# log "Parsing user data: \"$1\""
 IFS=':' read -ra args <<< "$1"
 
 skipIndex=0
@@ -45,7 +45,7 @@ if [ "${args[2]}" == "e" ]; then
 fi
 
 uid="${args[$((skipIndex+2))]}"; validateArg "UID" "$uid" "$reUid" || exit 1
-gid="${args[$((skipIndex+3))]}"; validateArg "GID" "$gid" "$reGid" || exit 1
+gid="${args[$((skipIndex+3))]}"; # validateArg "GID" "$gid" "$reGid" || exit 1
 dir="${args[$((skipIndex+4))]}"; validateArg "dirs" "$dir" "$reDir" || exit 1
 
 if getent passwd "$user" > /dev/null; then
@@ -58,22 +58,44 @@ if [ -n "$uid" ]; then
 fi
 
 if [ -n "$gid" ]; then
+    #if gid = admin then its old ubuntu lingo and new group should be sudo, change it
+    [ "$gid" = "admin" ] && gid="sudo" && log "'admin' group reclassed as 'sudo'. use numeric gid to force admin"
+    # check if it exists
     if ! getent group "$gid" > /dev/null; then
-        groupadd --gid "$gid" "group_$gid"
+        log "group $gid does not exists. Creating it"
+        if [[ "$gid" =~ ^[0-9]+$ ]]; then
+            # its a digit
+            groupadd --gid "$gid" "group_$gid"
+        else
+            groupadd "$gid"
+            #gid="$(cut -d: -f3 < <(getent group $gid))"
+        fi
     fi
+    #ensure we are workign with the id
+    grp_id="$(cut -d: -f3 < <(getent group $gid))"
+    gid=$grp_id
+    #log "group $gid has grp_id $grp_id"
+    # useraddOptions+=(--gid "$gid")
 
-    useraddOptions+=(--gid "$gid")
+else
+    log "no group specified, defaulting to 100:users"
+    gid=100
 fi
 
+useraddOptions+=(--gid "$gid")
+
 log "useradd ${useraddOptions[@]} $user"
 useradd "${useraddOptions[@]}" "$user"
+
+# locked down chroot setup where user's home is owned by root
 mkdir -p "/home/$user"
 chown root:root "/home/$user"
 chmod 755 "/home/$user"
 
 # Retrieving user id to use it in chown commands instead of the user name
 # to avoid problems on alpine when the user name contains a '.'
 uid="$(id -u "$user")"
+log "uid is $uid"
 
 if [ -n "$pass" ]; then
     echo "$user:$pass" | chpasswd $chpasswdOptions
@@ -106,10 +128,14 @@ if [ -n "$dir" ]; then
 fi
 
 ###### MODS for bind mounts #####
+
+# if DATA_DIR_NAME env is not set then make data the default
+: ${DATA_MOUNT_NAME:=data}
 # mount user dir
-dataPath="/sftp-data"
-userDataDir="$dataPath/users/$user"
-homeDataDir="/home/$user/data"
+dataPath="/data"
+usersDir="$dataPath/users"
+userDataDir="$usersDir/$user"
+homeDataDir="/home/$user/$DATA_MOUNT_NAME"
 
 # always create a data dir by default in the users home.
 if [ ! -d "$homeDataDir" ]; then
@@ -118,31 +144,39 @@ if [ ! -d "$homeDataDir" ]; then
     chown -R "$uid:$gid" "$homeDataDir"
 fi
 #mod user so the data dir is their home
-usermod -d /data "$user"
+usermod -d "$homeDataDir" "$user"
 
+#if the data path has been mapped in as volume then it will exists and do our special logic
 if [ -d "$dataPath" ]; then
-    log "- has $dataPath"
-    # for users mount the data/users/%u directory
-    if [ "$gid" = "100" ]; then
-        if [ ! -d "$userDataDir" ]; then
-            log "- mkdir -p $userDataDir"
-            mkdir -p "$userDataDir"
-        fi
+    log "data path has been mapped in as a volume"
+    # create users dir
+    if [ ! -d "$usersDir" ]; then
+        log "- no $usersDir so exec: mkdir -p $usersDir"
+        mkdir -p "$usersDir"
+        chown :sudo "$usersDir"
+        chmod 775 "$usersDir"
+    fi
+
+    # create users data dir
+    if [ ! -d "$userDataDir" ]; then
+        log "- mkdir -p $userDataDir"
+        mkdir -p "$userDataDir"
+        chown $user:users "$userDataDir"
+        chmod 775 "$userDataDir"
+    fi
+
+    # for users mount the ($userDataDir) directory
+    if [ "$gid" = "100" ] || [ "$gid" = "users" ]; then
         log "- mount --bind $userDataDir $homeDataDir"
-        # Remember permissions, you may have to fix them:
-        # chown -R :100 "$userDataDir"
         mount --bind "$userDataDir" "$homeDataDir"
-        #make sure permissions are good on users dir
-        chown -R :100 "$dataPath"
     fi
-    # for sudo (27) admins mount the data directory
-    if [ "$gid" = "27" ] ; then
+    # for (27) sudo/admins mount the data directory
+    if [ "$gid" = "27" ] || [ "$gid" = "sudo" ]; then
         # chown -R :100 "$userDataDir"
         mount --bind "$dataPath" "$homeDataDir"
-        #also make sure that they are assigned to the user group
-        usermod -g 100 "$user"
+        #also make sure that sudo/admins are assigned to the users group
+        usermod -g users "$user"
         usermod -a -G 27 "$user"
     fi
-    chown -R :100 "$dataPath"
-    chmod -R 775 "$dataPath"
 fi
+
@@ -0,0 +1,176 @@
+#!/bin/bash
+set -Eeo pipefail
+
+# shellcheck disable=2154
+trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
+
+# Extended regular expression (ERE) for arguments
+reUser='[A-Za-z0-9._][A-Za-z0-9._-]{0,31}' # POSIX.1-2008
+rePass='[^:]{0,255}'
+reUid='[[:digit:]]*'
+reGid='[[:digit:]]*'
+reDir='[^:]*'
+#reArgs="^($reUser)(:$rePass)(:e)?(:$reUid)?(:$reGid)?(:$reDir)?$"
+
+function log() {
+    echo "[$0] $*"
+}
+
+function validateArg() {
+    name="$1"
+    val="$2"
+    re="$3"
+
+    if [[ "$val" =~ ^$re$ ]]; then
+        return 0
+    else
+        log "ERROR: Invalid $name \"$val\", do not match required regex pattern: $re"
+        return 1
+    fi
+}
+
+log "Parsing user data: \"$1\""
+IFS=':' read -ra args <<< "$1"
+
+skipIndex=0
+chpasswdOptions=""
+useraddOptions=(--no-user-group)
+
+user="${args[0]}"; validateArg "username" "$user" "$reUser" || exit 1
+pass="${args[1]}"; validateArg "password" "$pass" "$rePass" || exit 1
+
+if [ "${args[2]}" == "e" ]; then
+    chpasswdOptions="-e"
+    skipIndex=1
+fi
+
+uid="${args[$((skipIndex+2))]}"; validateArg "UID" "$uid" "$reUid" || exit 1
+gid="${args[$((skipIndex+3))]}"; validateArg "GID" "$gid" "$reGid" || exit 1
+dir="${args[$((skipIndex+4))]}"; validateArg "dirs" "$dir" "$reDir" || exit 1
+
+if getent passwd "$user" > /dev/null; then
+    log "WARNING: User \"$user\" already exists. Skipping."
+    exit 0
+fi
+
+if [ -n "$uid" ]; then
+    useraddOptions+=(--non-unique --uid "$uid")
+fi
+
+if [ -n "$gid" ]; then
+    if ! getent group "$gid" > /dev/null; then
+        groupadd --gid "$gid" "group_$gid"
+    fi
+
+    useraddOptions+=(--gid "$gid")
+fi
+
+log "useradd ${useraddOptions[@]} $user"
+useradd "${useraddOptions[@]}" "$user"
+mkdir -p "/home/$user"
+chown root:root "/home/$user"
+chmod 755 "/home/$user"
+
+# Retrieving user id to use it in chown commands instead of the user name
+# to avoid problems on alpine when the user name contains a '.'
+uid="$(id -u "$user")"
+
+if [ -n "$pass" ]; then
+    echo "$user:$pass" | chpasswd $chpasswdOptions
+else
+    usermod -p "*" "$user" # disabled password
+fi
+
+# Add SSH keys to authorized_keys with valid permissions
+if [ -d "/home/$user/.ssh/keys" ]; then
+    for publickey in "/home/$user/.ssh/keys"/*; do
+        (cat "${publickey}"; echo) >> "/home/$user/.ssh/authorized_keys"
+    done
+    chown "$uid" "/home/$user/.ssh/authorized_keys"
+    chmod 600 "/home/$user/.ssh/authorized_keys"
+fi
+
+# Make sure dirs exists
+if [ -n "$dir" ]; then
+    IFS=',' read -ra dirArgs <<< "$dir"
+    for dirPath in "${dirArgs[@]}"; do
+        dirPath="/home/$user/$dirPath"
+        if [ ! -d "$dirPath" ]; then
+            log "Creating directory: $dirPath"
+            mkdir -p "$dirPath"
+            chown -R "$uid:$gid" "$dirPath"
+        else
+            log "Directory already exists: $dirPath"
+        fi
+    done
+# if dirs are not specified then create a default data one
+else
+
+fi
+
+###### MODS for shared sftp-data bind mounts #####
+# mount user dir
+sftpDataPath="/sftp-data"
+userDataDir="$dataPath/users/$user"
+homeDataMount="/home/$user/data"
+
+# always create a data dir by default in the users home.
+if [ ! -d "$homeDataDir" ]; then
+    log "- mkdir -p $homeDataDir"
+    mkdir -p "$homeDataDir"
+    chown -R "$uid:$gid" "$homeDataDir"
+fi
+#mod user so the data dir is their home
+usermod -d /data "$user"
+
+#if the data path has been mapped in as volume then it will exists and do our special logic
+if [ -d "$dataPath" ]; then
+    log "- has $dataPath"
+    #ensure main dataPath is owned by users (100) group and has good perimssions
+    #chown :users "$dataPath"
+    #chmod 775 "$dataPath"
+
+    if [ ! -d "$userDataDir" ]; then
+        log "- mkdir -p $userDataDir"
+        mkdir -p "$userDataDir"
+    fi
+
+    log "- mount --bind $userDataDir $homeDataDir"
+    # Remember permissions, you may have to fix them:
+    # chown -R :100 "$userDataDir"
+    mount --bind "$userDataDir" "$homeDataDir"
+    #make sure permissions are good on users dir
+    chown -R :users "$userDataDir"
+
+    # for users mount the data/users/%u directory
+    if [ "$gid" = "100" ]; then
+        if [ ! -d "$userDataDir" ]; then
+            log "- mkdir -p $userDataDir"
+            mkdir -p "$userDataDir"
+        fi
+        log "- mount --bind $userDataDir $homeDataDir"
+        # Remember permissions, you may have to fix them:
+        # chown -R :100 "$userDataDir"
+        mount --bind "$userDataDir" "$homeDataDir"
+        #make sure permissions are good on users dir
+        chown -R :users "$userDataDir"
+    fi
+    # for sudo (27) admins mount the data directory
+    if [ "$gid" = "27" ] ; then
+        # chown -R :100 "$userDataDir"
+        mount --bind "$dataPath" "$homeDataDir"
+        #also make sure that sudo admins are assigned to the user group
+        usermod -g users "$user"
+        usermod -a -G 27 "$user"
+    fi
+    #chown -R :100 "$dataPath"
+    #chmod -R 775 "$dataPath"
+fi
+
+# Source custom scripts, if any
+if [ -x /etc/sftp/user-setup.sh ]; then
+    log "Running user-setup.sh ..."
+
+    /etc/sftp/user-setup.sh "$user" "$uid" "$gid"
+
+fi