Should work now

4 years ago · b4264bccfa
parent fef1685786
commit b4264bccfa
5 changed files with 249 additions and 1 deletions
--- a/15
+++ b/15
@ -0,0 +1,15 @@
 FROM alpine:latest
 # Steps done in one RUN layer:
 # - Install packages
 # - Fix default group (1000 does not exist)
 # - OpenSSH needs /var/run/sshd to run
 # - Remove generic host keys, entrypoint generates unique keys
 RUN apk add --no-cache openssh openssh-sftp-server && \
    sed -i 's/GROUP=1000/GROUP=100/' /etc/default/useradd && \
    mkdir -p /var/run/sshd && \
    rm -f /etc/ssh/ssh_host_*key*
 COPY root/ /
 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -2,7 +2,8 @@ version: "3"
 services:
  sftp:
-    image: ${SFTP_IMG:-atmoz/sftp}:${SFTP_TAG:-latest}
+    #image: ${SFTP_IMG:-atmoz/sftp}:${SFTP_TAG:-latest}
    build: .
    container_name: ${SFTP_CONTAINER_NAME:-sftp}
    restart: ${SFTP_RESTART:-unless-stopped}
    volumes:
--- a/root/config/sshd_config
+++ b/root/config/sshd_config
@ -0,0 +1,22 @@
 # Secure defaults
 # See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
 Protocol 2
 HostKey /etc/ssh/ssh_host_ed25519_key
 HostKey /etc/ssh/ssh_host_rsa_key
 # Faster connection
 # See: https://github.com/atmoz/sftp/issues/11
 UseDNS no
 # Limited access
 PermitRootLogin no
 X11Forwarding no
 AllowTcpForwarding no
 # Force sftp and chroot jail
 Subsystem sftp internal-sftp
 ForceCommand internal-sftp
 ChrootDirectory %h
 # Enable this for more logs
 #LogLevel VERBOSE
--- a/root/entrypoint.sh
+++ b/root/entrypoint.sh
@ -0,0 +1,97 @@
 #!/bin/bash
 set -Eeo pipefail
 if [ ! -e /etc/openvpn/sshd_config ]; then
    log "Configuration file sshd_config not found. Initializing..."
    cp /config/sshd_config /etc/ssh/sshd_config
 fi
 # shellcheck disable=2154
 trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
 reArgsMaybe="^[^:[:space:]]+:.*$" # Smallest indication of attempt to use argument
 reArgSkip='^([[:blank:]]*#.*|[[:blank:]]*)$' # comment or empty line
 # Paths
 userConfPath="/etc/sftp/users.conf"
 userConfFinalPath="/var/run/sftp/users.conf"
 function log() {
    echo "[$0] $*" >&2
 }
 # Allow running other programs, e.g. bash
 if [[ -z "$1" || "$1" =~ $reArgsMaybe ]]; then
    startSshd=true
 else
    startSshd=false
 fi
 # Create users only on first run
 if [ ! -f "$userConfFinalPath" ]; then
    mkdir -p "$(dirname $userConfFinalPath)"
    if [ -f "$userConfPath" ]; then
        # Append mounted config to final config
        grep -v -E "$reArgSkip" < "$userConfPath" > "$userConfFinalPath"
    fi
    if $startSshd; then
        # Append users from arguments to final config
        for user in "$@"; do
            echo "$user" >> "$userConfFinalPath"
        done
    fi
    if [ -n "$SFTP_USERS" ]; then
        # Append users from environment variable to final config
        IFS=" " read -r -a usersFromEnv <<< "$SFTP_USERS"
        for user in "${usersFromEnv[@]}"; do
            echo "$user" >> "$userConfFinalPath"
        done
    fi
    # Check that we have users in config
    if [ -f "$userConfFinalPath" ] && [ "$(wc -l < "$userConfFinalPath")" -gt 0 ]; then
        # Import users from final conf file
        while IFS= read -r user || [[ -n "$user" ]]; do
            create-sftp-user.sh "$user"
        done < "$userConfFinalPath"
    elif $startSshd; then
        log "FATAL: No users provided!"
        exit 3
    fi
    # Generate unique ssh keys for this container, if needed
    if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
        ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
    fi
    if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
        ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
    fi
    # Restrict access from other users
    chmod 600 /etc/ssh/ssh_host_ed25519_key || true
    chmod 600 /etc/ssh/ssh_host_rsa_key || true
 fi
 # Source custom scripts, if any
 if [ -d /etc/sftp.d ]; then
    for f in /etc/sftp.d/*; do
        if [ -x "$f" ]; then
            log "Running $f ..."
            $f
        else
            log "Could not run $f, because it's missing execute permission (+x)."
        fi
    done
    unset f
 fi
 if $startSshd; then
    log "Executing sshd"
    exec /usr/sbin/sshd -D -e
 else
    log "Executing $*"
    exec "$@"
 fi
--- a/root/usr/local/bin/create-sftp-user.sh
+++ b/root/usr/local/bin/create-sftp-user.sh
@ -0,0 +1,113 @@
 #!/bin/bash
 set -Eeo pipefail
 # shellcheck disable=2154
 trap 's=$?; echo "$0: Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
 # Extended regular expression (ERE) for arguments
 reUser='[A-Za-z0-9._][A-Za-z0-9._-]{0,31}' # POSIX.1-2008
 rePass='[^:]{0,255}'
 reUid='[[:digit:]]*'
 reGid='[[:digit:]]*'
 reDir='[^:]*'
 #reArgs="^($reUser)(:$rePass)(:e)?(:$reUid)?(:$reGid)?(:$reDir)?$"
 function log() {
    echo "[$0] $*"
 }
 function validateArg() {
    name="$1"
    val="$2"
    re="$3"
    if [[ "$val" =~ ^$re$ ]]; then
        return 0
    else
        log "ERROR: Invalid $name \"$val\", do not match required regex pattern: $re"
        return 1
    fi
 }
 log "Parsing user data: \"$1\""
 IFS=':' read -ra args <<< "$1"
 skipIndex=0
 chpasswdOptions=""
 useraddOptions=(--no-user-group)
 user="${args[0]}"; validateArg "username" "$user" "$reUser" || exit 1
 pass="${args[1]}"; validateArg "password" "$pass" "$rePass" || exit 1
 if [ "${args[2]}" == "e" ]; then
    chpasswdOptions="-e"
    skipIndex=1
 fi
 uid="${args[$((skipIndex+2))]}"; validateArg "UID" "$uid" "$reUid" || exit 1
 gid="${args[$((skipIndex+3))]}"; validateArg "GID" "$gid" "$reGid" || exit 1
 dir="${args[$((skipIndex+4))]}"; validateArg "dirs" "$dir" "$reDir" || exit 1
 if getent passwd "$user" > /dev/null; then
    log "WARNING: User \"$user\" already exists. Skipping."
    exit 0
 fi
 if [ -n "$uid" ]; then
    useraddOptions+=(--non-unique --uid "$uid")
 fi
 if [ -n "$gid" ]; then
    if ! getent group "$gid" > /dev/null; then
        groupadd --gid "$gid" "group_$gid"
    fi
    useraddOptions+=(--gid "$gid")
 fi
 useradd "${useraddOptions[@]}" "$user"
 mkdir -p "/home/$user"
 chown root:root "/home/$user"
 chmod 755 "/home/$user"
 # Retrieving user id to use it in chown commands instead of the user name
 # to avoid problems on alpine when the user name contains a '.'
 uid="$(id -u "$user")"
 if [ -n "$pass" ]; then
    echo "$user:$pass" | chpasswd $chpasswdOptions
 else
    usermod -p "*" "$user" # disabled password
 fi
 # Add SSH keys to authorized_keys with valid permissions
 userKeysQueuedDir="/home/$user/.ssh/keys"
 if [ -d "$userKeysQueuedDir" ]; then
    userKeysAllowedFileTmp="$(mktemp)"
    userKeysAllowedFile="/home/$user/.ssh/authorized_keys"
    for publickey in "$userKeysQueuedDir"/*; do
        cat "$publickey" >> "$userKeysAllowedFileTmp"
    done
    # Remove duplicate keys
    sort < "$userKeysAllowedFileTmp" | uniq > "$userKeysAllowedFile"
    chown "$uid" "$userKeysAllowedFile"
    chmod 600 "$userKeysAllowedFile"
 fi
 # Make sure dirs exists
 if [ -n "$dir" ]; then
    IFS=',' read -ra dirArgs <<< "$dir"
    for dirPath in "${dirArgs[@]}"; do
        dirPath="/home/$user/$dirPath"
        if [ ! -d "$dirPath" ]; then
            log "Creating directory: $dirPath"
            mkdir -p "$dirPath"
            chown -R "$uid:users" "$dirPath"
        else
            log "Directory already exists: $dirPath"
        fi
    done
 fi