LibrePortal/scripts/install/manager/install_user_manager.sh
librelad ba385a8b97 fix(manager): marker-guard the manager-user sshd append
install_user_manager appended a 'Match User' block to sshd_config with no
marker guard, unlike the rootless .bashrc block beside it. The enclosing
'if ! userExists' gate hides it today, but a user delete+recreate would append
a second block. Guard on the '### LibrePortal Manager User Start' marker so the
append is idempotent.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 15:11:35 +01:00


#!/bin/bash
installDockerManagerUser()
{
if [[ "$CFG_DOCKER_MANAGER_ENABLED" == "true" ]]; then
if [[ "$OS_TYPE" == "Ubuntu" || "$OS_TYPE" == "Debian" ]]; then
if ! userExists "$CFG_DOCKER_MANAGER_USER"; then
isHeader "Installing $CFG_DOCKER_MANAGER_USER"
isNotice "User '$CFG_DOCKER_MANAGER_USER' does not exist, starting creation..."
# Create the User Account
local result=$(sudo useradd -m -s /bin/bash "$CFG_DOCKER_MANAGER_USER")
checkSuccess "Adding user via useradd command"
local result=$(echo "$CFG_DOCKER_MANAGER_USER:$CFG_DOCKER_MANAGER_PASS" | sudo chpasswd)
checkSuccess "Setting up login password"
local result=$(sudo -u "$CFG_DOCKER_MANAGER_USER" mkdir -p /home/$CFG_DOCKER_MANAGER_USER/.ssh/)
checkSuccess "Creating /home/$CFG_DOCKER_MANAGER_USER/.ssh folder"
local result=$(sudo -u "$CFG_DOCKER_MANAGER_USER" ssh-keygen -t ed25519 -b 4096 -f "/home/$CFG_DOCKER_MANAGER_USER/.ssh/ssh_key_${CFG_INSTALL_NAME}_${CFG_DOCKER_MANAGER_USER}" -N "passphrase")
checkSuccess "Setting up SSH-Keygen in /home/$CFG_DOCKER_MANAGER_USER/.ssh"
# SSH configuration directory
config_file="/home/$CFG_DOCKER_MANAGER_USER/.ssh/config"
# Check if the config file already exists
if [ -f "$config_file" ]; then
isNotice "The config file already exists. Updating the existing file..."
else
local result=$(createTouch "$config_file" $docker_install_user)
checkSuccess "Creating config file"
local result=$(sudo chmod 600 "$config_file")
checkSuccess "Changing permissions to config file"
fi
# Add the ServerAliveInterval option to the config file
if sudo grep -q "ServerAliveInterval" "$config_file"; then
isNotice "ServerAliveInterval is already configured in the config file."
else
local result=$(echo -e "Host *\n ServerAliveInterval 60" | sudo tee -a "$config_file" >/dev/null)
checkSuccess "Adding ServerAliveInterval to the config file."
fi
local result=$(source ~/.bashrc)
checkSuccess "Reloading .bashrc"
# Marker-guard the append (matching the rootless .bashrc pattern)
# so a re-run or a user delete+recreate can't duplicate the block.
if sudo grep -q "### LibrePortal Manager User Start" "$sshd_config"; then
isNotice "Manager-user SSH server config already present — skipping."
else
local result=$(sudo bash -c "cat >> $sshd_config <<EOL
### LibrePortal Manager User Start
Match User $CFG_DOCKER_MANAGER_USER
ChrootDirectory /home/$CFG_DOCKER_MANAGER_USER/
ForceCommand internal-sftp -d /home/$CFG_DOCKER_MANAGER_USER/
X11Forwarding no
AllowTcpForwarding no
PubkeyAuthentication yes
PasswordAuthentication yes
### LibrePortal Manager User End
EOL")
checkSuccess "Updating SSH Server Configuration for the Manager User."
# Reload SSH Service
local result=$(sudo service ssh reload)
checkSuccess "Reloading SSH Service"
fi
isSuccessful "User '$CFG_DOCKER_MANAGER_USER' with restricted SFTP access to '/home/$CFG_DOCKER_MANAGER_USER' has been set up."
fi
fi
fi
}
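Review bot: The new marker guard on the `sudo grep -q "### LibrePortal Manager User Start" "$sshd_config"` line depends on `sshd_config`, which nothing in installDockerManagerUser assigns; if it arrives unset or empty, grep fails with an error rather than a miss, the else branch runs, and the unquoted `$sshd_config` inside the `bash -c` string leaves `cat >>` with no target. Assert it before the guard with `: "${sshd_config:?sshd_config path must be set}"` and quote it in the heredoc command. The `sudo service ssh reload` line also runs without validating the appended stanza, so a malformed Match block leaves sshd on its old config with only checkSuccess's output as a hint; insert `local result=$(sudo sshd -t)` and `checkSuccess "Validating sshd configuration"` before the reload. Separately, `useradd -m` leaves /home/$CFG_DOCKER_MANAGER_USER owned by the user, while sshd requires a ChrootDirectory to be root-owned and not writable by others, so the SFTP login this block configures is likely to be rejected until ownership is adjusted — worth confirming on a test host. Note too that `local result=$(…)` replaces the command's exit status with local's own, so unless checkSuccess inspects something other than `$?` it reports success unconditionally.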