
Annotation of /puppet/modules/restrictshell/templates/sv_membersh.pl



Revision 820 - (hide annotations) (download)
Mon Jan 17 18:38:36 2011 UTC (13 years, 3 months ago) by boklm
File MIME type: text/plain
File size: 5028 byte(s)
use create-srpm for now
1 boklm 78 #!/usr/bin/perl
2     # This file is part of the Savane project
3     # <http://gna.org/projects/savane/>
4     #
5     # $Id$
6     #
7     # Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org>
8     # Mathieu Roy <yeupou--gnu.org>
9     # Timothee Besset <ttimo--ttimo.net>
10     #
11     # The Savane project is free software; you can redistribute it and/or
12     # modify it under the terms of the GNU General Public License
13     # as published by the Free Software Foundation; either version 2
14     # of the License, or (at your option) any later version.
15     #
16     # The Savane project is distributed in the hope that it will be useful,
17     # but WITHOUT ANY WARRANTY; without even the implied warranty of
18     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19     # GNU General Public License for more details.
20     #
21     # You should have received a copy of the GNU General Public License
22     # along with the Savane project; if not, write to the Free Software
23     # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
24     #
25     #
26    
27     # Login shell for people who should only have limited access.
28     # You probably should add/modify the following option of your sshd_config
29     # like below (see sshd_config manual for more details):
30     # PermitEmptyPasswords no
31     # PasswordAuthentication no
32     # AllowTcpForwarding no
33    
34     use strict;
35    
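# Pin the two environment variables this shell controls before anything is
# exec'd: a fixed search path, and a CVS editor that always fails.
# NOTE(review): every other inherited environment variable is passed through
# to the exec'd program unchanged - confirm that is acceptable for each tool.
$ENV{PATH}      = "/bin:/usr/bin";
$ENV{CVSEDITOR} = "/bin/false";

# Built-in defaults. Each $use_* switch is off ("0") until the site file
# /etc/membersh-conf.pl turns it on, and every value below can be overridden
# from that file. The $regexp_* values are matched against the command
# string requested by the remote user, so they are the access-control policy
# of this shell.
#
# When overriding a pattern with alternatives, put the alternatives inside
# one group after the anchor, as done below. In "^(a)|(b)" the "^" binds only
# to the first alternative and "(b)" then matches anywhere in the string.
our $use_cvs = "0";
our $bin_cvs = "/usr/bin/cvs";

our $use_scp = "0";
our $bin_scp = "/usr/bin/scp";
# Single-quoted so that "\z" reaches the regex engine untouched. The upload
# root must be followed by "/" or the end of the string, so a sibling path
# that merely starts with the same characters is not accepted.
our $regexp_scp = '^scp .*-t (?:/upload|/var/ftp)(?:/|\z)';

our $use_sftp = "0";
our $bin_sftp = "/usr/lib/sftp-server";
our $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)";

our $use_rsync = "0";
our $bin_rsync = "/usr/bin/rsync";
our $regexp_rsync = "^rsync --server";
# Same grouping and boundary rule as $regexp_scp: anchored at the start of
# the directory argument and ending the root on "/" or end of string.
our $regexp_dir_rsync = '^(?:/upload|/var/ftp)(?:/|\z)';

our $use_svn = "0";
our $bin_svn = "/usr/bin/svnserve";
our $regexp_svn = "^svnserve -t";
# Arguments placed before the user-supplied svnserve arguments.
our @prepend_args_svn = ( '-r', '/svn' );

our $use_git = "0";
our $bin_git = "/usr/bin/git-shell";

our $use_pkgsubmit = "0";
# Either of the two command paths is accepted; both alternatives carry their
# own "^" anchor.
our $regexp_pkgsubmit = "^/usr/share/repsys/create-srpm |^/usr/local/bin/submit_package ";
our $bin_pkgsubmit = "/usr/share/repsys/create-srpm";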
67 boklm 220
# Load the site configuration, refusing to continue without it.
#
# The file is evaluated as Perl code by "do", with the privileges of the
# user who is logging in, and it decides which commands this shell allows.
# It therefore has to be writable by administrators only. "do" must also
# return a true value, so the last statement of the file has to evaluate to
# true; a missing, unreadable or failing file ends the session with the
# same generic message.
my $conf_file = "/etc/membersh-conf.pl";
unless (-e $conf_file) {
    die "System misconfiguration, contact administrators. Exiting";
}
do $conf_file
    or die "System misconfiguration, contact administrators. Exiting";
74    
75     # A configuration file /etc/membersh-conf.pl must exist and be executable.
76     # Here is an example:
77     #
78     # $use_cvs = "1";
79     # $bin_cvs = "/usr/bin/cvs";
80     #
81     # $use_scp = "1";
82     # $bin_scp = "/usr/bin/scp";
83     # $regexp_scp = "^scp .*-t (/upload)|(/var/ftp)";
84    
85     # $use_sftp = "1";
86     # $bin_sftp = "/usr/lib/sftp-server";
87     # $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server)";
88     #
89     # $use_rsync = "1";
90     # $bin_rsync = "/usr/bin/rsync";
91     # $regexp_rsync = "^rsync --server";
92     # $regexp_dir_rsync = "^(/upload)|(/var/ftp)";
93 boklm 220 #
94     # $use_pkgsubmit = "1";
95 boklm 78
96    
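# Command dispatch. Only the form "<this shell> -c <command>" is handled.
# The command string comes from the remote user and is untrusted. It is
# never handed to a shell: it is split on whitespace and passed to exec() in
# list form, with the program path always taken from the configuration.
# Any request that no branch accepts falls through to the refusal message
# after this block.
if ($#ARGV == 1 and $ARGV[0] eq "-c") {
    my $command = $ARGV[1];

    # True for a path that contains a ".." component. The configured
    # patterns only check how a path starts, so parent-directory components
    # are refused separately. This is defence in depth, not a replacement
    # for filesystem permissions on the upload areas.
    my $dotdot = qr{(?:\A|/)\.\.(?:/|\z)};

    if ($use_cvs and $command eq 'cvs server') {

        # Run a cvs server command
        exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!");

    } elsif ($use_scp and $command =~ m:$regexp_scp:) {

        # Authorize scp command; the first word is replaced by $bin_scp.
        my (@args) = split(' ', $command);
        shift(@args);
        unless (grep { $_ =~ $dotdot } @args) {
            # Report an exec failure the same way as the other branches.
            exec($bin_scp, @args) or die("Failed to exec $bin_scp: $!");
        }

    } elsif ($use_sftp and $command =~ m:$regexp_sftp:) {

        # Authorize sftp login; user-supplied arguments are discarded.
        exec($bin_sftp) or die("Failed to exec $bin_sftp: $!");

    } elsif ($use_rsync and $command =~ m:$regexp_rsync:) {

        my (undef, @rest) = split(' ', $command);
        my $dir = $rest[$#rest];

        # Authorize rsync command, if the directory is acceptable.
        # NOTE(review): only the last argument is validated as a directory;
        # confirm that no earlier argument can name a path, or validate
        # every path argument.
        if (defined $dir and $dir !~ $dotdot and $dir =~ m:$regexp_dir_rsync:) {
            exec($bin_rsync, @rest) or die("Failed to exec $bin_rsync: $!");
        }

    } elsif ($use_svn and $command =~ m:$regexp_svn:) {

        # authorize svnserve in tunnel mode, with the svn root prepended
        my (@args_user) = split(' ', $command);
        shift(@args_user);
        my (@args) = (@prepend_args_svn, @args_user);
        exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!");

    } elsif ($use_git and $command =~ m:git-.+:) {

        # Delegate filtering to git-shell, which receives "-c" and the
        # command exactly as this script did.
        exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");

    } elsif ($use_pkgsubmit and $command =~ m:$regexp_pkgsubmit:) {

        # The requested program name is dropped: whichever accepted path was
        # asked for, $bin_pkgsubmit is what runs, with the user's arguments.
        my (undef, @rest) = split(' ', $command);

        exec($bin_pkgsubmit, @rest) or die("Failed to exec $bin_pkgsubmit: $!");
    }
}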
150    
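# Refusal path: reached whenever no command was exec'd above. Prints either
# the site-provided message file or the built-in message to STDERR, then
# exits with status 1.
my $errormsg_file = "/etc/membersh-errormsg";
my $default_msg   = "Sorry, you are not allowed to execute that command.\n";

if (-e $errormsg_file) {
    # Three-argument open with a lexical handle; if the file exists but
    # cannot be read, fall back to the built-in message so the user still
    # gets an explanation.
    if (open(my $errormsg, '<', $errormsg_file)) {
        while (my $line = <$errormsg>) {
            print STDERR $line;
        }
        close($errormsg);
    } else {
        print STDERR $default_msg;
    }
} else {
    # @ARGV (the argument list) is what has to be tested here. $ARGV is an
    # unrelated scalar that is not set in this script, so testing it always
    # reported an interactive shell.
    if (@ARGV) {
        print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
    } else {
        print STDERR "You tried to run a interactive shell.\n"
    }
    print STDERR $default_msg;
}
exit(1);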
