#!/usr/bin/perl |
# This file is part of the Savane project |
# <http://gna.org/projects/savane/> |
# |
# $Id$ |
# |
# Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org> |
# Mathieu Roy <yeupou--gnu.org> |
# Timothee Besset <ttimo--ttimo.net> |
# |
# The Savane project is free software; you can redistribute it and/or |
# modify it under the terms of the GNU General Public License |
# as published by the Free Software Foundation; either version 2 |
# of the License, or (at your option) any later version. |
# |
# The Savane project is distributed in the hope that it will be useful, |
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
# GNU General Public License for more details. |
# |
# You should have received a copy of the GNU General Public License |
# along with the Savane project; if not, write to the Free Software |
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA |
# |
# |
|
# Login shell for people who should only have limited access: sshd runs it
# as "membersh -c COMMAND" and the dispatch below decides whether COMMAND is
# one of the few services the administrator enabled.  It only screens the
# command string (and sets PATH; the rest of the environment is passed on),
# so close sshd's other doors as well -- add/modify the following options in
# your sshd_config (see the sshd_config manual for more details):
# PermitEmptyPasswords no
# PasswordAuthentication no
# AllowTcpForwarding no
# PermitUserEnvironment no   (otherwise a member can inject e.g. LD_PRELOAD
#                             through authorized_keys or ~/.ssh/environment)
# X11Forwarding no
# AllowAgentForwarding no
|
use strict;
use warnings;
|
# Pin the two environment variables this shell relies on: a fixed PATH for
# every program exec'd below, and an "editor" that always fails -- presumably
# so a cvs server session can never launch an interactive program.
@ENV{qw(PATH CVSEDITOR)} = ("/bin:/usr/bin", "/bin/false");
|
# Default configuration (overridden by /etc/membersh-conf.pl, loaded below)
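# Every service starts disabled; the admin switches it on in the conf file.
#
# Each $regexp_* is matched against the complete command string that sshd
# passes as "-c COMMAND".  They are single-quoted on purpose: inside double
# quotes Perl would interpolate `$)` as the effective-gid variable.  Keep the
# whole pattern anchored -- "^(a)|(b)" only anchors the first alternative.

# cvs: only the literal "cvs server" is accepted (see the dispatch below).
our $use_cvs = "0";
our $bin_cvs = "/usr/bin/cvs";

# scp: the upload form OpenSSH's scp client sends, "scp [-v] [-r] [-p] [-d]
# -t DIR", with DIR being /upload or /var/ftp or a subdirectory of them that
# has no ".." component.  Limiting the option letters is what keeps "-f"
# (scp's sender mode, i.e. reading files out) away from the target check.
our $use_scp = "0";
our $bin_scp = "/usr/bin/scp";
our $regexp_scp = '^scp (-[dprv] )*-t /(upload|var/ftp)(?!.*/\.\.(/|$))(/|$)';

# sftp: any of the usual server paths is accepted, but the dispatch always
# runs $bin_sftp itself, with no arguments from the client.
our $use_sftp = "0";
our $bin_sftp = "/usr/lib/sftp-server";
our $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)";

# rsync: $regexp_rsync screens the command, $regexp_dir_rsync its final
# argument (the directory) -- /upload, /var/ftp or a subdirectory of them
# with no ".." component.
our $use_rsync = "0";
our $bin_rsync = "/usr/bin/rsync";
our $regexp_rsync = "^rsync --server";
our $regexp_dir_rsync = '^/(upload|var/ftp)(?!.*/\.\.(/|$))(/|$)';

# svn: the svn+ssh client sends exactly "svnserve -t"; the repository root is
# forced through @prepend_args_svn, so no user-supplied option (a second -r,
# or --tunnel-user, which sets the identity svnserve authorizes as) is taken.
our $use_svn = "0";
our $bin_svn = "/usr/bin/svnserve";
our $regexp_svn = '^svnserve -t$';
our @prepend_args_svn = ( '-r', '/svn' );

# git: the command is delegated to git-shell, which applies its own filter.
our $use_git = "0";
our $bin_git = "/usr/bin/git-shell";

# pkgsubmit: NOTE(review) the match is a prefix and the arguments are
# forwarded unfiltered; what create-srpm tolerates is outside this file.
our $use_pkgsubmit = "0";
our $regexp_pkgsubmit = "^/usr/share/repsys/create-srpm ";
our $bin_pkgsubmit = "/usr/share/repsys/create-srpm";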
|
# Open configuration file |
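# Load the administrator's overrides of the $use_*/$bin_*/$regexp_* settings.
# The file is Perl, run with the member's privileges via `do`, so it must be
# root-owned and not writable by members; it only needs to be readable.
#
# `do FILE` yields undef when the file is missing/unreadable ($!) or fails to
# compile or dies ($@); otherwise it yields the value of the file's last
# statement -- which is a perfectly good "0" for a file ending in, say,
# `$use_svn = "0";`.  Only undef is therefore treated as failure (a plain
# `do ... or die` would lock every member out over such a config).
my $conf_file = "/etc/membersh-conf.pl";
unless (defined(do $conf_file)) {
    # Keep the detail ($! / $@) away from the member; it is the admin's problem.
    die "System misconfiguration, contact administrators. Exiting";
}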
|
# A configuration file /etc/membersh-conf.pl must exist and be readable by
# the member accounts (it is loaded with `do`, so it does not need to be
# executable); since it is Perl run with the member's privileges it must be
# root-owned and not writable by them.  Here is an example; every setting it
# does not mention keeps the default from above:
#
# $use_cvs = "1";
# $bin_cvs = "/usr/bin/cvs";
#
# $use_scp = "1";
# $bin_scp = "/usr/bin/scp";
# $regexp_scp = '^scp (-[dprv] )*-t /(upload|var/ftp)(?!.*/\.\.(/|$))(/|$)';
#
# $use_sftp = "1";
# $bin_sftp = "/usr/lib/sftp-server";
# $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server)";
#
# $use_rsync = "1";
# $bin_rsync = "/usr/bin/rsync";
# $regexp_rsync = "^rsync --server";
# $regexp_dir_rsync = '^/(upload|var/ftp)(?!.*/\.\.(/|$))(/|$)';
#
# $use_pkgsubmit = "1";
#
# When writing your own $regexp_* values keep the whole pattern anchored:
# "^(a)|(b)" anchors only the first alternative, so write "^(a|b)".  Use
# single quotes, or `$)` inside the pattern is interpolated by Perl.  End the
# file with `1;`, the conventional way to make `do` report success whatever
# the last setting's value was.
|
|
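# Dispatch the one "-c COMMAND" pair that sshd hands a login shell.  Every
# branch requires both the admin's $use_* switch and a match of the complete
# command string against that service's $regexp_*; all exec() calls use the
# list form, so no part of COMMAND ever reaches /bin/sh.  Anything that
# matches no branch, or trips one of the extra guards below, falls through
# to the refusal message at the bottom of the file.
if ($#ARGV == 1 and $ARGV[0] eq "-c") {
    my $command = $ARGV[1];

    if ($use_cvs and $command eq 'cvs server') {

        # Literal match: no user-controlled argument reaches cvs.
        exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!");

    } elsif ($use_scp and $command =~ m{$regexp_scp}) {

        my (@scp_args) = split(' ', $command);
        shift(@scp_args);    # the leading "scp"

        # Hard guards independent of the admin's regexp: an option carrying
        # the letter "f" turns scp into a *sender* (OpenSSH's scp acts on -f
        # before -t, so "-f /etc/passwd -t /upload" would read, not write),
        # and a ".." component would climb out of the upload tree.
        my $sends_files = grep { /^-[^-]*f/ } @scp_args;
        my $escapes_dir = grep { has_dotdot($_) } @scp_args;
        unless ($sends_files or $escapes_dir) {
            exec($bin_scp, @scp_args) or die("Failed to exec $bin_scp: $!");
        }

    } elsif ($use_sftp and $command =~ m{$regexp_sftp}) {

        # Whatever path the client named, run the configured server binary
        # and nothing else: none of the user's arguments are forwarded.
        exec($bin_sftp) or die("Failed to exec $bin_sftp: $!");

    } elsif ($use_rsync and $command =~ m{$regexp_rsync}) {

        my ($rsync, @rsync_args) = split(' ', $command);
        # "rsync --server [--sender] OPTS . DIR": the directory is last.
        my $dir = $rsync_args[-1];

        # Only that directory is policed; the admin's regexp decides which
        # trees are allowed and has_dotdot() keeps DIR from climbing out.
        if ($dir =~ m{$regexp_dir_rsync} and not has_dotdot($dir)) {
            exec($bin_rsync, @rsync_args) or die("Failed to exec $bin_rsync: $!");
        }

    } elsif ($use_svn and $command =~ m{$regexp_svn}) {

        my (@svn_args) = split(' ', $command);
        shift(@svn_args);    # the leading "svnserve"

        # @prepend_args_svn pins the repository root (-r).  Refuse anything
        # from the user that would re-point it, and --tunnel-user, which
        # tells svnserve which user to treat as authenticated.
        my $overrides_root = grep { /^(?:-r|--root|--tunnel-user)/ } @svn_args;
        unless ($overrides_root) {
            exec($bin_svn, @prepend_args_svn, @svn_args)
                or die("Failed to exec $bin_svn: $!");
        }

    } elsif ($use_git and $command =~ m{git-.+}) {

        # git-shell re-validates the command itself, so the whole "-c COMMAND"
        # pair is handed over untouched.  NOTE(review): git-shell also runs
        # scripts from ~/git-shell-commands when that directory exists, so
        # members must not be able to create it in their home directory.
        exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");

    } elsif ($use_pkgsubmit and $command =~ m{$regexp_pkgsubmit}) {

        my ($createsrpm, @srpm_args) = split(' ', $command);

        # NOTE(review): the arguments go through unfiltered; what create-srpm
        # does with them is outside this file.
        exec($bin_pkgsubmit, @srpm_args) or die("Failed to exec $bin_pkgsubmit: $!");
    }
}

# True when PATH has a ".." component, i.e. it could escape the directory an
# admin regexp pinned it to.  Splitting on "/" makes "/upload/..", ".." and
# "../x" all count, while "/upload/a..b" does not.
sub has_dotdot {
    my ($path) = @_;
    return scalar(grep { $_ eq '..' } split(m{/}, $path));
}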
|
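# Refusal path: print either the site-specific text from /etc/membersh-errormsg
# or a generic message, then exit non-zero so sshd reports the failure.
my $errormsg_file = "/etc/membersh-errormsg";
if (open(my $errormsg_fh, '<', $errormsg_file)) {
    # Stream the admin's text through unchanged.
    print STDERR $_ while <$errormsg_fh>;
    close($errormsg_fh);
} else {
    # Also reached when the file exists but cannot be read -- an unchecked
    # open would otherwise leave the member with no explanation at all.
    print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
    print STDERR "Sorry, you are not allowed to execute that command.\n";
}
exit(1);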