add support for pkgsubmit in restricted shell
1 #!/usr/bin/perl
2 # This file is part of the Savane project
3 # <http://gna.org/projects/savane/>
4 #
5 # $Id$
6 #
7 # Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org>
8 # Mathieu Roy <yeupou--gnu.org>
9 # Timothee Besset <ttimo--ttimo.net>
10 #
11 # The Savane project is free software; you can redistribute it and/or
12 # modify it under the terms of the GNU General Public License
13 # as published by the Free Software Foundation; either version 2
14 # of the License, or (at your option) any later version.
15 #
16 # The Savane project is distributed in the hope that it will be useful,
17 # but WITHOUT ANY WARRANTY; without even the implied warranty of
18 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 # GNU General Public License for more details.
20 #
21 # You should have received a copy of the GNU General Public License
22 # along with the Savane project; if not, write to the Free Software
23 # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
24 #
25 #
26
27 # Login shell for people who should only have limited access.
28 # You should probably add or modify the following options in your sshd_config
29 # as shown below (see the sshd_config manual for more details):
30 # PermitEmptyPasswords no
31 # PasswordAuthentication no
32 # AllowTcpForwarding no
33
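use strict;
use warnings;

# Pin the environment before anything is exec'd below, so that the
# helper binaries (and whatever they spawn) see a fixed PATH rather than
# one supplied by the client, and cvs can never open an editor.
$ENV{PATH}      = "/bin:/usr/bin";
$ENV{CVSEDITOR} = "/bin/false";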
38
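# Default configuration.  /etc/membersh-conf.pl (loaded below) overrides
# these package globals; every service stays disabled ("0") unless the
# site enables it.  Each $regexp_* string is interpolated as a regex
# against the command the ssh client requested.  The patterns are
# anchored at the start only, so "/upload" also admits any path that
# merely begins with it; a site config that needs an exact argument set
# should anchor the end of the pattern as well.
our $use_cvs = "0";
our $bin_cvs = "/usr/bin/cvs";

our $use_scp = "0";
our $bin_scp = "/usr/bin/scp";
# Note the grouping: "^A|B" parses as "(^A)|(B)", which would leave the
# second target unanchored, so both targets share the single "^".
our $regexp_scp = "^scp .*-t (/upload|/var/ftp)";

our $use_sftp = "0";
our $bin_sftp = "/usr/lib/sftp-server";
our $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)";

our $use_rsync = "0";
our $bin_rsync = "/usr/bin/rsync";
our $regexp_rsync = "^rsync --server";
# Same grouping rule as $regexp_scp: one "^" covering both directories.
our $regexp_dir_rsync = "^(/upload|/var/ftp)";

our $use_svn = "0";
our $bin_svn = "/usr/bin/svnserve";
our $regexp_svn = "^svnserve -t";
# Repository root handed to svnserve ahead of the client's own arguments.
our @prepend_args_svn = ( '-r', '/svn' );

our $use_git = "0";
our $bin_git = "/usr/bin/git-shell";

our $use_pkgsubmit = "0";
our $regexp_pkgsubmit = "^/usr/share/repsys/create-srpm ";
our $bin_pkgsubmit = "/usr/share/repsys/create-srpm";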
67
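# Load the site configuration.  The file is executed as Perl with `do`,
# so it only has to exist and be readable by this script (it need not be
# executable); whoever can write it decides what this shell will exec,
# so it must be writable by administrators only.  `do FILE` returns undef
# when the file cannot be read or compiled, and otherwise the value of
# its last expression, so test definedness rather than truth: a config
# whose last statement is a false value such as `$use_svn = 0;` is valid.
my $conf_file = "/etc/membersh-conf.pl";
unless (-e $conf_file and defined(do $conf_file)) {
    # Keep the user-facing message generic; $@/$! would only help an
    # administrator, and they can reproduce the failure locally.
    die "System misconfiguration, contact administrators. Exiting";
}

# Example /etc/membersh-conf.pl (package globals, no `our` needed):
#
# $use_cvs = "1";
# $bin_cvs = "/usr/bin/cvs";
#
# $use_scp = "1";
# $bin_scp = "/usr/bin/scp";
# $regexp_scp = "^scp .*-t (/upload|/var/ftp)";
#
# $use_sftp = "1";
# $bin_sftp = "/usr/lib/sftp-server";
# $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server)";
#
# $use_rsync = "1";
# $bin_rsync = "/usr/bin/rsync";
# $regexp_rsync = "^rsync --server";
# $regexp_dir_rsync = "^(/upload|/var/ftp)";
#
# $use_pkgsubmit = "1";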
96
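# sshd runs a login shell as `shell -c "<command>"`, so a forced command
# arrives as exactly two arguments.  Anything else (including an
# interactive login, which carries no arguments) falls through to the
# refusal below.  Each branch exec's only the configured binary; if an
# exec fails we die rather than fall through, and either way the user
# ends up with a non-zero exit.
if (@ARGV == 2 and $ARGV[0] eq "-c") {
    my $command = $ARGV[1];

    if ($use_cvs and $command eq 'cvs server') {
        # Run a cvs server command; the exact-string compare means no
        # user-supplied arguments reach cvs.
        exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!");

    } elsif ($use_scp and $command =~ m{$regexp_scp}) {
        # Authorize an scp transfer.  Every word after "scp" is handed to
        # the real scp unchanged, so $regexp_scp is the only thing
        # constraining its options and target path.
        my (undef, @args) = split(' ', $command);
        exec($bin_scp, @args) or die("Failed to exec $bin_scp: $!");

    } elsif ($use_sftp and $command =~ m{$regexp_sftp}) {
        # Authorize an sftp login.  Only the configured server binary is
        # exec'd; the client's own arguments are dropped.
        exec($bin_sftp) or die("Failed to exec $bin_sftp: $!");

    } elsif ($use_rsync and $command =~ m{$regexp_rsync}) {
        # Authorize an rsync server only when its final word (the
        # directory it will serve) matches $regexp_dir_rsync; otherwise
        # fall through to the refusal below.
        my (undef, @rest) = split(' ', $command);
        my $dir = $rest[-1];
        if ($dir =~ m{$regexp_dir_rsync}) {
            exec($bin_rsync, @rest) or die("Failed to exec $bin_rsync: $!");
        }

    } elsif ($use_svn and $command =~ m{$regexp_svn}) {
        # Authorize svnserve in tunnel mode, with the repository root
        # (@prepend_args_svn) placed before the client's own arguments.
        my (undef, @args_user) = split(' ', $command);
        my @args = (@prepend_args_svn, @args_user);
        exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!");

    } elsif ($use_git and $command =~ m{git-.+}) {
        # Delegate filtering to git-shell, which receives the full
        # "-c <command>" pair and applies its own allow-list.
        exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");

    } elsif ($use_pkgsubmit and $command =~ m{$regexp_pkgsubmit}) {
        # Authorize a package submission: the configured create-srpm
        # binary runs with the client's remaining words as arguments.
        my (undef, @rest) = split(' ', $command);
        exec($bin_pkgsubmit, @rest) or die("Failed to exec $bin_pkgsubmit: $!");
    }
}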
150
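# Refuse the request: the command matched no enabled service (or an exec
# above returned).  A site may replace the default text by providing
# /etc/membersh-errormsg; if that file exists but cannot be opened, fall
# back to the default text instead of exiting with no explanation.
my $errmsg_file  = "/etc/membersh-errormsg";
my $shown_custom = 0;
if (-e $errmsg_file) {
    if (open my $fh, '<', $errmsg_file) {
        while (my $line = <$fh>) {
            print STDERR $line;
        }
        close($fh);
        $shown_custom = 1;
    }
}
unless ($shown_custom) {
    print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
    print STDERR "Sorry, you are not allowed to execute that command.\n";
}
exit(1);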
