restrictshell/templates/sv_membersh.pl

#!/usr/bin/perl
# This file is part of the Savane project
# <http://gna.org/projects/savane/>
#
# $Id$
#
# Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org>
#                         Mathieu Roy <yeupou--gnu.org>
#                         Timothee Besset <ttimo--ttimo.net>
#
# The Savane project is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# The Savane project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with the Savane project; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
#

# Login shell for people who should only have limited access.
# You probably should add/modify the following option of your sshd_config
# like below (see sshd_config manual for more details):
#     PermitEmptyPasswords no
#     PasswordAuthentication no
#     AllowTcpForwarding no

use strict;

$ENV{PATH}="/bin:/usr/bin";
$ENV{CVSEDITOR}="/bin/false";

# Import conf options
our $use_cvs = "0";
our $bin_cvs = "/usr/bin/cvs";
 
our $use_scp = "0";
our $bin_scp = "/usr/bin/scp";
our $regexp_scp = "^(scp .*-t /upload)|(scp .*-t /var/ftp)";

our $use_sftp = "0";
our $bin_sftp = "/usr/lib/sftp-server";
our $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)";

our $use_rsync = "0";
our $bin_rsync = "/usr/bin/rsync";
our $regexp_rsync = "^rsync --server";
our $regexp_dir_rsync = "^(/upload)|(/var/ftp)";

our $use_svn = "0";
our $bin_svn = "/usr/bin/svnserve";
our $regexp_svn = "^svnserve -t";
our @prepend_args_svn = ( '-r', '/svn' );

our $use_git = "0";
our $bin_git = "/usr/bin/git-shell";

our $use_pkgsubmit = "0";
our $regexp_pkgsubmit = "^/usr/share/repsys/create-srpm |^/usr/local/bin/submit_package ";
our $bin_pkgsubmit = "/usr/local/bin/submit_package";

our $use_maintdb = "0";
our $regexp_maintdb = "^/usr/local/bin/wrapper.maintdb ";
our $bin_maintdb = "/usr/local/bin/wrapper.maintdb";

our $use_upload_bin = "0";
our $regexp_upload_bin = "^/usr/local/bin/wrapper.upload-bin ";
our $bin_upload_bin = "/usr/local/bin/wrapper.upload-bin";

# Open configuration file
if (-e "/etc/membersh-conf.pl") {
    do "/etc/membersh-conf.pl" or die "System misconfiguration, contact administrators. Exiting";
} else {
    die "System misconfiguration, contact administrators. Exiting";
} 

# A configuration file /etc/membersh-conf.pl must exists and be executable.
# Here come an example:
#
# $use_cvs = "1";
# $bin_cvs = "/usr/bin/cvs";
# 
# $use_scp = "1";
# $bin_scp = "/usr/bin/scp";
# $regexp_scp = "^scp .*-t (/upload)|(/var/ftp)";

# $use_sftp = "1";
# $bin_sftp = "/usr/lib/sftp-server";
# $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server)";
#
# $use_rsync = "1";
# $bin_rsync = "/usr/bin/rsync";
# $regexp_rsync = "^rsync --server";
# $regexp_dir_rsync = "^(/upload)|(/var/ftp)";
#
# $use_pkgsubmit = "1";
#
# $use_maintdb = "1";
#
# $use_upload_bin = "1";


if ($#ARGV == 1 and $ARGV[0] eq "-c") {
    if ($use_cvs and $ARGV[1] eq 'cvs server') {
        
        # Run a cvs server command
        exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!");

    } elsif ($use_scp and 
             $ARGV[1] =~ m:$regexp_scp:) {

        # Authorize scp command
        my (@args) = split(' ', $ARGV[1]);
        shift(@args);             
        exec($bin_scp, @args);

    } elsif ($use_sftp and 
             $ARGV[1] =~ m:$regexp_sftp:) {
        
        # Authorize sftp login
        exec($bin_sftp) or die("Failed to exec $bin_sftp: $!");

    } elsif ($use_rsync and 
             $ARGV[1] =~ m:$regexp_rsync:) {

        my ($rsync, @rest) = split(' ', $ARGV[1]);
        my ($dir) = $rest[$#rest];

        # Authorize rsync command, if the directory is acceptable
        if ($dir =~ m:$regexp_dir_rsync:) {
            exec($bin_rsync, @rest) or die("Failed to exec $bin_rsync: $!");
        } 
        
    } elsif ($use_svn and
             $ARGV[1] =~ m:$regexp_svn:) {
        
        # authorize svnserve in tunnel mode, with the svn root prepended
        my (@args) = @prepend_args_svn;
        my (@args_user) = split(' ', $ARGV[1]);
        shift( @args_user );
        push( @args, @args_user );
        exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!");

    } elsif ($use_git and $ARGV[1] =~ m:^git-.+:) {
        
        # Delegate filtering to git-shell
        exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");
    } elsif ($use_pkgsubmit and 
             $ARGV[1] =~ m:$regexp_pkgsubmit:) {

        my ($createsrpm, @rest) = split(' ', $ARGV[1]);

        exec($bin_pkgsubmit, @rest) or die("Failed to exec $bin_pkgsubmit: $!");
    } elsif ($use_maintdb and
        $ARGV[1] =~ m:$regexp_maintdb:) {
        my ($maintdb, @rest) = split(' ', $ARGV[1]);
        exec($bin_maintdb, @rest) or die("Failed to exec $bin_maintdb: $!");
    } elsif ($use_upload_bin and
        $ARGV[1] =~ m:$regexp_upload_bin:) {
        my ($upload_bin, @rest) = split(' ', $ARGV[1]);
        exec($bin_upload_bin, @rest) or die("Failed to exec $bin_upload_bin: $!");
    }
}

unless (-e "/etc/membersh-errormsg") {
    if ($ARGV) {
        print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
    } else {
        print STDERR "You tried to run a interactive shell.\n"
    }
    print STDERR "Sorry, you are not allowed to execute that command.\n";
    print STDERR "You are member of the following groups :\n";
    print STDERR qx(groups);    
} else {
    open(ERRORMSG, "< /etc/membersh-errormsg");
    while (<ERRORMSG>) {
        print STDERR $_;
    }
    close(ERRORMSG);
}
exit(1);
1	#!/usr/bin/perl
2	# This file is part of the Savane project
3	# <http://gna.org/projects/savane/>
4	#
5	# $Id$
6	#
7	# Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org>
8	# Mathieu Roy <yeupou--gnu.org>
9	# Timothee Besset <ttimo--ttimo.net>
10	#
11	# The Savane project is free software; you can redistribute it and/or
12	# modify it under the terms of the GNU General Public License
13	# as published by the Free Software Foundation; either version 2
14	# of the License, or (at your option) any later version.
15	#
16	# The Savane project is distributed in the hope that it will be useful,
17	# but WITHOUT ANY WARRANTY; without even the implied warranty of
18	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19	# GNU General Public License for more details.
20	#
21	# You should have received a copy of the GNU General Public License
22	# along with the Savane project; if not, write to the Free Software
23	# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
24	#
25	#
26
27	# Login shell for people who should only have limited access.
28	# You probably should add/modify the following option of your sshd_config
29	# like below (see sshd_config manual for more details):
30	# PermitEmptyPasswords no
31	# PasswordAuthentication no
32	# AllowTcpForwarding no
33
34	use strict;
35
36	$ENV{PATH}="/bin:/usr/bin";
37	$ENV{CVSEDITOR}="/bin/false";
38
39	# Import conf options
40	our $use_cvs = "0";
41	our $bin_cvs = "/usr/bin/cvs";
42
43	our $use_scp = "0";
44	our $bin_scp = "/usr/bin/scp";
45	our $regexp_scp = "^(scp .-t /upload)\|(scp .-t /var/ftp)";
46
47	our $use_sftp = "0";
48	our $bin_sftp = "/usr/lib/sftp-server";
49	our $regexp_sftp = "^(/usr/lib/ssh/sftp-server\|/usr/lib/sftp-server\|/usr/libexec/sftp-server\|/usr/lib/openssh/sftp-server)";
50
51	our $use_rsync = "0";
52	our $bin_rsync = "/usr/bin/rsync";
53	our $regexp_rsync = "^rsync --server";
54	our $regexp_dir_rsync = "^(/upload)\|(/var/ftp)";
55
56	our $use_svn = "0";
57	our $bin_svn = "/usr/bin/svnserve";
58	our $regexp_svn = "^svnserve -t";
59	our @prepend_args_svn = ( '-r', '/svn' );
60
61	our $use_git = "0";
62	our $bin_git = "/usr/bin/git-shell";
63
64	our $use_pkgsubmit = "0";
65	our $regexp_pkgsubmit = "^/usr/share/repsys/create-srpm \|^/usr/local/bin/submit_package ";
66	our $bin_pkgsubmit = "/usr/local/bin/submit_package";
67
68	our $use_maintdb = "0";
69	our $regexp_maintdb = "^/usr/local/bin/wrapper.maintdb ";
70	our $bin_maintdb = "/usr/local/bin/wrapper.maintdb";
71
72	our $use_upload_bin = "0";
73	our $regexp_upload_bin = "^/usr/local/bin/wrapper.upload-bin ";
74	our $bin_upload_bin = "/usr/local/bin/wrapper.upload-bin";
75
76	# Open configuration file
77	if (-e "/etc/membersh-conf.pl") {
78	do "/etc/membersh-conf.pl" or die "System misconfiguration, contact administrators. Exiting";
79	} else {
80	die "System misconfiguration, contact administrators. Exiting";
81	}
82
83	# A configuration file /etc/membersh-conf.pl must exists and be executable.
84	# Here come an example:
85	#
86	# $use_cvs = "1";
87	# $bin_cvs = "/usr/bin/cvs";
88	#
89	# $use_scp = "1";
90	# $bin_scp = "/usr/bin/scp";
91	# $regexp_scp = "^scp .*-t (/upload)\|(/var/ftp)";
92
93	# $use_sftp = "1";
94	# $bin_sftp = "/usr/lib/sftp-server";
95	# $regexp_sftp = "^(/usr/lib/ssh/sftp-server\|/usr/lib/sftp-server\|/usr/libexec/sftp-server)";
96	#
97	# $use_rsync = "1";
98	# $bin_rsync = "/usr/bin/rsync";
99	# $regexp_rsync = "^rsync --server";
100	# $regexp_dir_rsync = "^(/upload)\|(/var/ftp)";
101	#
102	# $use_pkgsubmit = "1";
103	#
104	# $use_maintdb = "1";
105	#
106	# $use_upload_bin = "1";
107
108
109	if ($#ARGV == 1 and $ARGV[0] eq "-c") {
110	if ($use_cvs and $ARGV[1] eq 'cvs server') {
111
112	# Run a cvs server command
113	exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!");
114
115	} elsif ($use_scp and
116	$ARGV[1] =~ m:$regexp_scp:) {
117
118	# Authorize scp command
119	my (@args) = split(' ', $ARGV[1]);
120	shift(@args);
121	exec($bin_scp, @args);
122
123	} elsif ($use_sftp and
124	$ARGV[1] =~ m:$regexp_sftp:) {
125
126	# Authorize sftp login
127	exec($bin_sftp) or die("Failed to exec $bin_sftp: $!");
128
129	} elsif ($use_rsync and
130	$ARGV[1] =~ m:$regexp_rsync:) {
131
132	my ($rsync, @rest) = split(' ', $ARGV[1]);
133	my ($dir) = $rest[$#rest];
134
135	# Authorize rsync command, if the directory is acceptable
136	if ($dir =~ m:$regexp_dir_rsync:) {
137	exec($bin_rsync, @rest) or die("Failed to exec $bin_rsync: $!");
138	}
139
140	} elsif ($use_svn and
141	$ARGV[1] =~ m:$regexp_svn:) {
142
143	# authorize svnserve in tunnel mode, with the svn root prepended
144	my (@args) = @prepend_args_svn;
145	my (@args_user) = split(' ', $ARGV[1]);
146	shift( @args_user );
147	push( @args, @args_user );
148	exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!");
149
150	} elsif ($use_git and $ARGV[1] =~ m:^git-.+:) {
151
152	# Delegate filtering to git-shell
153	exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");
154	} elsif ($use_pkgsubmit and
155	$ARGV[1] =~ m:$regexp_pkgsubmit:) {
156
157	my ($createsrpm, @rest) = split(' ', $ARGV[1]);
158
159	exec($bin_pkgsubmit, @rest) or die("Failed to exec $bin_pkgsubmit: $!");
160	} elsif ($use_maintdb and
161	$ARGV[1] =~ m:$regexp_maintdb:) {
162	my ($maintdb, @rest) = split(' ', $ARGV[1]);
163	exec($bin_maintdb, @rest) or die("Failed to exec $bin_maintdb: $!");
164	} elsif ($use_upload_bin and
165	$ARGV[1] =~ m:$regexp_upload_bin:) {
166	my ($upload_bin, @rest) = split(' ', $ARGV[1]);
167	exec($bin_upload_bin, @rest) or die("Failed to exec $bin_upload_bin: $!");
168	}
169	}
170
171	unless (-e "/etc/membersh-errormsg") {
172	if ($ARGV) {
173	print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
174	} else {
175	print STDERR "You tried to run a interactive shell.\n"
176	}
177	print STDERR "Sorry, you are not allowed to execute that command.\n";
178	print STDERR "You are member of the following groups :\n";
179	print STDERR qx(groups);
180	} else {
181	open(ERRORMSG, "< /etc/membersh-errormsg");
182	while (<ERRORMSG>) {
183	print STDERR $_;
184	}
185	close(ERRORMSG);
186	}
187	exit(1);