#!/usr/bin/perl
# This file is part of the Savane project
# <http://gna.org/projects/savane/>
#
# $Id$
#
# Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org>
#                         Mathieu Roy <yeupou--gnu.org>
#                         Timothee Besset <ttimo--ttimo.net>
#
# The Savane project is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# The Savane project is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with the Savane project; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
#

# Login shell for people who should only have limited access.
# It never runs a command itself: the command line sshd passes in "-c"
# is matched against the regexps configured in /etc/membersh-conf.pl and,
# on a match, the corresponding program is exec'ed directly (no shell in
# between). Anything else is refused.
# You probably should add/modify the following options of your sshd_config
# like below (see sshd_config manual for more details):
# PermitEmptyPasswords no
# PasswordAuthentication no
# AllowTcpForwarding no
# PermitUserEnvironment no
# The last one matters because this is a Perl script: the script only
# resets PATH and CVSEDITOR itself, so a user-supplied environment
# (PERL5OPT, PERL5LIB, ...) would otherwise be honoured by perl before a
# single line below runs, and be inherited by every program exec'ed here.

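use strict;
use warnings;

# sshd starts this shell with whatever environment the client was allowed
# to set. Pin the variables a child process would trust before anything
# is exec'ed: a fixed PATH, and none of the shell-influencing variables
# perlsec tells secure programs to drop (IFS, CDPATH, ENV, BASH_ENV).
$ENV{PATH} = "/bin:/usr/bin";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Never let cvs spawn an editor on this account.
$ENV{CVSEDITOR} = "/bin/false";
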
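# Import conf options.
#
# These are only defaults; /etc/membersh-conf.pl (loaded below with `do`)
# overrides them. Every $regexp_* value is interpolated as-is into a match
# against the command line sshd hands us, so each one is the entire access
# policy for that tool:
#   - anchor it at both ends, otherwise it is a substring test;
#   - `.*` lets arbitrary options through to the underlying program, so
#     only use it where the program cannot be talked into something else
#     (for scp, `-f` anywhere on the line turns OpenSSH's scp into a file
#     *source* even when `-t` is also present);
#   - write patterns in single quotes so `\z`, `$` and friends reach the
#     regex engine instead of being interpolated by Perl.
our $use_cvs = "0";
our $bin_cvs = "/usr/bin/cvs";

our $use_scp = "0";
our $bin_scp = "/usr/bin/scp";
# Accept "-t <dir>" only under one of the allowed roots, and require the
# root to be a whole path component. The previous default,
# "^(scp .*-t /upload)|(scp .*-t /var/ftp)", was a bare prefix test (so
# "/uploadXYZ" passed) and its second alternative was not anchored at all
# (so "scp .*-t /var/ftp" anywhere in the line passed).
our $regexp_scp = '^scp .*-t /(upload|var/ftp)(/|\z)';

our $use_sftp = "0";
our $bin_sftp = "/usr/lib/sftp-server";
# Only the requested binary is checked; its arguments are never forwarded.
our $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)";

our $use_rsync = "0";
our $bin_rsync = "/usr/bin/rsync";
our $regexp_rsync = "^rsync --server";
# Applied to rsync's last argument (the directory). Same anchoring fix as
# $regexp_scp: the old "^(/upload)|(/var/ftp)" matched "/uploadXYZ" and
# matched "/var/ftp" at any position.
our $regexp_dir_rsync = '^/(upload|var/ftp)(/|\z)';

our $use_svn = "0";
our $bin_svn = "/usr/bin/svnserve";
our $regexp_svn = "^svnserve -t";
# Always passed to svnserve before the user's own arguments.
our @prepend_args_svn = ( '-r', '/svn' );

our $use_git = "0";
our $bin_git = "/usr/bin/git-shell";

our $use_pkgsubmit = "0";
our $regexp_pkgsubmit = "^/usr/share/repsys/create-srpm |^/usr/local/bin/submit_package ";
our $bin_pkgsubmit = "/usr/local/bin/submit_package";

our $use_maintdb = "0";
our $regexp_maintdb = "^/usr/local/bin/wrapper.maintdb ";
our $bin_maintdb = "/usr/local/bin/wrapper.maintdb";

our $use_upload_bin = "0";
our $regexp_upload_bin = "^/usr/local/bin/wrapper.upload-bin ";
our $bin_upload_bin = "/usr/local/bin/wrapper.upload-bin";
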
# Open configuration file.
#
# /etc/membersh-conf.pl is executed as Perl with `do`, under the restricted
# user's own identity, so it must be owned by root and not writable by
# those users. `do` yields the file's last evaluated value, so the file has
# to end with a true expression (conventionally `1;`); a missing,
# unparsable or false-returning file stops the shell with a deliberately
# generic message that tells the user nothing about the configuration.
my $conf_path  = "/etc/membersh-conf.pl";
my $conf_error = "System misconfiguration, contact administrators. Exiting";

die $conf_error unless -e $conf_path;
do $conf_path or die $conf_error;

# A configuration file /etc/membersh-conf.pl must exist and be readable by
# the restricted users (it is loaded with `do`, so it does not need to be
# executable). It is run as Perl with this shell's privileges, so it must
# be owned by root and writable by nobody else, and its last statement
# must evaluate to true (end it with `1;`), otherwise the `do ... or die`
# above treats it as broken. Write the $regexp_* values in single quotes
# and anchor them at both ends: they are the whole access policy.
# Here is an example:
#
# $use_cvs = "1";
# $bin_cvs = "/usr/bin/cvs";
#
# $use_scp = "1";
# $bin_scp = "/usr/bin/scp";
# $regexp_scp = '^scp .*-t /(upload|var/ftp)(/|\z)';
#
# $use_sftp = "1";
# $bin_sftp = "/usr/lib/sftp-server";
# $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server)";
#
# $use_rsync = "1";
# $bin_rsync = "/usr/bin/rsync";
# $regexp_rsync = "^rsync --server";
# $regexp_dir_rsync = '^/(upload|var/ftp)(/|\z)';
#
# $use_pkgsubmit = "1";
#
# $use_maintdb = "1";
#
# $use_upload_bin = "1";
#
# 1;

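
# True when a path argument contains a ".." component, i.e. could climb
# out of the directory the configured regexp matched ("/upload/../etc").
# Used on the arguments handed to scp and rsync.
sub _climbs_out {
    my ($path) = @_;
    return $path =~ m{(^|/)\.\.(/|\z)};
}

# sshd runs the login shell as "membersh -c '<command line>'". Each branch
# below checks the raw command line against the administrator's $regexp_*
# policy, splits it on whitespace and execs the real program with
# list-form exec, so no shell ever interprets the string. Whatever a
# regexp does not pin down is passed through to the program unchanged:
# the patterns are the policy, and the extra checks here only close the
# holes that are independent of any particular pattern.
if ($#ARGV == 1 and $ARGV[0] eq "-c") {
    my $command = $ARGV[1];

    if ($use_cvs and $command eq 'cvs server') {

        # Run a cvs server command
        exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!");

    } elsif ($use_scp and $command =~ m{$regexp_scp}) {

        # Authorize scp command. The regexp fixes the target directory,
        # but a ".." component could still climb out of it, so refuse
        # those. Options between "scp" and "-t" are whatever the pattern
        # admits.
        my (@args) = split(' ', $command);
        shift(@args);                               # the literal "scp"
        if (@args and not grep { _climbs_out($_) } @args) {
            exec($bin_scp, @args) or die("Failed to exec $bin_scp: $!");
        }

    } elsif ($use_sftp and $command =~ m{$regexp_sftp}) {

        # Authorize sftp login: only the requested binary is checked and
        # none of the client's arguments are forwarded.
        exec($bin_sftp) or die("Failed to exec $bin_sftp: $!");

    } elsif ($use_rsync and $command =~ m{$regexp_rsync}) {

        my ($rsync, @rest) = split(' ', $command);
        my ($dir) = $rest[$#rest];

        # Authorize rsync command, if the directory (rsync's last argument)
        # is acceptable and no argument carries a ".." component. The
        # options between "--server" and the directory are not inspected.
        if (defined $dir
            and $dir =~ m{$regexp_dir_rsync}
            and not grep { _climbs_out($_) } @rest) {
            exec($bin_rsync, @rest) or die("Failed to exec $bin_rsync: $!");
        }

    } elsif ($use_svn and $command =~ m{$regexp_svn}) {

        # Authorize svnserve in tunnel mode, with the svn root prepended.
        # The stock svn+ssh client sends exactly "svnserve -t"; any other
        # option is refused because svnserve would honour it after ours
        # (a later -r/--root replaces the prepended root, and --tunnel-user
        # lets the caller choose the name commits are recorded under).
        my (@args_user) = split(' ', $command);
        shift(@args_user);                          # the literal "svnserve"
        my @unexpected = grep { $_ ne '-t' and $_ ne '--tunnel' } @args_user;
        if (@args_user and not @unexpected) {
            my (@args) = (@prepend_args_svn, @args_user);
            exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!");
        }

    } elsif ($use_git and $command =~ m{^git-.+}) {

        # Delegate filtering to git-shell (it receives the original
        # "-c <command>" pair and decides itself what to run).
        exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");

    } elsif ($use_pkgsubmit and $command =~ m{$regexp_pkgsubmit}) {

        # Whichever of the accepted paths the client named is dropped;
        # the configured wrapper gets the remaining arguments.
        my ($createsrpm, @rest) = split(' ', $command);
        exec($bin_pkgsubmit, @rest) or die("Failed to exec $bin_pkgsubmit: $!");

    } elsif ($use_maintdb and $command =~ m{$regexp_maintdb}) {

        my ($maintdb, @rest) = split(' ', $command);
        exec($bin_maintdb, @rest) or die("Failed to exec $bin_maintdb: $!");

    } elsif ($use_upload_bin and $command =~ m{$regexp_upload_bin}) {

        my ($upload_bin, @rest) = split(' ', $command);
        exec($bin_upload_bin, @rest) or die("Failed to exec $bin_upload_bin: $!");
    }
}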
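
# Nothing above matched, or no "-c <command>" was given at all: explain
# the refusal on STDERR and exit non-zero. When /etc/membersh-errormsg
# exists its content is printed verbatim instead of the built-in text
# (which also lists the account's groups).
my $errormsg_file = "/etc/membersh-errormsg";
if (-e $errormsg_file) {
    if (open(my $errormsg, '<', $errormsg_file)) {
        print STDERR $_ while <$errormsg>;
        close($errormsg);
    } else {
        # The file exists but could not be read: still say something.
        print STDERR "Sorry, you are not allowed to execute that command.\n";
    }
} else {
    # Bug fix: this used to test `$ARGV`, the file name of the magic <>
    # handle (never set here), so every refusal was reported as an
    # interactive-shell attempt even when a command had been given.
    if (@ARGV) {
        print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
    } else {
        print STDERR "You tried to run a interactive shell.\n";
    }
    print STDERR "Sorry, you are not allowed to execute that command.\n";
    print STDERR "You are member of the following groups :\n";
    print STDERR qx(groups);
}
exit(1);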