File: restricted-ssh-commands

package info (click to toggle)
restricted-ssh-commands 0.4-1
  • links: PTS
  • area: main
  • in suites: bookworm, bullseye, buster, sid, trixie
  • size: 88 kB
  • ctags: 20
  • sloc: sh: 125; makefile: 24
file content (84 lines) | stat: -rwxr-xr-x 2,920 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
 
#!/bin/bash
set -eu

# Copyright (C) 2015, Benjamin Drung <benjamin.drung@profitbricks.com>
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# Note: Matching the regular expressions requires bash

log() {
    msg="$1"
    echo "${0##*/}: $msg" >&2
    logger -t ${0##*/} -- "$msg"
}

config="${1-}"
if test -z "$config"; then
    if test -n "${USER-}"; then
        config="$USER"
    else
        config=$(id -u -n)
    fi
fi

config_file="/etc/restricted-ssh-commands/$config"
if test ! -f "$config_file"; then
    log "No configuration in $config_file. All commands including \"${SSH_ORIGINAL_COMMAND-}\" are denied."
    exit 125
fi

num_rules=0
while IFS='' read -r line; do
    # Skip empty lines and lines starting with hashes
    if ! [[ "$line" =~ ^[[:space:]]*(#|$) ]]; then
        if [[ "${SSH_ORIGINAL_COMMAND-}" =~ $line ]]; then
            if test -n "${RSC_VERBOSE-}"; then
                log "${0##*/}: \"${SSH_ORIGINAL_COMMAND-}\" matches \"$line\""
            fi
            found=1
            break
        else
            ((num_rules+=1))
            if test -n "${RSC_VERBOSE-}"; then
                log "${0##*/}: Regular expression does not match: \"$line\""
            fi
        fi
    elif test -n "${RSC_VERBOSE-}"; then
        log "${0##*/}: Skipping commented/empty configuration line: \"$line\""
    fi
done < "$config_file"

if test -z "${found-}"; then
    if test "$num_rules" -eq 0; then
        log "Empty configuration in $config_file. All commands including \"${SSH_ORIGINAL_COMMAND-}\" are denied."
        exit 125
    else
        if test "$num_rules" -eq 1; then
            msg="the one allow rule"
        else
            msg="any of the $num_rules allow rules"
        fi
        log "Rejecting command \"${SSH_ORIGINAL_COMMAND-}\". It does not match $msg in $config_file."
        exit 124
    fi
fi

exec ${SHELL:-/bin/sh} -c "${SSH_ORIGINAL_COMMAND-}"