1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
|
#!/bin/bash
set -eu
# Copyright (C) 2015, Benjamin Drung <benjamin.drung@profitbricks.com>
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# Note: Matching the regular expressions requires bash
log() {
msg="$1"
echo "${0##*/}: $msg" >&2
logger -t ${0##*/} -- "$msg"
}
config="${1-}"
if test -z "$config"; then
if test -n "${USER-}"; then
config="$USER"
else
config=$(id -u -n)
fi
fi
config_file="/etc/restricted-ssh-commands/$config"
if test ! -f "$config_file"; then
log "No configuration in $config_file. All commands including \"${SSH_ORIGINAL_COMMAND-}\" are denied."
exit 125
fi
num_rules=0
while IFS='' read -r line; do
# Skip empty lines and lines starting with hashes
if ! [[ "$line" =~ ^[[:space:]]*(#|$) ]]; then
if [[ "${SSH_ORIGINAL_COMMAND-}" =~ $line ]]; then
if test -n "${RSC_VERBOSE-}"; then
log "${0##*/}: \"${SSH_ORIGINAL_COMMAND-}\" matches \"$line\""
fi
found=1
break
else
((num_rules+=1))
if test -n "${RSC_VERBOSE-}"; then
log "${0##*/}: Regular expression does not match: \"$line\""
fi
fi
elif test -n "${RSC_VERBOSE-}"; then
log "${0##*/}: Skipping commented/empty configuration line: \"$line\""
fi
done < "$config_file"
if test -z "${found-}"; then
if test "$num_rules" -eq 0; then
log "Empty configuration in $config_file. All commands including \"${SSH_ORIGINAL_COMMAND-}\" are denied."
exit 125
else
if test "$num_rules" -eq 1; then
msg="the one allow rule"
else
msg="any of the $num_rules allow rules"
fi
log "Rejecting command \"${SSH_ORIGINAL_COMMAND-}\". It does not match $msg in $config_file."
exit 124
fi
fi
exec ${SHELL:-/bin/sh} -c "${SSH_ORIGINAL_COMMAND-}"
|