diff --git a/CHANGELOG.md b/CHANGELOG.md index 0eb06a6..e920d1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,7 +21,9 @@ UNDER WORK CHANGELOG --------- - +- Backported some fixes from Osync + - Small improvments on install script + - Copy ssh_filter.sh from osync project - Quick and dirty hack to get the full last run log in SendAlert email - Added detection of obackup.sh script in obackup-batch.sh to overcome mising path in crontab - Moved command line arguments after config file load for allowing command line overrides diff --git a/install.sh b/install.sh index eb316c9..a88d7fe 100755 --- a/install.sh +++ b/install.sh @@ -1,14 +1,25 @@ #!/usr/bin/env bash -SCRIPT_BUILD=2404201501 +SCRIPT_BUILD=2015082501 ## Obackup install script ## Tested on RHEL / CentOS 6 & 7 ## Please adapt this to fit your distro needs +if [ "$(whoami)" != "root" ] +then + echo "Must be run as root." + exit 1 +fi + mkdir /etc/obackup cp ./host_backup.conf /etc/obackup/host_backup.conf.example cp ./exclude.list.example /etc/obackup cp ./obackup.sh /usr/local/bin cp ./obackup-batch.sh /usr/local/bin +cp ./ssh_filter.sh /usr/local/bin +chmod 755 /usr/local/bin/obackup.sh +chmod 755 /usr/local/bin/obackup-batch.sh +chmod 755 /usr/local/bin/ssh_filter.sh +chown root:root /usr/local/bin/ssh_filter.sh diff --git a/ssh_filter.sh b/ssh_filter.sh index a2fe09a..6fc092c 100755 --- a/ssh_filter.sh +++ b/ssh_filter.sh @@ -1,10 +1,13 @@ #!/bin/bash -##### Obackup / Osync ssh command filter build 2306201301 -##### This script should be located in /usr/local/bin in the remote system that will be backed up / synced +##### Osync ssh command filter build 2015070203 +##### This script should be located in /usr/local/bin in the remote system to sync / backup ##### It will filter the commands that can be run remotely via ssh. ##### Please chmod 755 and chown root:root this file +##### Obackup needed commands: rsync find du mysql mysqldump (sudo) +##### Osync needed commands: rsync find du echo mkdir rm if df (sudo) + ## If enabled, execution of "sudo" command will be allowed. SUDO_EXEC=yes ## Paranoia option. Don't change this unless you read the documentation and still feel concerned about security issues. @@ -30,22 +33,35 @@ function Go case ${SSH_ORIGINAL_COMMAND%% *} in "$RSYNC_EXECUTABLE") Go ;; - "mysqldump") - Go ;; - "mysql") - Go ;; "echo") Go ;; "find") Go ;; "du") Go ;; + "mkdir") + Go ;; + "rm") + Go ;; + "df") + Go ;; + "mv") + Go ;; "$CMD1") - Go ;; + if [ "$CMD1" != "" ] + then + Go ;; + fi "$CMD2") - Go ;; + if [ "$CMD2" != "" ] + then + Go ;; + fi "$CMD3") - Go ;; + if [ "$CMD3" != "" ] + then + Go ;; + fi "sudo") if [ "$SUDO_EXEC" == "yes" ] then @@ -58,22 +74,49 @@ case ${SSH_ORIGINAL_COMMAND%% *} in elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo find"* ]] then Go + elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mkdir"* ]] + then + Go + elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo rm"* ]] + then + Go + elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo echo"* ]] + then + Go + elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo df"* ]] + then + Go + elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mv"* ]] + then + Go elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD1"* ]] then + if [ "$CMD1" != "" ] + then Go + fi elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD2"* ]] then + if [ "$CMD2" != "" ] + then Go + fi elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD3"* ]] then + if [ "$CMD3" != "" ] + then Go + fi else Log "Command [$SSH_ORIGINAL_COMMAND] not allowed." + exit 1 fi else Log "Command [$SSH_ORIGINAL_COMMAND] not allowed. sudo not enabled." + exit 1 fi ;; *) Log "Command [$SSH_ORIGINAL_COMMAND] not allowed." + exit 1 esac