mirror of
https://github.com/deajan/obackup.git
synced 2024-12-04 04:33:41 +01:00
Updated ssh filter from osync project
This commit is contained in:
parent
0a2df4efe9
commit
ddd8e9eef3
107
ssh_filter.sh
107
ssh_filter.sh
@ -5,102 +5,49 @@
|
||||
##### It will filter the commands that can be run remotely via ssh.
|
||||
##### Please chmod 755 and chown root:root this file
|
||||
|
||||
##### Obackup needed commands: rsync find du mysql mysqldump (sudo)
|
||||
##### Osync needed commands: rsync find du echo mkdir rm if df (sudo)
|
||||
SCRIPT_BUILD=2016031401
|
||||
##### Any command that has env _REMOTE_TOKEN= with the corresponding token in it will be run
|
||||
##### Any other command will return a "syntax error"
|
||||
##### For details, see ssh_filter.log
|
||||
|
||||
## If enabled, execution of "sudo" command will be allowed.
|
||||
SCRIPT_BUILD=2017020802
|
||||
|
||||
## Allow sudo
|
||||
SUDO_EXEC=yes
|
||||
## Paranoia option. Don't change this unless you read the documentation and still feel concerned about security issues.
|
||||
RSYNC_EXECUTABLE=rsync
|
||||
## Enable other commands, useful for remote execution hooks like remotely creating snapshots.
|
||||
CMD1=""
|
||||
CMD2=""
|
||||
CMD3=""
|
||||
|
||||
LOG_FILE=~/.ssh/ssh_filter.log
|
||||
## Log all valid commands too
|
||||
_DEBUG=no
|
||||
|
||||
## Set remote token in authorized_keys
|
||||
if [ "$1" != "" ]; then
|
||||
_REMOTE_TOKEN="${1}"
|
||||
fi
|
||||
|
||||
LOG_FILE="${HOME}/.ssh/ssh_filter.log"
|
||||
|
||||
function Log {
|
||||
DATE=$(date)
|
||||
echo "$DATE - $1" >> $LOG_FILE
|
||||
echo "$DATE - $1" >> "$LOG_FILE"
|
||||
}
|
||||
|
||||
function Go {
|
||||
if [ "$_DEBUG" == "yes" ]; then
|
||||
Log "Executing [$SSH_ORIGINAL_COMMAND]."
|
||||
fi
|
||||
eval "$SSH_ORIGINAL_COMMAND"
|
||||
}
|
||||
|
||||
case ${SSH_ORIGINAL_COMMAND%% *} in
|
||||
"$RSYNC_EXECUTABLE")
|
||||
Go ;;
|
||||
"echo")
|
||||
Go ;;
|
||||
"find")
|
||||
Go ;;
|
||||
"du")
|
||||
Go ;;
|
||||
"mkdir")
|
||||
Go ;;
|
||||
"rm")
|
||||
Go ;;
|
||||
"df")
|
||||
Go ;;
|
||||
"mv")
|
||||
Go ;;
|
||||
"$CMD1")
|
||||
if [ "$CMD1" != "" ]; then
|
||||
Go
|
||||
fi
|
||||
;;
|
||||
"$CMD2")
|
||||
if [ "$CMD2" != "" ]; then
|
||||
Go
|
||||
fi
|
||||
;;
|
||||
"$CMD3")
|
||||
if [ "$CMD3" != "" ]; then
|
||||
Go
|
||||
fi
|
||||
;;
|
||||
"sudo")
|
||||
if [ "$SUDO_EXEC" == "yes" ]; then
|
||||
if [[ "$SSH_ORIGINAL_COMMAND" == "sudo $RSYNC_EXECUTABLE"* ]]; then
|
||||
Go
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo du"* ]]; then
|
||||
Go
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo find"* ]]; then
|
||||
Go
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mkdir"* ]]; then
|
||||
Go
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo rm"* ]]; then
|
||||
Go
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo echo"* ]]; then
|
||||
Go
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo df"* ]]; then
|
||||
Go
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mv"* ]]; then
|
||||
Go
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD1"* ]]; then
|
||||
if [ "$CMD1" != "" ]; then
|
||||
Go
|
||||
fi
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD2"* ]]; then
|
||||
if [ "$CMD2" != "" ]; then
|
||||
Go
|
||||
fi
|
||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD3"* ]]; then
|
||||
if [ "$CMD3" != "" ]; then
|
||||
Go
|
||||
fi
|
||||
else
|
||||
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
|
||||
case "${SSH_ORIGINAL_COMMAND}" in
|
||||
*"env _REMOTE_TOKEN=$_REMOTE_TOKEN"*)
|
||||
if [ "$SUDO_EXEC" != "yes" ] && [[ $SSH_ORIGINAL_COMMAND == *"sudo "* ]]; then
|
||||
Log "Command [$SSH_ORIGINAL_COMMAND] contains sudo which is not allowed."
|
||||
echo "Syntax error unexpected end of file"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed. sudo not enabled."
|
||||
exit 1
|
||||
fi
|
||||
Go
|
||||
;;
|
||||
*)
|
||||
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
|
||||
echo "Syntax error near unexpected token"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
Loading…
Reference in New Issue
Block a user