Linux
/
obackup
mirror of https://github.com/deajan/obackup.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Updated ssh filter from osync project

This commit is contained in:
deajan 2017-02-09 12:28:30 +01:00
parent 0a2df4efe9
commit ddd8e9eef3
1 changed files with 27 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
ssh_filter.sh
View File

@ -5,102 +5,49 @@
##### It will filter the commands that can be run remotely via ssh.
##### Please chmod 755 and chown root:root this file
##### Obackup needed commands: rsync find du mysql mysqldump (sudo)
##### Osync needed commands: rsync find du echo mkdir rm if df (sudo)
SCRIPT_BUILD=2016031401
##### Any command that has env _REMOTE_TOKEN= with the corresponding token in it will be run
##### Any other command will return a "syntax error"
##### For details, see ssh_filter.log
## If enabled, execution of "sudo" command will be allowed.
SCRIPT_BUILD=2017020802
## Allow sudo
SUDO_EXEC=yes
## Paranoia option. Don't change this unless you read the documentation and still feel concerned about security issues.
RSYNC_EXECUTABLE=rsync
## Enable other commands, useful for remote execution hooks like remotely creating snapshots.
CMD1=""
CMD2=""
CMD3=""
LOG_FILE=~/.ssh/ssh_filter.log
## Log all valid commands too
_DEBUG=no
## Set remote token in authorized_keys
if [ "$1" != "" ]; then
_REMOTE_TOKEN="${1}"
fi
LOG_FILE="${HOME}/.ssh/ssh_filter.log"
function Log {
DATE=$(date)
echo "$DATE - $1" >> $LOG_FILE
echo "$DATE - $1" >> "$LOG_FILE"
}
function Go {
if [ "$_DEBUG" == "yes" ]; then
Log "Executing [$SSH_ORIGINAL_COMMAND]."
fi
eval "$SSH_ORIGINAL_COMMAND"
}
case ${SSH_ORIGINAL_COMMAND%% *} in
"$RSYNC_EXECUTABLE")
Go ;;
"echo")
Go ;;
"find")
Go ;;
"du")
Go ;;
"mkdir")
Go ;;
"rm")
Go ;;
"df")
Go ;;
"mv")
Go ;;
"$CMD1")
if [ "$CMD1" != "" ]; then
Go
fi
;;
"$CMD2")
if [ "$CMD2" != "" ]; then
Go
fi
;;
"$CMD3")
if [ "$CMD3" != "" ]; then
Go
fi
;;
"sudo")
if [ "$SUDO_EXEC" == "yes" ]; then
if [[ "$SSH_ORIGINAL_COMMAND" == "sudo $RSYNC_EXECUTABLE"* ]]; then
Go
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo du"* ]]; then
Go
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo find"* ]]; then
Go
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mkdir"* ]]; then
Go
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo rm"* ]]; then
Go
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo echo"* ]]; then
Go
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo df"* ]]; then
Go
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mv"* ]]; then
Go
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD1"* ]]; then
if [ "$CMD1" != "" ]; then
Go
fi
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD2"* ]]; then
if [ "$CMD2" != "" ]; then
Go
fi
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD3"* ]]; then
if [ "$CMD3" != "" ]; then
Go
fi
else
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
case "${SSH_ORIGINAL_COMMAND}" in
*"env _REMOTE_TOKEN=$_REMOTE_TOKEN"*)
if [ "$SUDO_EXEC" != "yes" ] && [[ $SSH_ORIGINAL_COMMAND == *"sudo "* ]]; then
Log "Command [$SSH_ORIGINAL_COMMAND] contains sudo which is not allowed."
echo "Syntax error unexpected end of file"
exit 1
fi
else
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed. sudo not enabled."
exit 1
fi
Go
;;
*)
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
echo "Syntax error near unexpected token"
exit 1
;;
esac