From ddd8e9eef39e64b3b694b0940f74e62f949e6978 Mon Sep 17 00:00:00 2001
From: deajan <ozy@netpower.fr>
Date: Thu, 9 Feb 2017 12:28:30 +0100
Subject: [PATCH] Updated ssh filter from osync project

---
 ssh_filter.sh | 107 +++++++++++++-------------------------------------
 1 file changed, 27 insertions(+), 80 deletions(-)

diff --git a/ssh_filter.sh b/ssh_filter.sh
index 089790e..072b7dd 100755
--- a/ssh_filter.sh
+++ b/ssh_filter.sh
@@ -5,102 +5,49 @@
 ##### It will filter the commands that can be run remotely via ssh.
 ##### Please chmod 755 and chown root:root this file
 
-##### Obackup needed commands: rsync find du mysql mysqldump (sudo)
-##### Osync needed commands: rsync find du echo mkdir rm if df (sudo)
-SCRIPT_BUILD=2016031401
+##### Any command that has env _REMOTE_TOKEN= with the corresponding token in it will be run
+##### Any other command will return a "syntax error"
+##### For details, see ssh_filter.log
 
-## If enabled, execution of "sudo" command will be allowed.
+SCRIPT_BUILD=2017020802
+
+## Allow sudo
 SUDO_EXEC=yes
-## Paranoia option. Don't change this unless you read the documentation and still feel concerned about security issues.
-RSYNC_EXECUTABLE=rsync
-## Enable other commands, useful for remote execution hooks like remotely creating snapshots.
-CMD1=""
-CMD2=""
-CMD3=""
 
-LOG_FILE=~/.ssh/ssh_filter.log
+## Log all valid commands too
+_DEBUG=no
+
+## Set remote token in authorized_keys
+if [ "$1" != "" ]; then
+	_REMOTE_TOKEN="${1}"
+fi
+
+LOG_FILE="${HOME}/.ssh/ssh_filter.log"
 
 function Log {
 	DATE=$(date)
-	echo "$DATE - $1" >> $LOG_FILE
+	echo "$DATE - $1" >> "$LOG_FILE"
 }
 
 function Go {
+	if [ "$_DEBUG" == "yes" ]; then
+		Log "Executing [$SSH_ORIGINAL_COMMAND]."
+	fi
 	eval "$SSH_ORIGINAL_COMMAND"
 }
 
-case ${SSH_ORIGINAL_COMMAND%% *} in
-	"$RSYNC_EXECUTABLE")
-	Go ;;
-	"echo")
-	Go ;;
-	"find")
-	Go ;;
-	"du")
-	Go ;;
-	"mkdir")
-	Go ;;
-	"rm")
-	Go ;;
-	"df")
-	Go ;;
-	"mv")
-	Go ;;
-	"$CMD1")
-	if [ "$CMD1" != "" ]; then
-		Go
-	fi
-	;;
-	"$CMD2")
-	if [ "$CMD2" != "" ]; then
-		Go
-	fi
-	;;
-	"$CMD3")
-	if [ "$CMD3" != "" ]; then
-		Go
-	fi
-	;;
-	"sudo")
-	if [ "$SUDO_EXEC" == "yes" ]; then
-		if [[ "$SSH_ORIGINAL_COMMAND" == "sudo $RSYNC_EXECUTABLE"* ]]; then
-			Go
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo du"* ]]; then
-			Go
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo find"* ]]; then
-			Go
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mkdir"* ]]; then
-			Go
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo rm"* ]]; then
-			Go
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo echo"* ]]; then
-			Go
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo df"* ]]; then
-			Go
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mv"* ]]; then
-			Go
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD1"* ]]; then
-			if [ "$CMD1" != "" ]; then
-			Go
-			fi
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD2"* ]]; then
-			if [ "$CMD2" != "" ]; then
-			Go
-			fi
-		elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD3"* ]]; then
-			if [ "$CMD3" != "" ]; then
-			Go
-			fi
-		else
-			Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
+case "${SSH_ORIGINAL_COMMAND}" in
+	*"env _REMOTE_TOKEN=$_REMOTE_TOKEN"*)
+		if [ "$SUDO_EXEC" != "yes" ] && [[ $SSH_ORIGINAL_COMMAND == *"sudo "* ]]; then
+			Log "Command [$SSH_ORIGINAL_COMMAND] contains sudo which is not allowed."
+			echo "Syntax error unexpected end of file"
 			exit 1
 		fi
-	else
-		Log "Command [$SSH_ORIGINAL_COMMAND] not allowed. sudo not enabled."
-		exit 1
-	fi
+	Go
 	;;
 	*)
 	Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
+	echo "Syntax error near unexpected token"
 	exit 1
+	;;
 esac