mirror of
https://github.com/deajan/obackup.git
synced 2024-11-14 11:43:41 +01:00
Updated ssh filter from osync project
This commit is contained in:
parent
0a2df4efe9
commit
ddd8e9eef3
107
ssh_filter.sh
107
ssh_filter.sh
@ -5,102 +5,49 @@
|
|||||||
##### It will filter the commands that can be run remotely via ssh.
|
##### It will filter the commands that can be run remotely via ssh.
|
||||||
##### Please chmod 755 and chown root:root this file
|
##### Please chmod 755 and chown root:root this file
|
||||||
|
|
||||||
##### Obackup needed commands: rsync find du mysql mysqldump (sudo)
|
##### Any command that has env _REMOTE_TOKEN= with the corresponding token in it will be run
|
||||||
##### Osync needed commands: rsync find du echo mkdir rm if df (sudo)
|
##### Any other command will return a "syntax error"
|
||||||
SCRIPT_BUILD=2016031401
|
##### For details, see ssh_filter.log
|
||||||
|
|
||||||
## If enabled, execution of "sudo" command will be allowed.
|
SCRIPT_BUILD=2017020802
|
||||||
|
|
||||||
|
## Allow sudo
|
||||||
SUDO_EXEC=yes
|
SUDO_EXEC=yes
|
||||||
## Paranoia option. Don't change this unless you read the documentation and still feel concerned about security issues.
|
|
||||||
RSYNC_EXECUTABLE=rsync
|
|
||||||
## Enable other commands, useful for remote execution hooks like remotely creating snapshots.
|
|
||||||
CMD1=""
|
|
||||||
CMD2=""
|
|
||||||
CMD3=""
|
|
||||||
|
|
||||||
LOG_FILE=~/.ssh/ssh_filter.log
|
## Log all valid commands too
|
||||||
|
_DEBUG=no
|
||||||
|
|
||||||
|
## Set remote token in authorized_keys
|
||||||
|
if [ "$1" != "" ]; then
|
||||||
|
_REMOTE_TOKEN="${1}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
LOG_FILE="${HOME}/.ssh/ssh_filter.log"
|
||||||
|
|
||||||
function Log {
|
function Log {
|
||||||
DATE=$(date)
|
DATE=$(date)
|
||||||
echo "$DATE - $1" >> $LOG_FILE
|
echo "$DATE - $1" >> "$LOG_FILE"
|
||||||
}
|
}
|
||||||
|
|
||||||
function Go {
|
function Go {
|
||||||
|
if [ "$_DEBUG" == "yes" ]; then
|
||||||
|
Log "Executing [$SSH_ORIGINAL_COMMAND]."
|
||||||
|
fi
|
||||||
eval "$SSH_ORIGINAL_COMMAND"
|
eval "$SSH_ORIGINAL_COMMAND"
|
||||||
}
|
}
|
||||||
|
|
||||||
case ${SSH_ORIGINAL_COMMAND%% *} in
|
case "${SSH_ORIGINAL_COMMAND}" in
|
||||||
"$RSYNC_EXECUTABLE")
|
*"env _REMOTE_TOKEN=$_REMOTE_TOKEN"*)
|
||||||
Go ;;
|
if [ "$SUDO_EXEC" != "yes" ] && [[ $SSH_ORIGINAL_COMMAND == *"sudo "* ]]; then
|
||||||
"echo")
|
Log "Command [$SSH_ORIGINAL_COMMAND] contains sudo which is not allowed."
|
||||||
Go ;;
|
echo "Syntax error unexpected end of file"
|
||||||
"find")
|
|
||||||
Go ;;
|
|
||||||
"du")
|
|
||||||
Go ;;
|
|
||||||
"mkdir")
|
|
||||||
Go ;;
|
|
||||||
"rm")
|
|
||||||
Go ;;
|
|
||||||
"df")
|
|
||||||
Go ;;
|
|
||||||
"mv")
|
|
||||||
Go ;;
|
|
||||||
"$CMD1")
|
|
||||||
if [ "$CMD1" != "" ]; then
|
|
||||||
Go
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
"$CMD2")
|
|
||||||
if [ "$CMD2" != "" ]; then
|
|
||||||
Go
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
"$CMD3")
|
|
||||||
if [ "$CMD3" != "" ]; then
|
|
||||||
Go
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
"sudo")
|
|
||||||
if [ "$SUDO_EXEC" == "yes" ]; then
|
|
||||||
if [[ "$SSH_ORIGINAL_COMMAND" == "sudo $RSYNC_EXECUTABLE"* ]]; then
|
|
||||||
Go
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo du"* ]]; then
|
|
||||||
Go
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo find"* ]]; then
|
|
||||||
Go
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mkdir"* ]]; then
|
|
||||||
Go
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo rm"* ]]; then
|
|
||||||
Go
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo echo"* ]]; then
|
|
||||||
Go
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo df"* ]]; then
|
|
||||||
Go
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mv"* ]]; then
|
|
||||||
Go
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD1"* ]]; then
|
|
||||||
if [ "$CMD1" != "" ]; then
|
|
||||||
Go
|
|
||||||
fi
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD2"* ]]; then
|
|
||||||
if [ "$CMD2" != "" ]; then
|
|
||||||
Go
|
|
||||||
fi
|
|
||||||
elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD3"* ]]; then
|
|
||||||
if [ "$CMD3" != "" ]; then
|
|
||||||
Go
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed. sudo not enabled."
|
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
Go
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
|
Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
|
||||||
|
echo "Syntax error near unexpected token"
|
||||||
exit 1
|
exit 1
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
|
Loading…
Reference in New Issue
Block a user