projects
/
schsh.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
more clearly state where I got the rrsync from
[schsh.git]
/
schsh
diff --git
a/schsh
b/schsh
index f96e69564275e9c47115217f9dc3fbd01cff438f..28d317d68b377921979b35ad28d275e85849f6cc 100755
(executable)
--- a/
schsh
+++ b/
schsh
@@
-1,7
+1,10
@@
#!/usr/bin/python3
#!/usr/bin/python3
+import logging, logging.handlers
+import os, sys, shlex, pwd
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# Configuration
shell = None # set to "/bin/bash" or similar to allow shell access
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# Configuration
shell = None # set to "/bin/bash" or similar to allow shell access
+rrsync = "/usr/local/bin/schsh-rrsync" # path to the restricted rsync script - if available, it will be used to further restrict rsync access
def allowSCP(run, runstr):
if len(run) != 3: return False
def allowSCP(run, runstr):
if len(run) != 3: return False
@@
-15,7
+18,11
@@
def allowRSync(run, runstr):
if len(run) < 3: return False
if run[0] != "rsync": return False
if run[1] != "--server": return False
if len(run) < 3: return False
if run[0] != "rsync": return False
if run[1] != "--server": return False
- run[0] = "/usr/bin/rsync"
+ if rrsync is None:
+ # rrsync is not available, let's hope this is enough protection
+ run[0] = "/usr/bin/rsync"
+ return True
+ run[:] = [rrsync, "/", runstr] # allow access to the entire chroot
return True
def allowSFTP(run, runstr):
return True
def allowSFTP(run, runstr):
@@
-27,8
+34,6
@@
allowCommands = [allowSCP, allowRSync, allowSFTP]
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# DO NOT TOUCH ANYTHING BELOW THIS LINE
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# DO NOT TOUCH ANYTHING BELOW THIS LINE
-import logging, logging.handlers
-import os, sys, shlex, pwd
logger = logging.getLogger("schsh")
logger.setLevel(logging.INFO)
logger = logging.getLogger("schsh")
logger.setLevel(logging.INFO)
@@
-63,7
+68,7
@@
elif len(sys.argv) == 3 and sys.argv[1] == "-c":
# check if the command is allowed, and add path
run = shlex.split(sys.argv[2])
if commandAllowed(run, sys.argv[2]): # this may change run, but that's okay
# check if the command is allowed, and add path
run = shlex.split(sys.argv[2])
if commandAllowed(run, sys.argv[2]): # this may change run, but that's okay
- log("Running
'"+str(run)+"'"
)
+ log("Running
"+str(run)
)
else:
print("You are not allowed to run this command.")
logquit("Attempt to run invalid command '"+sys.argv[2]+"'")
else:
print("You are not allowed to run this command.")
logquit("Attempt to run invalid command '"+sys.argv[2]+"'")