#!/usr/bin/python3
+import logging, logging.handlers
+import os, sys, shlex, pwd
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# Configuration
shell = None # set to "/bin/bash" or similar to allow shell access
+rrsync = "/usr/local/bin/schsh-rrsync" # path to the restricted rsync script - if available, it will be used to further restrict rsync access
def allowSCP(run, runstr):
if len(run) != 3: return False
if len(run) < 3: return False
if run[0] != "rsync": return False
if run[1] != "--server": return False
- run[0] = "/usr/bin/rsync"
+ if rrsync is None:
+ # rrsync is not available, let's hope this is enough protection
+ run[0] = "/usr/bin/rsync"
+ return True
+ run[:] = [rrsync, "/", runstr] # allow access to the entire chroot
return True
def allowSFTP(run, runstr):
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# DO NOT TOUCH ANYTHING BELOW THIS LINE
-import logging, logging.handlers
-import os, sys, shlex, pwd
logger = logging.getLogger("schsh")
logger.setLevel(logging.INFO)
# check if the command is allowed, and add path
run = shlex.split(sys.argv[2])
if commandAllowed(run, sys.argv[2]): # this may change run, but that's okay
- log("Running '"+str(run)+"'")
+ log("Running "+str(run))
else:
print("You are not allowed to run this command.")
logquit("Attempt to run invalid command '"+sys.argv[2]+"'")