#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
# Configuration
shell = None # set to "/bin/bash" or similar to allow shell access
-allowCommands = ["scp", "rsync", "/usr/lib/openssh/sftp-server"]
+
+def allowSCP(run):
+ if len(run) != 3: return False
+ if run[0] != "scp": return False
+ if run[1] not in ("-f", "-t"): return False
+ return True
+
+def allowRSync(run):
+ if len(run) < 3: return False
+ if run[0] != "rsync": return False
+ if run[1] != "--server": return False
+ return True
+
+def allowSFTP(run):
+ if len(run) != 1: return False
+ return run[0] == "/usr/lib/openssh/sftp-server"
+
+allowCommands = [allowSCP, allowRSync, allowSFTP]
commandPaths = ["/usr/bin", "/bin"]
# END of Configuration
log(msg, logging.ERROR)
sys.exit(1)
+def commandAllowed(run):
+ for allowed in allowCommands:
+ if allowed(run):
+ return True
+ return False
+
def addPath(prog):
if prog.startswith("/"):
return prog
elif len(sys.argv) == 3 and sys.argv[1] == "-c":
# check if the command is allowed, and add path
run = shlex.split(sys.argv[2])
- if len(run) > 0 and run[0] in allowCommands:
+ if commandAllowed(run):
run[0] = addPath(run[0])
log("Running '"+str(run)+"'")
else:
logquit("Invalid arguments for schsh: "+str(sys.argv))
assert len(run) > 0
-os.execl("/usr/bin/schroot", "/usr/bin/schroot", "-c", "user-"+get_username(), "-d", "/data", "--", *run)
+os.execl("/usr/bin/schroot", "/usr/bin/schroot", "-c", "schsh-"+get_username(), "-d", "/data", "--", *run)