X-Git-Url: https://git.ralfj.de/schsh.git/blobdiff_plain/5271c7e79fc1c1250a9c9d20f461638b8cb1f44a..16a7ea380a71cd1efe0a91ba298add2fdf167e58:/schsh?ds=inline
diff --git a/schsh b/schsh
index f96e695..28d317d 100755
--- a/schsh
+++ b/schsh
@@ -1,7 +1,10 @@
 #!/usr/bin/python3
+import logging, logging.handlers
+import os, sys, shlex, pwd
 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
 # Configuration
 shell = None # set to "/bin/bash" or similar to allow shell access
+rrsync = "/usr/local/bin/schsh-rrsync" # path to the restricted rsync script - if available, it will be used to further restrict rsync access
 def allowSCP(run, runstr):
 if len(run) != 3: return False
@@ -15,7 +18,11 @@ def allowRSync(run, runstr):
 if len(run) < 3: return False
 if run[0] != "rsync": return False
 if run[1] != "--server": return False
- run[0] = "/usr/bin/rsync"
+ if rrsync is None:
+ # rrsync is not available, let's hope this is enough protection
+ run[0] = "/usr/bin/rsync"
+ return True
+ run[:] = [rrsync, "/", runstr] # allow access to the entire chroot
 return True
 def allowSFTP(run, runstr):
@@ -27,8 +34,6 @@ allowCommands = [allowSCP, allowRSync, allowSFTP]
 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#
 # DO NOT TOUCH ANYTHING BELOW THIS LINE
-import logging, logging.handlers
-import os, sys, shlex, pwd
 logger = logging.getLogger("schsh")
 logger.setLevel(logging.INFO)
@@ -63,7 +68,7 @@ elif len(sys.argv) == 3 and sys.argv[1] == "-c":
 # check if the command is allowed, and add path
 run = shlex.split(sys.argv[2])
 if commandAllowed(run, sys.argv[2]): # this may change run, but that's okay
- log("Running '"+str(run)+"'")
+ log("Running "+str(run))
 else:
 print("You are not allowed to run this command.")
 logquit("Attempt to run invalid command '"+sys.argv[2]+"'")
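Review bot: The comment on the new `rrsync` setting says the script is used "if available", but the only test visible in this diff is `rrsync is None` in allowRSync, so a missing file at that path is not detected there and the administrator has to opt out by hand. I would reword the comment to `# path to the restricted rsync wrapper; set to None to fall back to plain /usr/bin/rsync (weaker restriction)`. How a missing wrapper behaves at exec time is not visible in this diff, so it is worth confirming that it fails closed rather than falling through to another code path.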
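Review bot: In the new rrsync branch of allowRSync the checks run on the shlex-split `run`, but the wrapper is handed the raw `runstr` and presumably parses it again, so if the two parsers disagree on quoting, the command that was validated is not the one that runs. A comment such as `# rrsync re-parses runstr itself; the checks above are only a pre-filter` would make that dependency explicit, or the already-split arguments could be passed if the wrapper accepts them. The `rrsync is None` fallback still forwards every client-supplied option after `--server` to /usr/bin/rsync unchecked, as its own comment concedes; emitting a log warning in that branch would let operators see when the weaker path is in use. The def line of allowRSync is outside the hunk.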