From: Ralf Jung Date: Sat, 22 Feb 2014 10:05:46 +0000 (+0100) Subject: switch to Python 3; allow command verifiers to change the command X-Git-Url: https://git.ralfj.de/schsh.git/commitdiff_plain/5271c7e79fc1c1250a9c9d20f461638b8cb1f44a?ds=sidebyside switch to Python 3; allow command verifiers to change the command --- diff --git a/makeschsh b/makeschsh index dc31830..5476687 100755 --- a/makeschsh +++ b/makeschsh @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/python3 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# # Configuration schsh = "/usr/local/bin/schsh" @@ -12,7 +12,7 @@ chroots = "/var/lib/schsh" import os, sys, subprocess, pwd, grp if os.getuid() != 0: - print "Run this a root, please." + print("Run this a root, please.") sys.exit(1) @@ -24,22 +24,22 @@ def setup(name): # schroot configuration with open("/etc/schroot/chroot.d/schsh-"+name, "w") as f: - print >>f, """[schsh-{0}] + print("""[schsh-{0}] type=directory directory={1} users={0} profile=schsh setup.fstab=schsh/{0}.fstab -""".format(name, chroot) +""".format(name, chroot), file=f) with open("/etc/schroot/schsh/"+name+".fstab", "w") as f: # no spaces, schroot does not like them - print >>f, "# " + print("# ", file=f) # system folders - for folder in ("/bin", "/lib", "/lib64", "/usr/bin", "/usr/lib", "/usr/lib64"): + for folder in ("/lib", "/lib64", "/usr/bin", "/usr/lib", "/usr/lib64"): if os.path.exists(folder): - print >>f, "{0}\t{0}\tnone\trw,bind\t0\t0".format(folder) + print("{0}\t{0}\tnone\trw,bind\t0\t0".format(folder), file=f) # user folder - print >>f, "/home/{0}/data\t/data\tnone\trw,bind\t0\t0".format(name) + print("/home/{0}/data\t/data\tnone\trw,bind\t0\t0".format(name), file=f) # setup the schroot directory os.mkdir(chroot) @@ -48,16 +48,16 @@ setup.fstab=schsh/{0}.fstab # setup /etc/passwd and /etc/group with open(os.path.join(chroot, "etc", "passwd"), "w") as f: - print >>f, "root:x:0:0:root:/root:/bin/bash" - print >>f, "{0}:x:{1}:{2}:,,,:/data:/bin/false".format(name, userpw.pw_uid, userpw.pw_gid) + print("root:x:0:0:root:/root:/bin/bash", file=f) + print("{0}:x:{1}:{2}:,,,:/data:/bin/false".format(name, userpw.pw_uid, userpw.pw_gid), file=f) with open(os.path.join(chroot, "etc", "group"), "w") as f: - print >>f, "root:x:0:" + print("root:x:0:", file=f) usergrp = grp.getgrgid(userpw.pw_gid) - print >>f, "{0}:x:{1}:".format(usergrp.gr_name, usergrp.gr_gid) + print("{0}:x:{1}:".format(usergrp.gr_name, usergrp.gr_gid), file=f) if group: groupgrp = grp.getgrnam(group) assert usergrp.gr_gid != groupgrp.gr_gid - print >>f, "{0}:x:{1}:{2}".format(groupgrp.gr_name, groupgrp.gr_gid, name) + print("{0}:x:{1}:{2}".format(groupgrp.gr_name, groupgrp.gr_gid, name), file=f) # user configuration if userpw.pw_shell != schsh: @@ -68,8 +68,8 @@ setup.fstab=schsh/{0}.fstab # done! if len(sys.argv) <= 1: - print "Usage: %s " % sys.argv[0] + print("Usage: %s " % sys.argv[0]) else: for name in sys.argv[1:]: - print "Setting up",name + print("Setting up",name) setup(name) diff --git a/schsh b/schsh index f079112..f96e695 100755 --- a/schsh +++ b/schsh @@ -1,27 +1,27 @@ -#!/usr/bin/python +#!/usr/bin/python3 #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# # Configuration shell = None # set to "/bin/bash" or similar to allow shell access -def allowSCP(run): +def allowSCP(run, runstr): if len(run) != 3: return False if run[0] != "scp": return False if run[1] not in ("-f", "-t"): return False if run[2].startswith('-'): return False + run[0] = "/usr/bin/scp" return True -def allowRSync(run): +def allowRSync(run, runstr): if len(run) < 3: return False if run[0] != "rsync": return False if run[1] != "--server": return False + run[0] = "/usr/bin/rsync" return True -def allowSFTP(run): - if len(run) != 1: return False - return run[0] == "/usr/lib/openssh/sftp-server" +def allowSFTP(run, runstr): + return runstr == "/usr/lib/openssh/sftp-server" allowCommands = [allowSCP, allowRSync, allowSFTP] -commandPaths = ["/usr/bin", "/bin"] # END of Configuration #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~# @@ -45,38 +45,27 @@ def logquit(msg): log(msg, logging.ERROR) sys.exit(1) -def commandAllowed(run): +def commandAllowed(run, runstr): for allowed in allowCommands: - if allowed(run): + if allowed(run, runstr): return True return False -def addPath(prog): - if prog.startswith("/"): - return prog - # look for it in the paths - for path in commandPaths: - fullprog = os.path.join(path, prog) - if os.path.exists(fullprog): - return fullprog - return None - # parse arguments run = [] if len(sys.argv) == 1: if shell is None: - print "No shell for you!" + print("No shell for you!") logquit("Shell access not allowed") else: run = [shell] elif len(sys.argv) == 3 and sys.argv[1] == "-c": # check if the command is allowed, and add path run = shlex.split(sys.argv[2]) - if commandAllowed(run): - run[0] = addPath(run[0]) + if commandAllowed(run, sys.argv[2]): # this may change run, but that's okay log("Running '"+str(run)+"'") else: - print "You are not allowed to run this command." + print("You are not allowed to run this command.") logquit("Attempt to run invalid command '"+sys.argv[2]+"'") else: logquit("Invalid arguments for schsh: "+str(sys.argv)) diff --git a/schsh-rrsync b/schsh-rrsync new file mode 100755 index 0000000..bb51629 --- /dev/null +++ b/schsh-rrsync @@ -0,0 +1,218 @@ +#!/usr/bin/perl +# Name: /usr/local/bin/rrsync (should also have a symlink in /usr/bin) +# Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys +# Author: Joe Smith 30-Sep-2004 +# Modified by: Wayne Davison +use strict; + +use Socket; +use Cwd 'abs_path'; +use File::Glob ':glob'; + +# You may configure these values to your liking. See also the section +# of options if you want to disable any options that rsync accepts. +use constant RSYNC => '/usr/bin/rsync'; +use constant LOGFILE => 'rrsync.log'; + +my $Usage = < 0, + 'backup-dir' => 2, + 'bwlimit' => 1, + 'checksum-seed' => 1, + 'compare-dest' => 2, + 'compress-level' => 1, + 'copy-dest' => 2, + 'copy-unsafe-links' => 0, + 'daemon' => -1, + 'delay-updates' => 0, + 'delete' => 0, + 'delete-after' => 0, + 'delete-before' => 0, + 'delete-delay' => 0, + 'delete-during' => 0, + 'delete-excluded' => 0, + 'delete-missing-args' => 0, + 'existing' => 0, + 'fake-super' => 0, + 'files-from' => 3, + 'force' => 0, + 'from0' => 0, + 'fuzzy' => 0, + 'groupmap' => 1, + 'iconv' => 1, + 'ignore-errors' => 0, + 'ignore-existing' => 0, + 'ignore-missing-args' => 0, + 'inplace' => 0, + 'link-dest' => 2, + 'list-only' => 0, + 'log-file' => 3, + 'log-format' => 1, + 'max-delete' => 1, + 'max-size' => 1, + 'min-size' => 1, + 'modify-window' => 1, + 'no-implied-dirs' => 0, + 'no-r' => 0, + 'no-relative' => 0, + 'no-specials' => 0, + 'numeric-ids' => 0, + 'only-write-batch' => 1, + 'partial' => 0, + 'partial-dir' => 2, + 'remove-sent-files' => $ro ? -1 : 0, + 'remove-source-files' => $ro ? -1 : 0, + 'safe-links' => 0, + 'sender' => 0, + 'server' => 0, + 'size-only' => 0, + 'skip-compress' => 1, + 'specials' => 0, + 'stats' => 0, + 'suffix' => 1, + 'super' => 0, + 'temp-dir' => 2, + 'timeout' => 1, + 'use-qsort' => 0, + 'usermap' => 1, +); + +### END of options data produced by the cull_options script. ### + +if ($short_disabled ne '') { + $short_no_arg =~ s/[$short_disabled]//go; + $short_with_num =~ s/[$short_disabled]//go; +} +$short_no_arg = "[$short_no_arg]" if length($short_no_arg) > 1; +$short_with_num = "[$short_with_num]" if length($short_with_num) > 1; + +my $write_log = -f LOGFILE && open(LOG, '>>', LOGFILE); + +chdir($subdir) or die "$0: Unable to chdir to restricted dir: $!\n"; + +my(@opts, @args); +my $in_options = 1; +my $last_opt = ''; +my $check_type; +while ($command =~ /((?:[^\s\\]+|\\.[^\s\\]*)+)/g) { + $_ = $1; + if ($check_type) { + push(@opts, check_arg($last_opt, $_, $check_type)); + $check_type = 0; + } elsif ($in_options) { + push(@opts, $_); + if ($_ eq '.') { + $in_options = 0; + } else { + die "$0: invalid option: '-'\n" if $_ eq '-'; + next if /^-$short_no_arg*(e\d*\.\w*)?$/o || /^-$short_with_num\d+$/o; + + my($opt,$arg) = /^--([^=]+)(?:=(.*))?$/; + my $disabled; + if (defined $opt) { + my $ct = $long_opt{$opt}; + last unless defined $ct; + next if $ct == 0; + if ($ct > 0) { + if (!defined $arg) { + $check_type = $ct; + $last_opt = $opt; + next; + } + $arg = check_arg($opt, $arg, $ct); + $opts[-1] =~ s/=.*/=$arg/; + next; + } + $disabled = 1; + $opt = "--$opt"; + } elsif ($short_disabled ne '') { + $disabled = /^-$short_no_arg*([$short_disabled])/o; + $opt = "-$1"; + } + + last unless $disabled; # Generate generic failure + die "$0: option $opt has been disabled on this server.\n"; + } + } else { + if ($subdir ne '/') { + # Validate args to ensure they don't try to leave our restricted dir. + s{//+}{/}g; + s{^/}{}; + s{^$}{.}; + die "$0: do not use .. in any path!\n" if m{(^|/)\\?\.\\?\.(\\?/|$)}; + } + push(@args, bsd_glob($_, GLOB_LIMIT|GLOB_NOCHECK|GLOB_BRACE|GLOB_QUOTE)); + } +} +die "$0: invalid rsync-command syntax or options\n" if $in_options; + +@args = ( '.' ) if !@args; + +if ($write_log) { + my ($mm,$hh) = (localtime)[1,2]; + my $host = $ENV{SSH_CONNECTION} || 'unknown'; + $host =~ s/ .*//; # Keep only the client's IP addr + $host =~ s/^::ffff://; + $host = gethostbyaddr(inet_aton($host),AF_INET) || $host; + printf LOG "%02d:%02d %-13s [%s]\n", $hh, $mm, $host, "@opts @args"; + close LOG; +} + +# Note: This assumes that the rsync protocol will not be maliciously hijacked. +exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!"; + +sub check_arg +{ + my($opt, $arg, $type) = @_; + $arg =~ s/\\(.)/$1/g; + if ($subdir ne '/' && ($type == 3 || ($type == 2 && !$am_sender))) { + $arg =~ s{//}{/}g; + die "Do not use .. in --$opt; anchor the path at the root of your restricted dir.\n" + if $arg =~ m{(^|/)\.\.(/|$)}; + $arg =~ s{^/}{$subdir/}; + } + $arg; +}