Diffstat (limited to 'modules/restrictshell')
| -rw-r--r-- | modules/restrictshell/manifests/allow.pp | 7 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_git.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_maintdb.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_pkgsubmit.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_rsync.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_scp.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_sftp.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_svn.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_upload_bin.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/init.pp | 77 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/shell.pp | 14 | ||||
| -rwxr-xr-x | modules/restrictshell/templates/membersh-conf.pl | 4 | ||||
| -rw-r--r-- | modules/restrictshell/templates/sv_membersh.pl | 9 |
13 files changed, 53 insertions, 82 deletions
diff --git a/modules/restrictshell/manifests/allow.pp b/modules/restrictshell/manifests/allow.pp
new file mode 100644
index 00000000..cb1fd9a2
--- /dev/null
+++ b/modules/restrictshell/manifests/allow.pp
@@ -0,0 +1,7 @@
+define restrictshell::allow {
+ include shell
+ file { "/etc/membersh-conf.d/allow_${name}.pl":
+ mode => '0755',
+ content => "\$use_${name} = 1;\n",
+ }
+}
diff --git a/modules/restrictshell/manifests/allow_git.pp b/modules/restrictshell/manifests/allow_git.pp
new file mode 100644
index 00000000..ed12a577
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_git.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_git {
+ restrictshell::allow { 'git': }
+}
diff --git a/modules/restrictshell/manifests/allow_maintdb.pp b/modules/restrictshell/manifests/allow_maintdb.pp
new file mode 100644
index 00000000..e5123cf1
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_maintdb.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_maintdb {
+ restrictshell::allow{ 'maintdb': }
+}
diff --git a/modules/restrictshell/manifests/allow_pkgsubmit.pp b/modules/restrictshell/manifests/allow_pkgsubmit.pp
new file mode 100644
index 00000000..14c6357b
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_pkgsubmit.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_pkgsubmit {
+ restrictshell::allow { 'pkgsubmit': }
+}
diff --git a/modules/restrictshell/manifests/allow_rsync.pp b/modules/restrictshell/manifests/allow_rsync.pp
new file mode 100644
index 00000000..6049122a
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_rsync.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_rsync {
+ restrictshell::allow { 'rsync': }
+}
diff --git a/modules/restrictshell/manifests/allow_scp.pp b/modules/restrictshell/manifests/allow_scp.pp
new file mode 100644
index 00000000..3e6cb1fb
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_scp.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_scp {
+ restrictshell::allow{ 'scp': }
+}
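Review bot: The `file` resource in allow.pp no longer sets `owner => root, group => root` as the removed init.pp version did, so ownership of `/etc/membersh-conf.d/allow_${name}.pl` now depends on File defaults that this commit does not show. These fragments are Perl that the restricted shell's configuration picks up through `glob("/etc/membersh-conf.d/allow_*pl")`, so whoever can write them can presumably switch on extra commands for every restricted account. The same applies in shell.pp to `/etc/membersh-conf.pl` and to the `/etc/membersh-conf.d` directory, which also loses its explicit `mode`. I would keep `owner => 'root', group => 'root'` on all three (plus `mode => '0755'` on the directory), and `mode => '0644'` is likely enough for the fragment if it is only read and not executed.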
diff --git a/modules/restrictshell/manifests/allow_sftp.pp b/modules/restrictshell/manifests/allow_sftp.pp
new file mode 100644
index 00000000..55c1f396
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_sftp.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_sftp {
+ restrictshell::allow { 'sftp': }
+}
diff --git a/modules/restrictshell/manifests/allow_svn.pp b/modules/restrictshell/manifests/allow_svn.pp
new file mode 100644
index 00000000..99b2c9fa
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_svn.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_svn {
+ restrictshell::allow{ 'svn': }
+}
diff --git a/modules/restrictshell/manifests/allow_upload_bin.pp b/modules/restrictshell/manifests/allow_upload_bin.pp
new file mode 100644
index 00000000..b55c41b3
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_upload_bin.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_upload_bin {
+ allow{ 'upload_bin': }
+}
diff --git a/modules/restrictshell/manifests/init.pp b/modules/restrictshell/manifests/init.pp
index bf1dfd04..c27f26dc 100644
--- a/modules/restrictshell/manifests/init.pp
+++ b/modules/restrictshell/manifests/init.pp
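Review bot: allow_upload_bin.pp declares its resource as `allow{ 'upload_bin': }`, while every other new wrapper class uses the fully qualified `restrictshell::allow`. The unqualified name resolves to the intended define only if the Puppet version in use still does relative namespace lookup; otherwise the catalog either fails to compile or binds to some other top-level `allow`, and upload_bin is silently not enabled as intended. I would write `restrictshell::allow { 'upload_bin': }` here. The same concern applies to the unqualified `include shell` in allow.pp, which reads more safely as `include restrictshell::shell`.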
@@ -1,76 +1 @@
-class restrictshell {
- class shell {
- file {"/etc/membersh-conf.d":
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- }
-
- file { '/usr/local/bin/sv_membersh.pl':
- ensure => present,
- owner => root,
- group => root,
- mode => 755,
- content => template("restrictshell/sv_membersh.pl"),
- }
-
- file { '/etc/membersh-conf.pl':
- ensure => present,
- owner => root,
- group => root,
- mode => 755,
- content => template("restrictshell/membersh-conf.pl"),
- }
- }
-
- define allow {
- include shell
- file { "/etc/membersh-conf.d/allow_$name.pl":
- ensure => "present",
- owner => root,
- group => root,
- mode => 755,
- content => "\$use_$name = 1;\n",
- }
- }
-
- # yes, we could directly use the allow, but this is
- # a nicer syntax
- class allow_git {
- allow{ "git": }
- }
-
- class allow_rsync {
- allow{ "rsync": }
- }
-
- class allow_pkgsubmit {
- allow{ "pkgsubmit": }
- }
-
- class allow_svn {
- allow{ "svn": }
- }
-
- class allow_scp {
- allow{ "scp": }
- }
-
- class allow_sftp {
- allow{ "sftp": }
- }
-
- class allow_maintdb {
- allow{ "maintdb": }
- }
-
- class allow_upload_bin {
- allow{ "upload_bin": }
- }
-
- # technically, we could add cvs too
- # but I doubt we will use it one day
-
-
-}
+class restrictshell { }
diff --git a/modules/restrictshell/manifests/shell.pp b/modules/restrictshell/manifests/shell.pp
new file mode 100644
index 00000000..3ef2a036
--- /dev/null
+++ b/modules/restrictshell/manifests/shell.pp
@@ -0,0 +1,14 @@
+class restrictshell::shell {
+ file { '/etc/membersh-conf.d':
+ ensure => directory,
+ }
+
+ mga_common::local_script { 'sv_membersh.pl':
+ content => template('restrictshell/sv_membersh.pl'),
+ }
+
+ file { '/etc/membersh-conf.pl':
+ mode => '0755',
+ content => template('restrictshell/membersh-conf.pl'),
+ }
+}
diff --git a/modules/restrictshell/templates/membersh-conf.pl b/modules/restrictshell/templates/membersh-conf.pl
index ea7d2957..9e0c8bf5 100755
--- a/modules/restrictshell/templates/membersh-conf.pl +++ b/modules/restrictshell/templates/membersh-conf.pl @@ -5,13 +5,13 @@ $regexp_svn = "^svnserve -t\$"; #@prepend_args_svn = ( '-r', '/svn' ); @prepend_args_svn = (); -$bin_git = "/usr/bin/git-shell"; +$bin_git = "/usr/share/gitolite/gitolite-shell"; $bin_rsync = "/usr/bin/rsync"; $regexp_rsync = "^rsync --server"; $regexp_dir_rsync = "^/.*"; -$bin_sftp = "<%= lib_dir %>/ssh/sftp-server"; +$bin_sftp = "<%= @lib_dir %>/ssh/sftp-server"; $regexp_sftp = "^(/usr/lib{64,}/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)"; foreach my $f (glob("/etc/membersh-conf.d/allow_*pl")) { diff --git a/modules/restrictshell/templates/sv_membersh.pl b/modules/restrictshell/templates/sv_membersh.pl index 155bc300..0b07f23a 100644 --- a/modules/restrictshell/templates/sv_membersh.pl +++ b/modules/restrictshell/templates/sv_membersh.pl @@ -147,10 +147,11 @@ if ($#ARGV == 1 and $ARGV[0] eq "-c") { push( @args, @args_user ); exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!"); - } elsif ($use_git and $ARGV[1] =~ m:^git-.+:) { + } elsif ($use_git and $ARGV[1] =~ m:^$bin_git\b:) { - # Delegate filtering to git-shell - exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!"); + # Delegate filtering to gitolite-shell + my ($gitolite_bin, @rest) = split(' ', $ARGV[1]); + exec($bin_git, @rest) or die("Failed to exec $bin_git: $!"); } elsif ($use_pkgsubmit and $ARGV[1] =~ m:$regexp_pkgsubmit:) { @@ -169,7 +170,7 @@ if ($#ARGV == 1 and $ARGV[0] eq "-c") { } unless (-e "/etc/membersh-errormsg") { - if ($ARGV) { + if (@ARGV) { print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n"; } else { print STDERR "You tried to run a interactive shell.\n" |
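Review bot: In the `$use_git` branch of sv_membersh.pl, everything after the first word of `$ARGV[1]` is passed to `exec($bin_git, @rest)` without any check, and the first word itself is only loosely matched: `$bin_git` is interpolated as a pattern and `\b` accepts any non-word character after it. gitolite-shell normally takes the gitolite user name as its argument, so this is safe only if the command string is always fixed by a forced command in authorized_keys, which is not visible in this commit. I would anchor the match as `m:^\Q$bin_git\E(?:\s|$):` and refuse the request unless `@rest` has the shape the authorized_keys entries use (for example a single argument restricted to user-name characters). `$gitolite_bin` is assigned but never used, and the if/elsif chain continues outside the hunk.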
