author | Nicolas Vigier <boklm@mageia.org> | 2010-11-02 17:55:53 +0000 |
---|---|---|
committer | Nicolas Vigier <boklm@mageia.org> | 2010-11-02 17:55:53 +0000 |
commit | 3fa85d8cc6eb8206a708db2ce1229ef77f956734 (patch) | |
tree | bc722cc0cc66c64220668795f28fc9ba8593bf4d /modules/restrictshell | |
parent | 6c79ca599c43a2a512f3ee0368800f44264d5b44 (diff) | |
add module to install shell to restrict access to only svn, git, and later package submit
Diffstat (limited to 'modules/restrictshell')
-rw-r--r-- | modules/restrictshell/manifests/init.pp | 29 | ||||
-rwxr-xr-x | modules/restrictshell/templates/membersh-conf.pl | 13 | ||||
-rw-r--r-- | modules/restrictshell/templates/sv_membersh.pl | 150 |
3 files changed, 192 insertions, 0 deletions
diff --git a/modules/restrictshell/manifests/init.pp b/modules/restrictshell/manifests/init.pp
new file mode 100644
index 00000000..b10c7915
--- /dev/null
+++ b/modules/restrictshell/manifests/init.pp
@@ -0,0 +1,29 @@
+#TODO: add support for pkgsubmit
+class restrictshell {
+ $allow_svn = "0"
+ $allow_git = "0"
+ $allow_rsync = "0"
+ $allow_pkgsubmit = "0"
+
+ class allow_svn_git_pkgsubmit {
+ $allow_svn = "1"
+ $allow_git = "1"
+ $allow_pkgsubmit = "1"
+ }
+
+ file { '/usr/local/bin/sv_membersh.pl':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 755,
+ content => template("restrictshell/sv_membersh.pl"),
+ }
+
+ file { '/etc/membersh-conf.pl':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 755,
+ content => template("restrictshell/membersh-conf.pl"),
+ }
+}
diff --git a/modules/restrictshell/templates/membersh-conf.pl b/modules/restrictshell/templates/membersh-conf.pl
new file mode 100755
index 00000000..ee80052f
--- /dev/null
+++ b/modules/restrictshell/templates/membersh-conf.pl
@@ -0,0 +1,13 @@
+$use_svn = "<%= allow_svn %>";
+$bin_svn = "/usr/bin/svnserve";
+$regexp_svn = "^svnserve -t\$";
+#@prepend_args_svn = ( '-r', '/svn' );
+@prepend_args_svn = ();
+
+$use_git = "<%= allow_git %>";
+$bin_git = "/usr/bin/git-shell";
+
+$use_rsync = "<%= allow_rsync %>";
+$bin_rsync = "/usr/bin/rsync";
+$regexp_rsync = "^rsync --server";
+$regexp_dir_rsync = "^/.*";
diff --git a/modules/restrictshell/templates/sv_membersh.pl b/modules/restrictshell/templates/sv_membersh.pl
new file mode 100644
index 00000000..e7aaa8cf
--- /dev/null
+++ b/modules/restrictshell/templates/sv_membersh.pl
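Review bot: The nested `class allow_svn_git_pkgsubmit` assigns `$allow_svn`, `$allow_git` and `$allow_pkgsubmit` in its own scope, while both `file` resources and the templates they render are evaluated in the enclosing `restrictshell` scope where those variables are "0"; as far as this hunk shows, including the inner class would presumably not change what `membersh-conf.pl` renders — confirm with a catalog compile, and if so expose the flags as class parameters or let the inner class declare the file resources itself. `/etc/membersh-conf.pl` is only `do`-loaded by the shell and is root-owned, so it needs no execute bit; `mode => '0644'` is sufficient there, and the quoted four-digit form is what newer Puppet releases require for both files. `$allow_pkgsubmit` is not consumed by either template yet, which matches the TODO on the first line.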
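Review bot: `@prepend_args_svn = ();` replaces the `-r /svn` default of the shipped script with nothing, and `svnserve -t` without `--root` resolves repository paths from the filesystem root, so the restricted shell would serve any repository the account can read instead of one tree; unless that is deliberate, keep `@prepend_args_svn = ( '-r', '/svn' );` with the real repository parent. `$regexp_dir_rsync = "^/.*"` accepts every absolute path, which turns the directory check in `sv_membersh.pl` into a no-op the day `allow_rsync` is set to 1; anchor it to the export tree, e.g. `"^/<export-dir>(/|\$)"` (placeholder path). `$regexp_svn = "^svnserve -t\$"` is anchored at both ends and is the shape the other patterns should follow.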
@@ -0,0 +1,150 @@
+#!/usr/bin/perl
+# This file is part of the Savane project
+# <http://gna.org/projects/savane/>
+#
+# $Id$
+#
+# Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org>
+# Mathieu Roy <yeupou--gnu.org>
+# Timothee Besset <ttimo--ttimo.net>
+#
+# The Savane project is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# The Savane project is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with the Savane project; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+#
+
+# Login shell for people who should only have limited access.
+# You probably should add/modify the following option of your sshd_config
+# like below (see sshd_config manual for more details):
+# PermitEmptyPasswords no
+# PasswordAuthentication no
+# AllowTcpForwarding no
+
+use strict;
+
+$ENV{PATH}="/bin:/usr/bin";
+$ENV{CVSEDITOR}="/bin/false";
+
+# Import conf options
+our $use_cvs = "0";
+our $bin_cvs = "/usr/bin/cvs";
+
+our $use_scp = "0";
+our $bin_scp = "/usr/bin/scp";
+our $regexp_scp = "^(scp .*-t /upload)|(scp .*-t /var/ftp)";
+
+our $use_sftp = "0";
+our $bin_sftp = "/usr/lib/sftp-server";
+our $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)";
+
+our $use_rsync = "0";
+our $bin_rsync = "/usr/bin/rsync";
+our $regexp_rsync = "^rsync --server";
+our $regexp_dir_rsync = "^(/upload)|(/var/ftp)";
+
+our $use_svn = "0";
+our $bin_svn = "/usr/bin/svnserve";
+our $regexp_svn = "^svnserve -t";
+our @prepend_args_svn = ( '-r', '/svn' );
+
+our $use_git = "0";
+our $bin_git = "/usr/bin/git-shell";
+
+# Open configuration file
+if (-e "/etc/membersh-conf.pl") {
+ do "/etc/membersh-conf.pl" or die "System misconfiguration, contact administrators. Exiting";
+} else {
+ die "System misconfiguration, contact administrators. Exiting";
+}
+
+# A configuration file /etc/membersh-conf.pl must exists and be executable.
+# Here come an example:
+#
+# $use_cvs = "1";
+# $bin_cvs = "/usr/bin/cvs";
+#
+# $use_scp = "1";
+# $bin_scp = "/usr/bin/scp";
+# $regexp_scp = "^scp .*-t (/upload)|(/var/ftp)";
+
+# $use_sftp = "1";
+# $bin_sftp = "/usr/lib/sftp-server";
+# $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server)";
+#
+# $use_rsync = "1";
+# $bin_rsync = "/usr/bin/rsync";
+# $regexp_rsync = "^rsync --server";
+# $regexp_dir_rsync = "^(/upload)|(/var/ftp)";
+
+
+if ($#ARGV == 1 and $ARGV[0] eq "-c") {
+ if ($use_cvs and $ARGV[1] eq 'cvs server') {
+
+ # Run a cvs server command
+ exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!");
+
+ } elsif ($use_scp and
+ $ARGV[1] =~ m:$regexp_scp:) {
+
+ # Authorize scp command
+ my (@args) = split(' ', $ARGV[1]);
+ shift(@args);
+ exec($bin_scp, @args);
+
+ } elsif ($use_sftp and
+ $ARGV[1] =~ m:$regexp_sftp:) {
+
+ # Authorize sftp login
+ exec($bin_sftp) or die("Failed to exec $bin_sftp: $!");
+
+ } elsif ($use_rsync and
+ $ARGV[1] =~ m:$regexp_rsync:) {
+
+ my ($rsync, @rest) = split(' ', $ARGV[1]);
+ my ($dir) = $rest[$#rest];
+
+ # Authorize rsync command, if the directory is acceptable
+ if ($dir =~ m:$regexp_dir_rsync:) {
+ exec($bin_rsync, @rest) or die("Failed to exec $bin_rsync: $!");
+ }
+
+ } elsif ($use_svn and
+ $ARGV[1] =~ m:$regexp_svn:) {
+
+ # authorize svnserve in tunnel mode, with the svn root prepended
+ my (@args) = @prepend_args_svn;
+ my (@args_user) = split(' ', $ARGV[1]);
+ shift( @args_user );
+ push( @args, @args_user );
+ exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!");
+
+ } elsif ($use_git and $ARGV[1] =~ m:git-.+:) {
+
+ # Delegate filtering to git-shell
+ exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");
+
+ }
+}
+
+unless (-e "/etc/membersh-errormsg") {
+ print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
+ print STDERR "Sorry, you are not allowed to execute that command.\n";
+} else {
+ open(ERRORMSG, "< /etc/membersh-errormsg");
+ while (<ERRORMSG>) {
+ print STDERR $_;
+ }
+ close(ERRORMSG);
+}
+exit(1);
|
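Review bot: The defaults `$regexp_scp = "^(scp .*-t /upload)|(scp .*-t /var/ftp)"` and `$regexp_dir_rsync = "^(/upload)|(/var/ftp)"` near the top of the hunk anchor only their first alternative, since `|` binds looser than `^`, so the second alternative matches anywhere in the argument; group the alternation as `"^(?:/upload|/var/ftp)(?:/|\$)"` (and likewise for scp), keeping in mind that a prefix match on a path the script never normalises is still a weak check. `exec($bin_scp, @args);` in the scp branch is the only exec without `or die`, so an exec failure falls through silently to the "not allowed" message and `exit(1)`; add `or die("Failed to exec $bin_scp: $!")` to match the other branches. `do "/etc/membersh-conf.pl" or die ...` also dies when the config's last statement merely evaluates false and hides the real cause; `unless (defined do "/etc/membersh-conf.pl") { die "System misconfiguration: " . ($@ || $!) }` reports it. These defaults are overridden by the module's `membersh-conf.pl` template, so the regexp point bites only when a deployment enables scp or rsync without redefining them.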