authorNicolas Vigier <boklm@mageia.org>2010-11-02 17:55:53 +0000
committerNicolas Vigier <boklm@mageia.org>2010-11-02 17:55:53 +0000
commit3fa85d8cc6eb8206a708db2ce1229ef77f956734 (patch)
treebc722cc0cc66c64220668795f28fc9ba8593bf4d /modules/restrictshell
parent6c79ca599c43a2a512f3ee0368800f44264d5b44 (diff)
add module to install shell to restrict access to only svn, git, and later package submit
Diffstat (limited to 'modules/restrictshell')
-rw-r--r--modules/restrictshell/manifests/init.pp29
-rwxr-xr-xmodules/restrictshell/templates/membersh-conf.pl13
-rw-r--r--modules/restrictshell/templates/sv_membersh.pl150
3 files changed, 192 insertions, 0 deletions
diff --git a/modules/restrictshell/manifests/init.pp b/modules/restrictshell/manifests/init.pp
new file mode 100644
index 00000000..b10c7915
--- /dev/null
+++ b/modules/restrictshell/manifests/init.pp
@@ -0,0 +1,29 @@
+#TODO: add support for pkgsubmit
+class restrictshell {
+ $allow_svn = "0"
+ $allow_git = "0"
+ $allow_rsync = "0"
+ $allow_pkgsubmit = "0"
+
+ class allow_svn_git_pkgsubmit {
+ $allow_svn = "1"
+ $allow_git = "1"
+ $allow_pkgsubmit = "1"
+ }
+
+ file { '/usr/local/bin/sv_membersh.pl':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 755,
+ content => template("restrictshell/sv_membersh.pl"),
+ }
+
+ file { '/etc/membersh-conf.pl':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 755,
+ content => template("restrictshell/membersh-conf.pl"),
+ }
+}
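Review bot: The assignments inside the nested class `allow_svn_git_pkgsubmit` (lines 37-39) will, as far as I can tell, not reach the `template()` calls on lines 47 and 55, because those templates are rendered in the scope of `restrictshell`, where `$allow_svn` and `$allow_git` are already bound to `"0"` on lines 31-32; including the inner class would therefore still render `$use_svn = "0"` into `/etc/membersh-conf.pl`. Either declare the `file` resources inside the inner class as well, or drive the flags from a single class whose variables the templates can actually see. Separately, `/etc/membersh-conf.pl` is only ever loaded via `do` by the shell, so `mode => 755` on line 54 grants an execute bit nothing needs; `mode => '0644'` is sufficient and keeps the file root-owned and non-writable by the restricted accounts, which is the property that matters for a file that is evaluated as Perl code at every login.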
diff --git a/modules/restrictshell/templates/membersh-conf.pl b/modules/restrictshell/templates/membersh-conf.pl
new file mode 100755
index 00000000..ee80052f
--- /dev/null
+++ b/modules/restrictshell/templates/membersh-conf.pl
@@ -0,0 +1,13 @@
+$use_svn = "<%= allow_svn %>";
+$bin_svn = "/usr/bin/svnserve";
+$regexp_svn = "^svnserve -t\$";
+#@prepend_args_svn = ( '-r', '/svn' );
+@prepend_args_svn = ();
+
+$use_git = "<%= allow_git %>";
+$bin_git = "/usr/bin/git-shell";
+
+$use_rsync = "<%= allow_rsync %>";
+$bin_rsync = "/usr/bin/rsync";
+$regexp_rsync = "^rsync --server";
+$regexp_dir_rsync = "^/.*";
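Review bot: The file does not end with an explicit true value, yet `sv_membersh.pl` loads it with `do "/etc/membersh-conf.pl" or die ...`, so the success check currently hinges on the last statement happening to be the truthy string `"^/.*"`; reordering the file so that `$use_rsync = "0";` or `@prepend_args_svn = ();` comes last would make every login fail with the misconfiguration message. Add `1;` as the final line. `$regexp_dir_rsync = "^/.*"` on line 76 has no end anchor and rejects nothing, so if `allow_rsync` is ever switched on it permits `rsync --server` against any directory the account can read or write; restrict it to the intended export directories before that flag is enabled. Line 68 also replaces the script's default `( '-r', '/svn' )` with an empty list, which removes the repository-root confinement for `svnserve -t` — if that is deliberate, a comment saying why would help the next maintainer.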
diff --git a/modules/restrictshell/templates/sv_membersh.pl b/modules/restrictshell/templates/sv_membersh.pl
new file mode 100644
index 00000000..e7aaa8cf
--- /dev/null
+++ b/modules/restrictshell/templates/sv_membersh.pl
@@ -0,0 +1,150 @@
+#!/usr/bin/perl
+# This file is part of the Savane project
+# <http://gna.org/projects/savane/>
+#
+# $Id$
+#
+# Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org>
+# Mathieu Roy <yeupou--gnu.org>
+# Timothee Besset <ttimo--ttimo.net>
+#
+# The Savane project is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# The Savane project is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with the Savane project; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+#
+
+# Login shell for people who should only have limited access.
+# You probably should add/modify the following option of your sshd_config
+# like below (see sshd_config manual for more details):
+# PermitEmptyPasswords no
+# PasswordAuthentication no
+# AllowTcpForwarding no
+
+use strict;
+
+$ENV{PATH}="/bin:/usr/bin";
+$ENV{CVSEDITOR}="/bin/false";
+
+# Import conf options
+our $use_cvs = "0";
+our $bin_cvs = "/usr/bin/cvs";
+
+our $use_scp = "0";
+our $bin_scp = "/usr/bin/scp";
+our $regexp_scp = "^(scp .*-t /upload)|(scp .*-t /var/ftp)";
+
+our $use_sftp = "0";
+our $bin_sftp = "/usr/lib/sftp-server";
+our $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)";
+
+our $use_rsync = "0";
+our $bin_rsync = "/usr/bin/rsync";
+our $regexp_rsync = "^rsync --server";
+our $regexp_dir_rsync = "^(/upload)|(/var/ftp)";
+
+our $use_svn = "0";
+our $bin_svn = "/usr/bin/svnserve";
+our $regexp_svn = "^svnserve -t";
+our @prepend_args_svn = ( '-r', '/svn' );
+
+our $use_git = "0";
+our $bin_git = "/usr/bin/git-shell";
+
+# Open configuration file
+if (-e "/etc/membersh-conf.pl") {
+ do "/etc/membersh-conf.pl" or die "System misconfiguration, contact administrators. Exiting";
+} else {
+ die "System misconfiguration, contact administrators. Exiting";
+}
+
+# A configuration file /etc/membersh-conf.pl must exists and be executable.
+# Here come an example:
+#
+# $use_cvs = "1";
+# $bin_cvs = "/usr/bin/cvs";
+#
+# $use_scp = "1";
+# $bin_scp = "/usr/bin/scp";
+# $regexp_scp = "^scp .*-t (/upload)|(/var/ftp)";
+
+# $use_sftp = "1";
+# $bin_sftp = "/usr/lib/sftp-server";
+# $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server)";
+#
+# $use_rsync = "1";
+# $bin_rsync = "/usr/bin/rsync";
+# $regexp_rsync = "^rsync --server";
+# $regexp_dir_rsync = "^(/upload)|(/var/ftp)";
+
+
+if ($#ARGV == 1 and $ARGV[0] eq "-c") {
+ if ($use_cvs and $ARGV[1] eq 'cvs server') {
+
+ # Run a cvs server command
+ exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!");
+
+ } elsif ($use_scp and
+ $ARGV[1] =~ m:$regexp_scp:) {
+
+ # Authorize scp command
+ my (@args) = split(' ', $ARGV[1]);
+ shift(@args);
+ exec($bin_scp, @args);
+
+ } elsif ($use_sftp and
+ $ARGV[1] =~ m:$regexp_sftp:) {
+
+ # Authorize sftp login
+ exec($bin_sftp) or die("Failed to exec $bin_sftp: $!");
+
+ } elsif ($use_rsync and
+ $ARGV[1] =~ m:$regexp_rsync:) {
+
+ my ($rsync, @rest) = split(' ', $ARGV[1]);
+ my ($dir) = $rest[$#rest];
+
+ # Authorize rsync command, if the directory is acceptable
+ if ($dir =~ m:$regexp_dir_rsync:) {
+ exec($bin_rsync, @rest) or die("Failed to exec $bin_rsync: $!");
+ }
+
+ } elsif ($use_svn and
+ $ARGV[1] =~ m:$regexp_svn:) {
+
+ # authorize svnserve in tunnel mode, with the svn root prepended
+ my (@args) = @prepend_args_svn;
+ my (@args_user) = split(' ', $ARGV[1]);
+ shift( @args_user );
+ push( @args, @args_user );
+ exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!");
+
+ } elsif ($use_git and $ARGV[1] =~ m:git-.+:) {
+
+ # Delegate filtering to git-shell
+ exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");
+
+ }
+}
+
+unless (-e "/etc/membersh-errormsg") {
+ print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
+ print STDERR "Sorry, you are not allowed to execute that command.\n";
+} else {
+ open(ERRORMSG, "< /etc/membersh-errormsg");
+ while (<ERRORMSG>) {
+ print STDERR $_;
+ }
+ close(ERRORMSG);
+}
+exit(1);
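Review bot: The default filters on lines 127 and 136 anchor only their first alternative: in `^(scp .*-t /upload)|(scp .*-t /var/ftp)` the `^` belongs to the left branch alone, so the right branch matches anywhere in the command, and neither pattern has an end anchor or excludes `..` segments, so paths below the intended directory are not actually enforced; the same shape recurs in `^(/upload)|(/var/ftp)`. Group the alternation and anchor both ends, e.g. `^scp .*-t (?:/upload|/var/ftp)(?:/|$)` with a separate rejection of `..`, and note that the shipped `membersh-conf.pl` leaves scp and sftp disabled, so this is latent rather than live today. On line 185 `exec($bin_scp, @args);` lacks the `or die` every other branch has, so a failed exec silently falls through to the generic refusal message. The fallback on line 226 uses a two-arg bareword `open` with no status check; `open(my $errfh, '<', '/etc/membersh-errormsg') or exit 1;` with a lexical handle is the safe form, and `use warnings;` alongside `use strict;` on line 116 would have flagged several of these.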