Diffstat (limited to 'modules/restrictshell')
| -rw-r--r-- | modules/restrictshell/manifests/allow.pp | 7 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_git.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_maintdb.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_pkgsubmit.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_rsync.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_scp.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_sftp.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_svn.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/allow_upload_bin.pp | 3 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/init.pp | 56 | ||||
| -rw-r--r-- | modules/restrictshell/manifests/shell.pp | 14 | ||||
| -rwxr-xr-x | modules/restrictshell/templates/ldap-sshkey2file.py | 92 | ||||
| -rwxr-xr-x | modules/restrictshell/templates/membersh-conf.pl | 14 | ||||
| -rw-r--r-- | modules/restrictshell/templates/sv_membersh.pl | 39 |
14 files changed, 88 insertions, 158 deletions
diff --git a/modules/restrictshell/manifests/allow.pp b/modules/restrictshell/manifests/allow.pp
new file mode 100644
index 00000000..cb1fd9a2
--- /dev/null
+++ b/modules/restrictshell/manifests/allow.pp
@@ -0,0 +1,7 @@
+define restrictshell::allow {
+ include shell
+ file { "/etc/membersh-conf.d/allow_${name}.pl":
+ mode => '0755',
+ content => "\$use_${name} = 1;\n",
+ }
+}
diff --git a/modules/restrictshell/manifests/allow_git.pp b/modules/restrictshell/manifests/allow_git.pp
new file mode 100644
index 00000000..ed12a577
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_git.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_git {
+ restrictshell::allow { 'git': }
+}
diff --git a/modules/restrictshell/manifests/allow_maintdb.pp b/modules/restrictshell/manifests/allow_maintdb.pp
new file mode 100644
index 00000000..e5123cf1
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_maintdb.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_maintdb {
+ restrictshell::allow{ 'maintdb': }
+}
diff --git a/modules/restrictshell/manifests/allow_pkgsubmit.pp b/modules/restrictshell/manifests/allow_pkgsubmit.pp
new file mode 100644
index 00000000..14c6357b
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_pkgsubmit.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_pkgsubmit {
+ restrictshell::allow { 'pkgsubmit': }
+}
diff --git a/modules/restrictshell/manifests/allow_rsync.pp b/modules/restrictshell/manifests/allow_rsync.pp
new file mode 100644
index 00000000..6049122a
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_rsync.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_rsync {
+ restrictshell::allow { 'rsync': }
+}
diff --git a/modules/restrictshell/manifests/allow_scp.pp b/modules/restrictshell/manifests/allow_scp.pp
new file mode 100644
index 00000000..3e6cb1fb
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_scp.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_scp {
+ restrictshell::allow{ 'scp': }
+}
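Review bot: `include shell` inside `define restrictshell::allow` only reaches `restrictshell::shell` through relative namespace lookup; with absolute naming it would look for a top-level `shell` class, so spell it out as `include restrictshell::shell`. The same dependence appears in allow_upload_bin.pp, where the bare `allow{ 'upload_bin': }` should read `restrictshell::allow { 'upload_bin': }` like the sibling classes on this page. The generated `allow_${name}.pl` is a grant file that membersh-conf.pl only reads with `do`, so `mode => '0755'` gives it an execute bit it never needs; `mode => '0644', owner => root, group => root,` states the intended permissions and pins ownership of the file that turns a service on.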
diff --git a/modules/restrictshell/manifests/allow_sftp.pp b/modules/restrictshell/manifests/allow_sftp.pp
new file mode 100644
index 00000000..55c1f396
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_sftp.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_sftp {
+ restrictshell::allow { 'sftp': }
+}
diff --git a/modules/restrictshell/manifests/allow_svn.pp b/modules/restrictshell/manifests/allow_svn.pp
new file mode 100644
index 00000000..99b2c9fa
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_svn.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_svn {
+ restrictshell::allow{ 'svn': }
+}
diff --git a/modules/restrictshell/manifests/allow_upload_bin.pp b/modules/restrictshell/manifests/allow_upload_bin.pp
new file mode 100644
index 00000000..b55c41b3
--- /dev/null
+++ b/modules/restrictshell/manifests/allow_upload_bin.pp
@@ -0,0 +1,3 @@
+class restrictshell::allow_upload_bin {
+ allow{ 'upload_bin': }
+}
diff --git a/modules/restrictshell/manifests/init.pp b/modules/restrictshell/manifests/init.pp
index c4569e94..c27f26dc 100644
--- a/modules/restrictshell/manifests/init.pp
+++ b/modules/restrictshell/manifests/init.pp
@@ -1,55 +1 @@
-class restrictshell {
- $allow_svn = "0"
- $allow_git = "0"
- $allow_rsync = "0"
- $allow_pkgsubmit = "0"
-
- $ldap_pwfile = "/etc/ldap.secret"
-
- class allow_svn_git_pkgsubmit {
- $allow_svn = "1"
- $allow_git = "1"
- $allow_pkgsubmit = "1"
- }
-
- file { '/usr/local/bin/sv_membersh.pl':
- ensure => present,
- owner => root,
- group => root,
- mode => 755,
- content => template("restrictshell/sv_membersh.pl"),
- }
-
- file { '/etc/membersh-conf.pl':
- ensure => present,
- owner => root,
- group => root,
- mode => 755,
- content => template("restrictshell/membersh-conf.pl"),
- }
-
- package { 'python-ldap':
- ensure => installed,
- }
-
- $pubkeys_directory = "/var/lib/pubkeys"
- file { $pubkeys_directory:
- ensure => directory,
- owner => root,
- group => root,
- mode => 755,
- }
-
- file { '/usr/local/bin/ldap-sshkey2file.py':
- ensure => present,
- owner => root,
- group => root,
- mode => 755,
- content => template("restrictshell/ldap-sshkey2file.py"),
- requires => Package['python-ldap']
- }
-
-
-
-}
+class restrictshell { }
diff --git a/modules/restrictshell/manifests/shell.pp b/modules/restrictshell/manifests/shell.pp
new file mode 100644
index 00000000..3ef2a036
--- /dev/null
+++ b/modules/restrictshell/manifests/shell.pp
@@ -0,0 +1,14 @@
+class restrictshell::shell {
+ file { '/etc/membersh-conf.d':
+ ensure => directory,
+ }
+
+ mga_common::local_script { 'sv_membersh.pl':
+ content => template('restrictshell/sv_membersh.pl'),
+ }
+
+ file { '/etc/membersh-conf.pl':
+ mode => '0755',
+ content => template('restrictshell/membersh-conf.pl'),
+ }
+}
diff --git a/modules/restrictshell/templates/ldap-sshkey2file.py b/modules/restrictshell/templates/ldap-sshkey2file.py
deleted file mode 100755
index ec5afc8e..00000000
--- a/modules/restrictshell/templates/ldap-sshkey2file.py
+++ /dev/null
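Review bot: `file { '/etc/membersh-conf.d': ensure => directory, }` in shell.pp never purges unmanaged content, so when a host stops including one of the `restrictshell::allow_*` classes the old `allow_*.pl` stays in the directory and, because membersh-conf.pl loads every `allow_*pl` found there, the grant survives until someone deletes the file by hand. Declaring the directory with `ensure => directory, recurse => true, purge => true,` makes dropping a class actually revoke the access it granted. Pinning `owner => root, group => root, mode => '0755'` on the directory also keeps the set of loaded grant files from being extended by any non-root writer; the same applies to `/etc/membersh-conf.pl`, which is read via `do` and does not need `'0755'`.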
@@ -1,92 +0,0 @@
-#!/usr/bin/python
-
-import sys
-import os
-import random
-
-try:
- import ldap
-except ImportError, e:
- print "Please install python-ldap before running this program"
- sys.exit(1)
-
-basedn="<%= dc_suffix %>"
-peopledn="ou=people,%s" % basedn
-uris=['ldap://ldap.<%= domain %>']
-random.shuffle(uris)
-uri = " ".join(uris)
-timeout=5
-binddn="cn=<%= fqdn %>,ou=Hosts," % basedn
-pwfile="<%= ldap_pwfile %>"
-# filter out disabled accounts also
-# too bad uidNumber doesn't support >= filters
-filter="(&(objectClass=inetOrgPerson)(objectClass=ldapPublicKey)(objectClass=posixAccount)(sshPublicKey=*)(!(shadowExpire=*)))"
-keypathprefix="<%= pubkeys_directory %>"
-
-def usage():
- print "%s" % sys.argv[0]
- print
- print "Will fetch all enabled user accounts under %s" % peopledn
- print "with ssh keys in them and write each one to"
- print "%s/<login>/authorized_keys" % keypathprefix
- print
- print "This script is intented to be run from cron as root"
- print
-
-def get_pw(pwfile):
- try:
- f = open(pwfile, 'r')
- except IOError, e:
- print "Error while reading password file, aborting"
- print e
- sys.exit(1)
- pw = f.readline().strip()
- f.close()
- return pw
-
-def write_keys(keys, user, uid, gid):
- try:
- os.makedirs("%s/%s" % (keypathprefix,user), 0700)
- except:
- pass
- keyfile = "%s/%s/authorized_keys" % (keypathprefix,user)
- f = open(keyfile, 'w')
- for key in keys:
- f.write(key.strip() + "\n")
- f.close()
- os.chmod(keyfile, 0600)
- os.chown(keyfile, uid, gid)
- os.chmod("%s/%s" % (keypathprefix,user), 0700)
- os.chown("%s/%s" % (keypathprefix,user), uid, gid)
-
-if len(sys.argv) != 1:
- usage()
- sys.exit(1)
-
-bindpw = get_pw(pwfile)
-
-try:
- ld = ldap.initialize(uri)
- ld.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
- ld.start_tls_s()
- ld.bind_s(binddn, bindpw)
- res = ld.search_s(peopledn, ldap.SCOPE_ONELEVEL, filter, ['uid','sshPublicKey','uidNumber','gidNumber'])
- try:
- os.makedirs(keypathprefix, 0701)
- except:
- pass
- for result in res:
- dn, entry = result
- # skip possible system users
- if int(entry['uidNumber'][0]) < 500:
- continue
- write_keys(entry['sshPublicKey'], entry['uid'][0], int(entry['uidNumber'][0]), int(entry['gidNumber'][0]))
- ld.unbind_s()
-except Exception, e:
- print "Error"
- raise
-
-sys.exit(0)
-
-
-# vim:ts=4:sw=4:et:ai:si
diff --git a/modules/restrictshell/templates/membersh-conf.pl b/modules/restrictshell/templates/membersh-conf.pl
index 0d9887e1..9e0c8bf5 100755
--- a/modules/restrictshell/templates/membersh-conf.pl
+++ b/modules/restrictshell/templates/membersh-conf.pl
@@ -1,16 +1,20 @@
-$use_svn = "<%= allow_svn %>";
+
+
 $bin_svn = "/usr/bin/svnserve";
 $regexp_svn = "^svnserve -t\$";
 #@prepend_args_svn = ( '-r', '/svn' );
 @prepend_args_svn = ();
-$use_git = "<%= allow_git %>";
-$bin_git = "/usr/bin/git-shell";
+$bin_git = "/usr/share/gitolite/gitolite-shell";
-$use_rsync = "<%= allow_rsync %>";
 $bin_rsync = "/usr/bin/rsync";
 $regexp_rsync = "^rsync --server";
 $regexp_dir_rsync = "^/.*";
-$use_pkgsubmit = "<%= allow_pkgsubmit %>";
+$bin_sftp = "<%= @lib_dir %>/ssh/sftp-server";
+$regexp_sftp = "^(/usr/lib{64,}/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)";
+foreach my $f (glob("/etc/membersh-conf.d/allow_*pl")) {
+ do($f)
+}
+1;
diff --git a/modules/restrictshell/templates/sv_membersh.pl b/modules/restrictshell/templates/sv_membersh.pl
index 521587d0..0b07f23a 100644
--- a/modules/restrictshell/templates/sv_membersh.pl
+++ b/modules/restrictshell/templates/sv_membersh.pl
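Review bot: In `$regexp_sftp`, `/usr/lib{64,}/ssh/sftp-server` does not express an optional `64`: inside a Perl pattern `{64,}` is a quantifier on the preceding `b`, so that alternative only matches 64 or more consecutive `b` characters and can never match `/usr/lib/ssh/sftp-server` or `/usr/lib64/ssh/sftp-server`; the intended form is `/usr/lib(64)?/ssh/sftp-server`. Presumably this string is matched the way the other `$regexp_*` values are, so on lib64 hosts the sftp grant would silently fall through to the other alternatives or fail. In the loader, `do($f)` discards its result; `do` returns undef when a grant file cannot be read or compiled, and a silently skipped file is hard to diagnose, so check it: `do($f) or warn "membersh-conf.d: $f: " . ($@ || $!);`. A one-line comment above the loop, `# each allow_<name>.pl sets $use_<name> = 1 (written by restrictshell::allow)`, would tell the next reader where these files come from.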
@@ -62,8 +62,16 @@ our $use_git = "0";
 our $bin_git = "/usr/bin/git-shell";
 our $use_pkgsubmit = "0";
-our $regexp_pkgsubmit = "^/usr/share/repsys/create-srpm ";
-our $bin_pkgsubmit = "/usr/share/repsys/create-srpm";
+our $regexp_pkgsubmit = "^/usr/share/repsys/create-srpm |^/usr/local/bin/submit_package ";
+our $bin_pkgsubmit = "/usr/local/bin/submit_package";
+
+our $use_maintdb = "0";
+our $regexp_maintdb = "^/usr/local/bin/wrapper.maintdb ";
+our $bin_maintdb = "/usr/local/bin/wrapper.maintdb";
+
+our $use_upload_bin = "0";
+our $regexp_upload_bin = "^/usr/local/bin/wrapper.upload-bin ";
+our $bin_upload_bin = "/usr/local/bin/wrapper.upload-bin";
 # Open configuration file
 if (-e "/etc/membersh-conf.pl") {
@@ -92,6 +100,10 @@ if (-e "/etc/membersh-conf.pl") {
 # $regexp_dir_rsync = "^(/upload)|(/var/ftp)";
 #
 # $use_pkgsubmit = "1";
+#
+# $use_maintdb = "1";
+#
+# $use_upload_bin = "1";
 if ($#ARGV == 1 and $ARGV[0] eq "-c") {
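Review bot: `$regexp_maintdb` and `$regexp_upload_bin` are interpolated into `m:...:` later in the file and contain an unescaped `.` in `wrapper.maintdb` and `wrapper.upload-bin`, so that position matches any character rather than the literal dot; write `"^/usr/local/bin/wrapper\\.maintdb "` and `"^/usr/local/bin/wrapper\\.upload-bin "` (double-quoted, so `\\.` yields `\.`). The impact is limited because each branch execs the fixed `$bin_maintdb` or `$bin_upload_bin` and only forwards the remaining words, but a literal pattern keeps the routing deliberate. The new `$regexp_pkgsubmit` keeps the old repsys path while `$bin_pkgsubmit` no longer points there; a comment such as `# legacy repsys path kept so older clients still route to submit_package` would record why.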
@@ -135,22 +147,37 @@ if ($#ARGV == 1 and $ARGV[0] eq "-c") {
 push( @args, @args_user );
 exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!");
- } elsif ($use_git and $ARGV[1] =~ m:git-.+:) {
+ } elsif ($use_git and $ARGV[1] =~ m:^$bin_git\b:) {
- # Delegate filtering to git-shell
- exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!");
+ # Delegate filtering to gitolite-shell
+ my ($gitolite_bin, @rest) = split(' ', $ARGV[1]);
+ exec($bin_git, @rest) or die("Failed to exec $bin_git: $!");
 } elsif ($use_pkgsubmit and $ARGV[1] =~ m:$regexp_pkgsubmit:) {
 my ($createsrpm, @rest) = split(' ', $ARGV[1]);
 exec($bin_pkgsubmit, @rest) or die("Failed to exec $bin_pkgsubmit: $!");
+ } elsif ($use_maintdb and
+ $ARGV[1] =~ m:$regexp_maintdb:) {
+ my ($maintdb, @rest) = split(' ', $ARGV[1]);
+ exec($bin_maintdb, @rest) or die("Failed to exec $bin_maintdb: $!");
+ } elsif ($use_upload_bin and
+ $ARGV[1] =~ m:$regexp_upload_bin:) {
+ my ($upload_bin, @rest) = split(' ', $ARGV[1]);
+ exec($bin_upload_bin, @rest) or die("Failed to exec $bin_upload_bin: $!");
 }
 }
 unless (-e "/etc/membersh-errormsg") {
- print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
+ if (@ARGV) {
+ print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n";
+ } else {
+ print STDERR "You tried to run a interactive shell.\n"
+ }
 print STDERR "Sorry, you are not allowed to execute that command.\n";
+ print STDERR "You are member of the following groups :\n";
+ print STDERR qx(groups);
 } else {
 open(ERRORMSG, "< /etc/membersh-errormsg");
 while (<ERRORMSG>) {
|
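Review bot: In the new git branch, `@rest` is whatever follows `$bin_git` in the client-supplied command string and is handed straight to gitolite-shell; if gitolite-shell takes the gitolite user name as its first argument, that name is chosen by the caller unless every key for such accounts carries a forced `command=` in authorized_keys, which this hunk cannot show. A form that derives the identity server-side, for example `exec($bin_git, scalar getpwuid($<)) or die("Failed to exec $bin_git: $!");` with `@rest` ignored, removes that dependence, or at minimum the authorized_keys assumption should be stated in the comment above the exec. Separately, `m:^$bin_git\b:` interpolates a path unescaped; `m:^\Q$bin_git\E\b:` makes the prefix match literal. `print STDERR qx(groups);` spawns a shell just to list groups that `getgrgid` over `$(` already provides, and the message should read "an interactive shell".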
