Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000160.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2010-November/000160.html | 315 |
1 files changed, 315 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000160.html b/zarb-ml/mageia-sysadm/2010-November/000160.html
new file mode 100644
index 000000000..ba272f230
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2010-November/000160.html
@@ -0,0 +1,315 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] [78] add module to install shell to restrict access to only svn, git, and later package submit + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B78%5D%20add%20module%20to%20install%20shell%20to%20restrict%20access%0A%20to%20only%20svn%2C%20git%2C%20and%20later%20package%20submit&In-Reply-To=%3C20101102175553.496622B170%40krampouezh.mageia.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000158.html"> + <LINK REL="Next" HREF="000170.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] [78] add module to install shell to restrict access to only svn, git, and later package submit</H1> + <B>root at mageia.org</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B78%5D%20add%20module%20to%20install%20shell%20to%20restrict%20access%0A%20to%20only%20svn%2C%20git%2C%20and%20later%20package%20submit&In-Reply-To=%3C20101102175553.496622B170%40krampouezh.mageia.org%3E" + TITLE="[Mageia-sysadm] [78] add module to install shell to restrict access to only svn, git, and later package submit">root at mageia.org + </A><BR> + <I>Tue Nov 2 18:55:53 CET 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000158.html">[Mageia-sysadm] [77] add champagne in dns +</A></li> + <LI>Next message: <A HREF="000170.html">[Mageia-sysadm] [79] - add buchan key +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#160">[ date ]</a> + <a href="thread.html#160">[ thread ]</a> + <a href="subject.html#160">[ subject ]</a> + <a href="author.html#160">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Revision: 78 +Author: boklm +Date: 2010-11-02 18:55:53 +0100 (Tue, 02 Nov 2010) +Log Message: +----------- +add 
module to install shell to restrict access to only svn, git, and later package submit + +Added Paths: +----------- + puppet/modules/restrictshell/ + puppet/modules/restrictshell/manifests/ + puppet/modules/restrictshell/manifests/init.pp + puppet/modules/restrictshell/templates/ + puppet/modules/restrictshell/templates/membersh-conf.pl + puppet/modules/restrictshell/templates/sv_membersh.pl + +Added: puppet/modules/restrictshell/manifests/init.pp +=================================================================== +--- puppet/modules/restrictshell/manifests/init.pp (rev 0) ++++ puppet/modules/restrictshell/manifests/init.pp 2010-11-02 17:55:53 UTC (rev 78) +@@ -0,0 +1,29 @@ ++#TODO: add support for pkgsubmit ++class restrictshell { ++ $allow_svn = "0" ++ $allow_git = "0" ++ $allow_rsync = "0" ++ $allow_pkgsubmit = "0" ++ ++ class allow_svn_git_pkgsubmit { ++ $allow_svn = "1" ++ $allow_git = "1" ++ $allow_pkgsubmit = "1" ++ } ++ ++ file { '/usr/local/bin/sv_membersh.pl': ++ ensure => present, ++ owner => root, ++ group => root, ++ mode => 755, ++ content => template("restrictshell/sv_membersh.pl"), ++ } ++ ++ file { '/etc/membersh-conf.pl': ++ ensure => present, ++ owner => root, ++ group => root, ++ mode => 755, ++ content => template("restrictshell/membersh-conf.pl"), ++ } ++} + +Added: puppet/modules/restrictshell/templates/membersh-conf.pl +=================================================================== +--- puppet/modules/restrictshell/templates/membersh-conf.pl (rev 0) ++++ puppet/modules/restrictshell/templates/membersh-conf.pl 2010-11-02 17:55:53 UTC (rev 78) +@@ -0,0 +1,13 @@ ++$use_svn = "<%= allow_svn %>"; ++$bin_svn = "/usr/bin/svnserve"; ++$regexp_svn = "^svnserve -t\$"; ++#@prepend_args_svn = ( '-r', '/svn' ); +<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">+ at prepend_args_svn</A> = (); ++ ++$use_git = "<%= allow_git %>"; ++$bin_git = "/usr/bin/git-shell"; ++ ++$use_rsync = "<%= allow_rsync %>"; ++$bin_rsync = "/usr/bin/rsync"; 
++$regexp_rsync = "^rsync --server"; ++$regexp_dir_rsync = "^/.*"; + + +Property changes on: puppet/modules/restrictshell/templates/membersh-conf.pl +___________________________________________________________________ +Added: svn:executable + + * + +Added: puppet/modules/restrictshell/templates/sv_membersh.pl +=================================================================== +--- puppet/modules/restrictshell/templates/sv_membersh.pl (rev 0) ++++ puppet/modules/restrictshell/templates/sv_membersh.pl 2010-11-02 17:55:53 UTC (rev 78) +@@ -0,0 +1,150 @@ ++#!/usr/bin/perl ++# This file is part of the Savane project ++# <<A HREF="http://gna.org/projects/savane/">http://gna.org/projects/savane/</A>> ++# ++# $Id$ ++# ++# Copyright 2004-2005 (c) Loic Dachary <loic--gnu.org> ++# Mathieu Roy <yeupou--gnu.org> ++# Timothee Besset <ttimo--ttimo.net> ++# ++# The Savane project is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# as published by the Free Software Foundation; either version 2 ++# of the License, or (at your option) any later version. ++# ++# The Savane project is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with the Savane project; if not, write to the Free Software ++# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++# ++# ++ ++# Login shell for people who should only have limited access. 
++# You probably should add/modify the following option of your sshd_config ++# like below (see sshd_config manual for more details): ++# PermitEmptyPasswords no ++# PasswordAuthentication no ++# AllowTcpForwarding no ++ ++use strict; ++ ++$ENV{PATH}="/bin:/usr/bin"; ++$ENV{CVSEDITOR}="/bin/false"; ++ ++# Import conf options ++our $use_cvs = "0"; ++our $bin_cvs = "/usr/bin/cvs"; ++ ++our $use_scp = "0"; ++our $bin_scp = "/usr/bin/scp"; ++our $regexp_scp = "^(scp .*-t /upload)|(scp .*-t /var/ftp)"; ++ ++our $use_sftp = "0"; ++our $bin_sftp = "/usr/lib/sftp-server"; ++our $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server|/usr/lib/openssh/sftp-server)"; ++ ++our $use_rsync = "0"; ++our $bin_rsync = "/usr/bin/rsync"; ++our $regexp_rsync = "^rsync --server"; ++our $regexp_dir_rsync = "^(/upload)|(/var/ftp)"; ++ ++our $use_svn = "0"; ++our $bin_svn = "/usr/bin/svnserve"; ++our $regexp_svn = "^svnserve -t"; ++our @prepend_args_svn = ( '-r', '/svn' ); ++ ++our $use_git = "0"; ++our $bin_git = "/usr/bin/git-shell"; ++ ++# Open configuration file ++if (-e "/etc/membersh-conf.pl") { ++ do "/etc/membersh-conf.pl" or die "System misconfiguration, contact administrators. Exiting"; ++} else { ++ die "System misconfiguration, contact administrators. Exiting"; ++} ++ ++# A configuration file /etc/membersh-conf.pl must exists and be executable. 
++# Here come an example: ++# ++# $use_cvs = "1"; ++# $bin_cvs = "/usr/bin/cvs"; ++# ++# $use_scp = "1"; ++# $bin_scp = "/usr/bin/scp"; ++# $regexp_scp = "^scp .*-t (/upload)|(/var/ftp)"; ++ ++# $use_sftp = "1"; ++# $bin_sftp = "/usr/lib/sftp-server"; ++# $regexp_sftp = "^(/usr/lib/ssh/sftp-server|/usr/lib/sftp-server|/usr/libexec/sftp-server)"; ++# ++# $use_rsync = "1"; ++# $bin_rsync = "/usr/bin/rsync"; ++# $regexp_rsync = "^rsync --server"; ++# $regexp_dir_rsync = "^(/upload)|(/var/ftp)"; ++ ++ ++if ($#ARGV == 1 and $ARGV[0] eq "-c") { ++ if ($use_cvs and $ARGV[1] eq 'cvs server') { ++ ++ # Run a cvs server command ++ exec($bin_cvs, 'server') or die("Failed to exec $bin_cvs: $!"); ++ ++ } elsif ($use_scp and ++ $ARGV[1] =~ m:$regexp_scp:) { ++ ++ # Authorize scp command ++ my (@args) = split(' ', $ARGV[1]); ++ shift(@args); ++ exec($bin_scp, @args); ++ ++ } elsif ($use_sftp and ++ $ARGV[1] =~ m:$regexp_sftp:) { ++ ++ # Authorize sftp login ++ exec($bin_sftp) or die("Failed to exec $bin_sftp: $!"); ++ ++ } elsif ($use_rsync and ++ $ARGV[1] =~ m:$regexp_rsync:) { ++ ++ my ($rsync, @rest) = split(' ', $ARGV[1]); ++ my ($dir) = $rest[$#rest]; ++ ++ # Authorize rsync command, if the directory is acceptable ++ if ($dir =~ m:$regexp_dir_rsync:) { ++ exec($bin_rsync, @rest) or die("Failed to exec $bin_rsync: $!"); ++ } ++ ++ } elsif ($use_svn and ++ $ARGV[1] =~ m:$regexp_svn:) { ++ ++ # authorize svnserve in tunnel mode, with the svn root prepended ++ my (@args) = @prepend_args_svn; ++ my (@args_user) = split(' ', $ARGV[1]); ++ shift( @args_user ); ++ push( @args, @args_user ); ++ exec($bin_svn, @args) or die("Failed to exec $bin_svn: $!"); ++ ++ } elsif ($use_git and $ARGV[1] =~ m:git-.+:) { ++ ++ # Delegate filtering to git-shell ++ exec($bin_git, @ARGV) or die("Failed to exec $bin_git: $!"); ++ ++ } ++} ++ ++unless (-e "/etc/membersh-errormsg") { ++ print STDERR "You tried to execute: @ARGV[1..$#ARGV]\n"; ++ print STDERR "Sorry, you are not allowed to execute that 
command.\n"; ++} else { ++ open(ERRORMSG, "< /etc/membersh-errormsg"); ++ while (<ERRORMSG>) { ++ print STDERR $_; ++ } ++ close(ERRORMSG); ++} ++exit(1); +-------------- next part -------------- +An HTML attachment was scrubbed... +URL: </pipermail/mageia-sysadm/attachments/20101102/51ca00d6/attachment-0001.html> +</PRE> + + + + + + + + + + + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000158.html">[Mageia-sysadm] [77] add champagne in dns +</A></li> + <LI>Next message: <A HREF="000170.html">[Mageia-sysadm] [79] - add buchan key +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#160">[ date ]</a> + <a href="thread.html#160">[ thread ]</a> + <a href="subject.html#160">[ subject ]</a> + <a href="author.html#160">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |
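Review bot: In the embedded membersh-conf.pl template, `$regexp_dir_rsync = "^/.*"` accepts any absolute path, so the directory check in sv_membersh.pl's rsync branch (`if ($dir =~ m:$regexp_dir_rsync:)`) restricts nothing should `allow_rsync` ever be set to "1"; it is latent today because init.pp leaves `$allow_rsync = "0"`, but the pattern should name the intended export root, e.g. `$regexp_dir_rsync = "^/PLACEHOLDER_EXPORT_ROOT(/|\$)";`. The same template sets `@prepend_args_svn = ()` with the `-r` line commented out; without `-r`, svnserve in tunnel mode resolves repository paths from the client-supplied URL, so an explicit `-r` root is the safer default unless absolute repository paths are deliberately intended. In init.pp the flags are set to "1" inside the nested class `allow_svn_git_pkgsubmit`, while the templates are rendered by the `file` resources of the outer `restrictshell` class whose own `$allow_svn`/`$allow_git` are "0"; I am not certain how the Puppet version in use scopes this, so verify on a node that includes the nested class that the rendered `/etc/membersh-conf.pl` really contains `$use_svn = "1"`. The shell also depends on sshd having `AllowTcpForwarding no` and key-only authentication, as its own header comment says, and that configuration lives outside this module, so it is worth tracking as a follow-up.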