#!/bin/bash
##### Osync ssh command filter build 2015070203
##### This script should be located in /usr/local/bin on the remote system to sync / backup
##### It will filter the commands that can be run remotely via ssh.
##### Please chmod 755 and chown root:root this file
##### Obackup needed commands: rsync find du mysql mysqldump (sudo)
##### Osync needed commands: rsync find du echo mkdir rm if df (sudo)
## Only the exact value "yes" lets the filter accept commands that start with "sudo".
## Use any other value when the sync account does not need elevated rights.
SUDO_EXEC="yes"

## Paranoia option: the command name the filter accepts as rsync.
## Don't change this unless you read the documentation and still feel concerned about security issues.
RSYNC_EXECUTABLE="rsync"

## Extra command names to accept, useful for remote execution hooks like remotely creating snapshots.
## An empty value leaves the slot disabled.
CMD1=""
CMD2=""
CMD3=""

## File that Log appends to; rejected commands are recorded here.
LOG_FILE=~/.ssh/ssh_filter.log
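#######################################
# Append one timestamped line to the filter log.
# Globals:   LOG_FILE (read)
# Arguments: $1 - message text; may embed the client-supplied command string
# Returns:   status of the append to LOG_FILE
#######################################
function Log {
  local stamp message
  local esc_nl='\n' esc_cr='\r'

  stamp=$(date)
  message=$1

  # The message usually carries SSH_ORIGINAL_COMMAND, which the client controls.
  # Escape line breaks so one rejected command cannot show up as several
  # separate (forged) log entries.
  message=${message//$'\n'/$esc_nl}
  message=${message//$'\r'/$esc_cr}

  # Quote the path: an unquoted redirect target fails when it contains spaces.
  printf '%s - %s\n' "$stamp" "$message" >> "$LOG_FILE"
}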
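#######################################
# Execute the command string requested by the ssh client.
# Globals:   SSH_ORIGINAL_COMMAND (read)
# Returns:   exit status of the executed command
#
# NOTE(review): eval hands the complete client-supplied string to the shell.
# Any check made before calling Go that looks only at the command name does
# not limit what the rest of the string can do, because the shell still
# interprets operators and substitutions in it. Treat the key that reaches
# this filter as able to run arbitrary commands as the login account (and via
# sudo, where sudoers permits) unless the whole string is validated first.
#######################################
function Go {
  # Quoted so the string reaches eval exactly as sent; the unquoted form was
  # word-split and glob-expanded first, which collapsed runs of whitespace
  # inside quoted arguments and could expand patterns before quotes applied.
  eval "$SSH_ORIGINAL_COMMAND"
}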
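#######################################
# Allow-list dispatcher: decide whether the command requested over ssh may run.
#
# The decision is made on the command NAME only (the first word, or the word
# after "sudo"). The remainder of the string is not inspected here and is
# executed as-is by Go, so this filter narrows which programs a well-behaved
# client starts; it is not a sandbox for a hostile key holder.
# NOTE(review): pair it with a forced command and restrictive key options in
# authorized_keys, and with a sudoers entry limited to the commands below.
#
# Fixes relative to the previous version:
#  - ";;" was placed inside "if ... fi" in the CMD1..CMD3 arms, which bash
#    rejects as a syntax error.
#  - "sudo <name>" was a bare prefix match, so "sudo rm" also accepted any
#    other command whose name merely starts with "rm".
#  - an unset CMDn matched an empty command name (and "sudo " + anything) and
#    then ended silently with status 0; such requests are now logged and denied.
#######################################

#######################################
# Tell whether SSH_ORIGINAL_COMMAND is "sudo" followed by an allowed command.
# Globals:   SSH_ORIGINAL_COMMAND, RSYNC_EXECUTABLE, CMD1, CMD2, CMD3 (read)
# Returns:   0 if allowed, 1 otherwise
#######################################
function SudoCommandAllowed {
  local name
  for name in "$RSYNC_EXECUTABLE" "du" "find" "mkdir" "rm" "echo" "df" "mv" \
    "$CMD1" "$CMD2" "$CMD3"; do
    # Unset optional entries must never match anything.
    [ -n "$name" ] || continue
    # Require the name to end at a space or at the end of the string.
    if [[ "$SSH_ORIGINAL_COMMAND" == "sudo $name" ||
      "$SSH_ORIGINAL_COMMAND" == "sudo $name "* ]]; then
      return 0
    fi
  done
  return 1
}

case "${SSH_ORIGINAL_COMMAND%% *}" in
  "")
    # No command name (nothing requested, or the string starts with a space).
    # Handled first so empty CMD1..CMD3 / RSYNC_EXECUTABLE cannot match it.
    Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
    exit 1
    ;;
  "$RSYNC_EXECUTABLE" | "echo" | "find" | "du" | "mkdir" | "rm" | "df" | "mv")
    Go
    ;;
  "$CMD1" | "$CMD2" | "$CMD3")
    # Reached only for non-empty values; see the "" arm above.
    Go
    ;;
  "sudo")
    if [ "$SUDO_EXEC" != "yes" ]; then
      Log "Command [$SSH_ORIGINAL_COMMAND] not allowed. sudo not enabled."
      exit 1
    fi
    if ! SudoCommandAllowed; then
      Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
      exit 1
    fi
    Go
    ;;
  *)
    Log "Command [$SSH_ORIGINAL_COMMAND] not allowed."
    exit 1
    ;;
esac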