From 228fca1254ad18965cd64ce4879bd1aae211818a Mon Sep 17 00:00:00 2001 From: deajan Date: Wed, 8 Feb 2017 13:52:55 +0100 Subject: [PATCH] Recoded ssh_filter to work really nicer --- ssh_filter.sh | 106 +++++++++++++++----------------------------------- 1 file changed, 31 insertions(+), 75 deletions(-) diff --git a/ssh_filter.sh b/ssh_filter.sh index 089790e..0297479 100755 --- a/ssh_filter.sh +++ b/ssh_filter.sh @@ -5,102 +5,58 @@ ##### It will filter the commands that can be run remotely via ssh. ##### Please chmod 755 and chown root:root this file -##### Obackup needed commands: rsync find du mysql mysqldump (sudo) -##### Osync needed commands: rsync find du echo mkdir rm if df (sudo) -SCRIPT_BUILD=2016031401 +##### Any command that has env _REMOTE_TOKEN= with the corresponding token in it will be run +##### Also, commands that begin with rsync --server --sender are allowed +##### Any other command will return "syntax error" +##### For details, see ssh_filter.log -## If enabled, execution of "sudo" command will be allowed. +SCRIPT_BUILD=2017020801 + +## Allow sudo SUDO_EXEC=yes + ## Paranoia option. Don't change this unless you read the documentation and still feel concerned about security issues. RSYNC_EXECUTABLE=rsync -## Enable other commands, useful for remote execution hooks like remotely creating snapshots. -CMD1="" -CMD2="" -CMD3="" -LOG_FILE=~/.ssh/ssh_filter.log +## Set remote token in authorized_keys +if [ "$1" != "" ]; then + _REMOTE_TOKEN="${1}" +fi + +LOG_FILE="${HOME}/.ssh/ssh_filter.log" function Log { DATE=$(date) - echo "$DATE - $1" >> $LOG_FILE + echo "$DATE - $1" >> "$LOG_FILE" } function Go { eval "$SSH_ORIGINAL_COMMAND" } -case ${SSH_ORIGINAL_COMMAND%% *} in - "$RSYNC_EXECUTABLE") - Go ;; - "echo") - Go ;; - "find") - Go ;; - "du") - Go ;; - "mkdir") - Go ;; - "rm") - Go ;; - "df") - Go ;; - "mv") - Go ;; - "$CMD1") - if [ "$CMD1" != "" ]; then - Go - fi +case "${SSH_ORIGINAL_COMMAND}" in + "$RSYNC_EXECUTABLE --server"*) + Go ;; - "$CMD2") - if [ "$CMD2" != "" ]; then - Go - fi - ;; - "$CMD3") - if [ "$CMD3" != "" ]; then + "sudo $RSYNC_EXECUTABLE --server"*) + if [ "$SUDO_EXEC" != "yes" ]; then + Log "Command [$SSH_ORIGINAL_COMMAND] contains sudo which is not allowed." + echo "Syntax error unexpected end of file" + exit 1 + fi Go - fi ;; - "sudo") - if [ "$SUDO_EXEC" == "yes" ]; then - if [[ "$SSH_ORIGINAL_COMMAND" == "sudo $RSYNC_EXECUTABLE"* ]]; then - Go - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo du"* ]]; then - Go - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo find"* ]]; then - Go - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mkdir"* ]]; then - Go - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo rm"* ]]; then - Go - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo echo"* ]]; then - Go - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo df"* ]]; then - Go - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo mv"* ]]; then - Go - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD1"* ]]; then - if [ "$CMD1" != "" ]; then - Go - fi - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD2"* ]]; then - if [ "$CMD2" != "" ]; then - Go - fi - elif [[ "$SSH_ORIGINAL_COMMAND" == "sudo $CMD3"* ]]; then - if [ "$CMD3" != "" ]; then - Go - fi - else - Log "Command [$SSH_ORIGINAL_COMMAND] not allowed." + *"env _REMOTE_TOKEN=$_REMOTE_TOKEN"*) + if [ "$SUDO_EXEC" != "yes" ] && [[ $SSH_ORIGINAL_COMMAND == *"sudo "* ]]; then + Log "Command [$SSH_ORIGINAL_COMMAND] contains sudo which is not allowed." + echo "Syntax error unexpected end of file" exit 1 fi - else - Log "Command [$SSH_ORIGINAL_COMMAND] not allowed. sudo not enabled." - exit 1 - fi + Go ;; *) Log "Command [$SSH_ORIGINAL_COMMAND] not allowed." + echo "Syntax error near unexpected token" exit 1 + ;; esac