fixing some minor weirdness
This commit is contained in:
parent
138d3f35bb
commit
5e11c6318c
@ -52,8 +52,9 @@ class UserAdder(object):
|
||||
|
||||
def addKey(self, ssh_key, *args, **kwargs):
|
||||
key_template = ('command='
|
||||
'"cd {homedir};'
|
||||
'borg serve --restrict-to-path {homedir}",'
|
||||
#'"cd {homedir};'
|
||||
#'borg serve --restrict-to-path {homedir}",'
|
||||
'"/usr/local/bin/borg-restricted.py ${SSH_ORIGINAL_COMMAND}"',
|
||||
'no-port-forwarding,'
|
||||
'no-X11-forwarding,'
|
||||
'no-pty,'
|
||||
@ -63,11 +64,23 @@ class UserAdder(object):
|
||||
for u, kp in self.users.items():
|
||||
userent = pwd.getpwnam(u)
|
||||
homedir = userent.pw_dir
|
||||
sshdir = os.path.join(homedir, '.ssh')
|
||||
key_insert = key_template.format(user = u,
|
||||
homedir = homedir,
|
||||
keystr = ssh_key)
|
||||
with open(kp, 'a') as f:
|
||||
f.write(key_insert)
|
||||
# When CentOS/RHEL move to python3 native, and port policycoreutils, do this natively.
|
||||
# But for now...
|
||||
subprocess.run(['chcon',
|
||||
'-R unconfined_u:object_r:user_home_t:s0',
|
||||
sshdir])
|
||||
subprocess.run(['semanage',
|
||||
'fcontext',
|
||||
'-a',
|
||||
'-t',
|
||||
'ssh_home_t',
|
||||
sshdir])
|
||||
return()
|
||||
|
||||
def clean(self):
|
||||
|
@ -3,15 +3,23 @@
|
||||
import os
|
||||
import pwd
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
|
||||
# You can optionally add logging, etc. to log attempts that fail to verify the command enforcement,
|
||||
# client IPs, etc. via environment variables, etc.
|
||||
|
||||
cur_user = os.geteuid()
|
||||
homedir = pwd.getpwuid(cur_user).pw_dir
|
||||
os.chdir(homedir)
|
||||
|
||||
borg_bin = '/usr/bin/borg'
|
||||
orig_cmd = sys.argv[1:]
|
||||
if orig_cmd.pop(0) != 'borg':
|
||||
raise PermissionError('That command is not allowed')
|
||||
if orig_cmd.pop(0) != 'serve':
|
||||
raise PermissionError('That command is not allowed')
|
||||
new_cmd = ['borg', 'serve', '--restrict-to-path', homedir]
|
||||
new_cmd.extend(orig_cmd)
|
||||
|
||||
os.chdir(homedir)
|
||||
subprocess.run([borg_bin,
|
||||
'serve',
|
||||
'--restrict-to-path',
|
||||
homedir])
|
||||
subprocess.run(new_cmd)
|
||||
|
Loading…
Reference in New Issue
Block a user