fixing some minor weirdness

This commit is contained in:
brent s 2019-08-15 08:32:51 -04:00
parent 138d3f35bb
commit 5e11c6318c
2 changed files with 28 additions and 7 deletions

View File

@ -52,8 +52,9 @@ class UserAdder(object):

def addKey(self, ssh_key, *args, **kwargs):
key_template = ('command='
'"cd {homedir};'
'borg serve --restrict-to-path {homedir}",'
#'"cd {homedir};'
#'borg serve --restrict-to-path {homedir}",'
'"/usr/local/bin/borg-restricted.py ${SSH_ORIGINAL_COMMAND}"',
'no-port-forwarding,'
'no-X11-forwarding,'
'no-pty,'
@ -63,11 +64,23 @@ class UserAdder(object):
for u, kp in self.users.items():
userent = pwd.getpwnam(u)
homedir = userent.pw_dir
sshdir = os.path.join(homedir, '.ssh')
key_insert = key_template.format(user = u,
homedir = homedir,
keystr = ssh_key)
with open(kp, 'a') as f:
f.write(key_insert)
# When CentOS/RHEL move to python3 native, and port policycoreutils, do this natively.
# But for now...
subprocess.run(['chcon',
'-R unconfined_u:object_r:user_home_t:s0',
sshdir])
subprocess.run(['semanage',
'fcontext',
'-a',
'-t',
'ssh_home_t',
sshdir])
return()

def clean(self):

View File

@ -3,15 +3,23 @@
import os
import pwd
import subprocess
import sys


# You can optionally add logging, etc. to log attempts that fail to verify the command enforcement,
# client IPs, etc. via environment variables, etc.

cur_user = os.geteuid()
homedir = pwd.getpwuid(cur_user).pw_dir
os.chdir(homedir)

borg_bin = '/usr/bin/borg'
orig_cmd = sys.argv[1:]
if orig_cmd.pop(0) != 'borg':
raise PermissionError('That command is not allowed')
if orig_cmd.pop(0) != 'serve':
raise PermissionError('That command is not allowed')
new_cmd = ['borg', 'serve', '--restrict-to-path', homedir]
new_cmd.extend(orig_cmd)

os.chdir(homedir)
subprocess.run([borg_bin,
'serve',
'--restrict-to-path',
homedir])
subprocess.run(new_cmd)