fixing some minor weirdness

This commit is contained in:
brent s 2019-08-15 08:32:51 -04:00
parent 138d3f35bb
commit 5e11c6318c
2 changed files with 28 additions and 7 deletions

View File

@ -52,8 +52,9 @@ class UserAdder(object):


def addKey(self, ssh_key, *args, **kwargs): def addKey(self, ssh_key, *args, **kwargs):
key_template = ('command=' key_template = ('command='
'"cd {homedir};' #'"cd {homedir};'
'borg serve --restrict-to-path {homedir}",' #'borg serve --restrict-to-path {homedir}",'
'"/usr/local/bin/borg-restricted.py ${SSH_ORIGINAL_COMMAND}"',
'no-port-forwarding,' 'no-port-forwarding,'
'no-X11-forwarding,' 'no-X11-forwarding,'
'no-pty,' 'no-pty,'
@ -63,11 +64,23 @@ class UserAdder(object):
for u, kp in self.users.items(): for u, kp in self.users.items():
userent = pwd.getpwnam(u) userent = pwd.getpwnam(u)
homedir = userent.pw_dir homedir = userent.pw_dir
sshdir = os.path.join(homedir, '.ssh')
key_insert = key_template.format(user = u, key_insert = key_template.format(user = u,
homedir = homedir, homedir = homedir,
keystr = ssh_key) keystr = ssh_key)
with open(kp, 'a') as f: with open(kp, 'a') as f:
f.write(key_insert) f.write(key_insert)
# When CentOS/RHEL move to python3 native, and port policycoreutils, do this natively.
# But for now...
subprocess.run(['chcon',
'-R unconfined_u:object_r:user_home_t:s0',
sshdir])
subprocess.run(['semanage',
'fcontext',
'-a',
'-t',
'ssh_home_t',
sshdir])
return() return()


def clean(self): def clean(self):

View File

@ -3,15 +3,23 @@
import os import os
import pwd import pwd
import subprocess import subprocess
import sys




# You can optionally add logging, etc. to log attempts that fail to verify the command enforcement,
# client IPs, etc. via environment variables, etc.

cur_user = os.geteuid() cur_user = os.geteuid()
homedir = pwd.getpwuid(cur_user).pw_dir homedir = pwd.getpwuid(cur_user).pw_dir
os.chdir(homedir)


borg_bin = '/usr/bin/borg' orig_cmd = sys.argv[1:]
if orig_cmd.pop(0) != 'borg':
raise PermissionError('That command is not allowed')
if orig_cmd.pop(0) != 'serve':
raise PermissionError('That command is not allowed')
new_cmd = ['borg', 'serve', '--restrict-to-path', homedir]
new_cmd.extend(orig_cmd)


os.chdir(homedir) os.chdir(homedir)
subprocess.run([borg_bin, subprocess.run(new_cmd)
'serve',
'--restrict-to-path',
homedir])