fixing some minor weirdness
This commit is contained in:
brent s
parent
138d3f35bb
commit
5e11c6318c
@ -52,8 +52,9 @@ class UserAdder(object):
|
|||||||
|
|
||||||
def addKey(self, ssh_key, *args, **kwargs):
|
def addKey(self, ssh_key, *args, **kwargs):
|
||||||
key_template = ('command='
|
key_template = ('command='
|
||||||
'"cd {homedir};'
|
#'"cd {homedir};'
|
||||||
'borg serve --restrict-to-path {homedir}",'
|
#'borg serve --restrict-to-path {homedir}",'
|
||||||
|
'"/usr/local/bin/borg-restricted.py ${SSH_ORIGINAL_COMMAND}"',
|
||||||
'no-port-forwarding,'
|
'no-port-forwarding,'
|
||||||
'no-X11-forwarding,'
|
'no-X11-forwarding,'
|
||||||
'no-pty,'
|
'no-pty,'
|
||||||
@ -63,11 +64,23 @@ class UserAdder(object):
|
|||||||
for u, kp in self.users.items():
|
for u, kp in self.users.items():
|
||||||
userent = pwd.getpwnam(u)
|
userent = pwd.getpwnam(u)
|
||||||
homedir = userent.pw_dir
|
homedir = userent.pw_dir
|
||||||
|
sshdir = os.path.join(homedir, '.ssh')
|
||||||
key_insert = key_template.format(user = u,
|
key_insert = key_template.format(user = u,
|
||||||
homedir = homedir,
|
homedir = homedir,
|
||||||
keystr = ssh_key)
|
keystr = ssh_key)
|
||||||
with open(kp, 'a') as f:
|
with open(kp, 'a') as f:
|
||||||
f.write(key_insert)
|
f.write(key_insert)
|
||||||
|
# When CentOS/RHEL move to python3 native, and port policycoreutils, do this natively.
|
||||||
|
# But for now...
|
||||||
|
subprocess.run(['chcon',
|
||||||
|
'-R unconfined_u:object_r:user_home_t:s0',
|
||||||
|
sshdir])
|
||||||
|
subprocess.run(['semanage',
|
||||||
|
'fcontext',
|
||||||
|
'-a',
|
||||||
|
'-t',
|
||||||
|
'ssh_home_t',
|
||||||
|
sshdir])
|
||||||
return()
|
return()
|
||||||
|
|
||||||
def clean(self):
|
def clean(self):
|
||||||
|
|||||||
@ -3,15 +3,23 @@
|
|||||||
import os
|
import os
|
||||||
import pwd
|
import pwd
|
||||||
import subprocess
|
import subprocess
|
||||||
|
import sys
|
||||||
|
|
||||||
|
|
||||||
|
# You can optionally add logging, etc. to log attempts that fail to verify the command enforcement,
|
||||||
|
# client IPs, etc. via environment variables, etc.
|
||||||
|
|
||||||
cur_user = os.geteuid()
|
cur_user = os.geteuid()
|
||||||
homedir = pwd.getpwuid(cur_user).pw_dir
|
homedir = pwd.getpwuid(cur_user).pw_dir
|
||||||
|
os.chdir(homedir)
|
||||||
|
|
||||||
borg_bin = '/usr/bin/borg'
|
orig_cmd = sys.argv[1:]
|
||||||
|
if orig_cmd.pop(0) != 'borg':
|
||||||
|
raise PermissionError('That command is not allowed')
|
||||||
|
if orig_cmd.pop(0) != 'serve':
|
||||||
|
raise PermissionError('That command is not allowed')
|
||||||
|
new_cmd = ['borg', 'serve', '--restrict-to-path', homedir]
|
||||||
|
new_cmd.extend(orig_cmd)
|
||||||
|
|
||||||
os.chdir(homedir)
|
os.chdir(homedir)
|
||||||
subprocess.run([borg_bin,
|
subprocess.run(new_cmd)
|
||||||
'serve',
|
|
||||||
'--restrict-to-path',
|
|
||||||
homedir])
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user