@ -28,6 +28,7 @@ if [ -z "$1" ] || ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]]; then |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
ident="$1" |
|
|
ident="$1" |
|
|
|
|
|
log "IDENTIFIED AS $ident" |
|
|
|
|
|
|
|
|
reject() { |
|
|
reject() { |
|
|
log "REJECTED: $SSH_ORIGINAL_COMMAND" |
|
|
log "REJECTED: $SSH_ORIGINAL_COMMAND" |
|
@ -43,20 +44,40 @@ if [[ "$SSH_ORIGINAL_COMMAND" =~ [\&\(\{\;\<\>\`\$\}] ]]; then |
|
|
reject |
|
|
reject |
|
|
fi |
|
|
fi |
|
|
|
|
|
|
|
|
if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server -"[vloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"$ ]]; then |
|
|
|
|
|
log "ACCEPTED: $SSH_ORIGINAL_COMMAND" |
|
|
|
|
|
|
|
|
if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server -"[vnloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"$ ]]; then |
|
|
|
|
|
log "ACCEPTED BACKUP COMMAND: $SSH_ORIGINAL_COMMAND" |
|
|
|
|
|
|
|
|
## Interpret \ to allow passing spaces (want to avoid possible issue with \n) |
|
|
## Interpret \ to allow passing spaces (want to avoid possible issue with \n) |
|
|
#read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" |
|
|
#read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" |
|
|
ssh_args=(${SSH_ORIGINAL_COMMAND}) |
|
|
ssh_args=(${SSH_ORIGINAL_COMMAND}) |
|
|
|
|
|
|
|
|
# echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2 |
|
|
|
|
|
exec sudo "${ssh_args[@]::3}" \ |
|
|
exec sudo "${ssh_args[@]::3}" \ |
|
|
"--log-file=/var/log/rsync/target_$1_rsync.log" \ |
|
|
"--log-file=/var/log/rsync/target_$1_rsync.log" \ |
|
|
"--log-file-format=%i %o %f %l %b" \ |
|
|
"--log-file-format=%i %o %f %l %b" \ |
|
|
"${ssh_args[@]:3}" |
|
|
"${ssh_args[@]:3}" |
|
|
|
|
|
elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server --sender -"[vnloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"(|/.*)$ ]]; then |
|
|
|
|
|
|
|
|
|
|
|
## Interpret \ to allow passing spaces (want to avoid possible issue with \n) |
|
|
|
|
|
#read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" |
|
|
|
|
|
ssh_args=(${SSH_ORIGINAL_COMMAND}) |
|
|
|
|
|
|
|
|
|
|
|
last_arg="${ssh_args[@]: -1:1}" |
|
|
|
|
|
if ! new_path=$(realpath "$last_arg" 2>/dev/null); then |
|
|
|
|
|
log "FINAL PATH INVALID" |
|
|
|
|
|
reject |
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
if [[ "$new_path" != "$last_arg" ]] && |
|
|
|
|
|
[[ "$new_path" != "/var/mirror/$ident/"* ]] && |
|
|
|
|
|
[[ "$new_path" != "/var/mirror/$ident" ]]; then |
|
|
|
|
|
log "FINAL PATH SUSPICIOUS" |
|
|
|
|
|
reject |
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
log "ACCEPTED RECOVER COMMAND: $SSH_ORIGINAL_COMMAND" |
|
|
|
|
|
exec sudo "${ssh_args[@]}" |
|
|
else |
|
|
else |
|
|
log "NO MATCH ACCEPTED COMMAND" |
|
|
|
|
|
|
|
|
log "REFUSED COMMAND AS IT DOESN'T MATCH ANY EXPECTED COMMAND" |
|
|
reject |
|
|
reject |
|
|
fi |
|
|
fi |
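Review bot: The path check added in the recover branch (`last_arg` / `new_path` after the `elif` whose regex ends in `(|/.*)$`) validates only the last whitespace-separated word of the split `ssh_args`, and its first comparison `[[ "$new_path" != "$last_arg" ]]` short-circuits acceptance for any argument that is already canonical, so the containment test against `/var/mirror/$ident` is not actually decisive for a path that the unrestricted `.*` tail admits; the unquoted `ssh_args=(${SSH_ORIGINAL_COMMAND})` additionally glob-expands any `*`, `?` or `[` that tail lets through, whereas the backup branch is safe because its regex is anchored to a fixed character set. Restrict the tail to a path character class and make containment the only criterion, as in the fence below (paths with `..` or symlinks still go through `realpath` first, so they are judged by where they resolve). For consistency with the backup branch, `exec sudo "${ssh_args[@]}"` in the recover branch could also pass the `--log-file` options, since the `ACCEPTED RECOVER COMMAND` log line is currently the only record of what was transferred. The enclosing `if`/`elif`/`else` chain starts above this hunk.
```shell
elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server --sender -"[vnloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"(|/[a-zA-Z0-9._/-]*)$ ]]; then
  # … unchanged: ssh_args split, last_arg, realpath check …
  # Only the canonical path decides; equality with the raw argument is not a criterion.
  if [[ "$new_path" != "/var/mirror/$ident" && "$new_path" != "/var/mirror/$ident/"* ]]; then
    log "FINAL PATH SUSPICIOUS"
    reject
  fi
  # … unchanged: log and exec …
```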