Browse Source

new: [rsync-backup-target] accept restore commands

Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
upd-docker
Valentin Lab 4 years ago
parent
commit
65dbe2766a
  1. 29
      rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate

29
rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate

@ -28,6 +28,7 @@ if [ -z "$1" ] || ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]]; then
fi fi
ident="$1" ident="$1"
log "IDENTIFIED AS $ident"
reject() { reject() {
log "REJECTED: $SSH_ORIGINAL_COMMAND" log "REJECTED: $SSH_ORIGINAL_COMMAND"
@ -43,20 +44,40 @@ if [[ "$SSH_ORIGINAL_COMMAND" =~ [\&\(\{\;\<\>\`\$\}] ]]; then
reject reject
fi fi
if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server -"[vloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"$ ]]; then
log "ACCEPTED: $SSH_ORIGINAL_COMMAND"
if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server -"[vnloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"$ ]]; then
log "ACCEPTED BACKUP COMMAND: $SSH_ORIGINAL_COMMAND"
## Interpret \ to allow passing spaces (want to avoid possible issue with \n) ## Interpret \ to allow passing spaces (want to avoid possible issue with \n)
#read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" #read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}"
ssh_args=(${SSH_ORIGINAL_COMMAND}) ssh_args=(${SSH_ORIGINAL_COMMAND})
# echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2
exec sudo "${ssh_args[@]::3}" \ exec sudo "${ssh_args[@]::3}" \
"--log-file=/var/log/rsync/target_$1_rsync.log" \ "--log-file=/var/log/rsync/target_$1_rsync.log" \
"--log-file-format=%i %o %f %l %b" \ "--log-file-format=%i %o %f %l %b" \
"${ssh_args[@]:3}" "${ssh_args[@]:3}"
elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server --sender -"[vnloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"(|/.*)$ ]]; then
## Interpret \ to allow passing spaces (want to avoid possible issue with \n)
#read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}"
ssh_args=(${SSH_ORIGINAL_COMMAND})
last_arg="${ssh_args[@]: -1:1}"
if ! new_path=$(realpath "$last_arg" 2>/dev/null); then
log "FINAL PATH INVALID"
reject
fi
if [[ "$new_path" != "$last_arg" ]] &&
[[ "$new_path" != "/var/mirror/$ident/"* ]] &&
[[ "$new_path" != "/var/mirror/$ident" ]]; then
log "FINAL PATH SUSPICIOUS"
reject
fi
log "ACCEPTED RECOVER COMMAND: $SSH_ORIGINAL_COMMAND"
exec sudo "${ssh_args[@]}"
else else
log "NO MATCH ACCEPTED COMMAND"
log "REFUSED COMMAND AS IT DOESN'T MATCH ANY EXPECTED COMMAND"
reject reject
fi fi

Loading…
Cancel
Save