From 65dbe2766a5a2256f9adf96b67930e404d4ad28f Mon Sep 17 00:00:00 2001 From: Valentin Lab Date: Mon, 3 May 2021 18:09:35 +0200 Subject: [PATCH] new: [rsync-backup-target] accept restore commands Signed-off-by: Valentin Lab --- .../build/src/usr/local/sbin/ssh-cmd-validate | 29 ++++++++++++++++--- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate b/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate index 415f8b56..7c3dc865 100755 --- a/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate +++ b/rsync-backup-target/build/src/usr/local/sbin/ssh-cmd-validate @@ -28,6 +28,7 @@ if [ -z "$1" ] || ! [[ "$1" =~ ^[a-zA-Z0-9._-]+$ ]]; then fi ident="$1" +log "IDENTIFIED AS $ident" reject() { log "REJECTED: $SSH_ORIGINAL_COMMAND" @@ -43,20 +44,40 @@ if [[ "$SSH_ORIGINAL_COMMAND" =~ [\&\(\{\;\<\>\`\$\}] ]]; then reject fi -if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server -"[vloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"$ ]]; then - log "ACCEPTED: $SSH_ORIGINAL_COMMAND" +if [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server -"[vnloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"$ ]]; then + log "ACCEPTED BACKUP COMMAND: $SSH_ORIGINAL_COMMAND" ## Interpret \ to allow passing spaces (want to avoid possible issue with \n) #read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" ssh_args=(${SSH_ORIGINAL_COMMAND}) - # echo "Would accept: $SSH_ORIGINAL_COMMAND" >&2 exec sudo "${ssh_args[@]::3}" \ "--log-file=/var/log/rsync/target_$1_rsync.log" \ "--log-file-format=%i %o %f %l %b" \ "${ssh_args[@]:3}" +elif [[ "$SSH_ORIGINAL_COMMAND" =~ ^"rsync --server --sender -"[vnloHgDtpArRzCeiLsfx\.]+(" --"[a-z=%-]+|" --partial-dir .rsync-partial")*" . /var/mirror/$ident"(|/.*)$ ]]; then + + ## Interpret \ to allow passing spaces (want to avoid possible issue with \n) + #read -a ssh_args <<< "${SSH_ORIGINAL_COMMAND}" + ssh_args=(${SSH_ORIGINAL_COMMAND}) + + last_arg="${ssh_args[@]: -1:1}" + if ! new_path=$(realpath "$last_arg" 2>/dev/null); then + log "FINAL PATH INVALID" + reject + fi + + if [[ "$new_path" != "$last_arg" ]] && + [[ "$new_path" != "/var/mirror/$ident/"* ]] && + [[ "$new_path" != "/var/mirror/$ident" ]]; then + log "FINAL PATH SUSPICIOUS" + reject + fi + + log "ACCEPTED RECOVER COMMAND: $SSH_ORIGINAL_COMMAND" + exec sudo "${ssh_args[@]}" else - log "NO MATCH ACCEPTED COMMAND" + log "REFUSED COMMAND AS IT DOESN'T MATCH ANY EXPECTED COMMAND" reject fi