		
	fixing some minor weirdness
This commit is contained in:
		
							parent
							
								
									138d3f35bb
								
							
						
					
					
						commit
						5e11c6318c
					
				
					 2 changed files with 28 additions and 7 deletions
				
			
		|  | @ -52,8 +52,9 @@ class UserAdder(object): | ||||||
| 
 | 
 | ||||||
|     def addKey(self, ssh_key, *args, **kwargs): |     def addKey(self, ssh_key, *args, **kwargs): | ||||||
|         key_template = ('command=' |         key_template = ('command=' | ||||||
|                             '"cd {homedir};' |                             #'"cd {homedir};' | ||||||
|                             'borg serve --restrict-to-path {homedir}",' |                             #'borg serve --restrict-to-path {homedir}",' | ||||||
|  |                             '"/usr/local/bin/borg-restricted.py ${SSH_ORIGINAL_COMMAND}"', | ||||||
|                         'no-port-forwarding,' |                         'no-port-forwarding,' | ||||||
|                         'no-X11-forwarding,' |                         'no-X11-forwarding,' | ||||||
|                         'no-pty,' |                         'no-pty,' | ||||||
|  | @ -63,11 +64,23 @@ class UserAdder(object): | ||||||
|         for u, kp in self.users.items(): |         for u, kp in self.users.items(): | ||||||
|             userent = pwd.getpwnam(u) |             userent = pwd.getpwnam(u) | ||||||
|             homedir = userent.pw_dir |             homedir = userent.pw_dir | ||||||
|  |             sshdir = os.path.join(homedir, '.ssh') | ||||||
|             key_insert = key_template.format(user = u, |             key_insert = key_template.format(user = u, | ||||||
|                                              homedir = homedir, |                                              homedir = homedir, | ||||||
|                                              keystr = ssh_key) |                                              keystr = ssh_key) | ||||||
|             with open(kp, 'a') as f: |             with open(kp, 'a') as f: | ||||||
|                 f.write(key_insert) |                 f.write(key_insert) | ||||||
|  |             # When CentOS/RHEL move to python3 native, and port policycoreutils, do this natively. | ||||||
|  |             # But for now... | ||||||
|  |             subprocess.run(['chcon', | ||||||
|  |                             '-R unconfined_u:object_r:user_home_t:s0', | ||||||
|  |                             sshdir]) | ||||||
|  |             subprocess.run(['semanage', | ||||||
|  |                             'fcontext', | ||||||
|  |                             '-a', | ||||||
|  |                                 '-t', | ||||||
|  |                                     'ssh_home_t', | ||||||
|  |                             sshdir]) | ||||||
|         return() |         return() | ||||||
| 
 | 
 | ||||||
|     def clean(self): |     def clean(self): | ||||||
|  |  | ||||||
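Review bot: The new template line in the first hunk is broken twice: the trailing comma after `'"/usr/local/bin/borg-restricted.py ${SSH_ORIGINAL_COMMAND}"'` turns `key_template` into a two-element tuple, so `key_template.format(...)` in the second hunk raises AttributeError, and once the comma is removed `str.format` treats `{SSH_ORIGINAL_COMMAND}` as a replacement field and raises KeyError because only user, homedir and keystr are supplied. The line should read `'"/usr/local/bin/borg-restricted.py ${{SSH_ORIGINAL_COMMAND}}"'` (no comma, doubled braces). Even then the login shell word-splits and pathname-expands the unquoted expansion before the script sees it, so the more robust shape is `command="/usr/local/bin/borg-restricted.py"` with the script reading `SSH_ORIGINAL_COMMAND` from its own environment. In the second hunk `'-R unconfined_u:object_r:user_home_t:s0'` reaches chcon as one argv element rather than a flag plus a context and the call fails, and neither `subprocess.run` carries `check=True`, so the failure is silent; split it into `'-R', 'unconfined_u:object_r:user_home_t:s0'`, and check whether the chcon label (user_home_t) and the `semanage fcontext` rule (ssh_home_t) are really meant to differ, since a later `restorecon -R` would flip the directory to the latter. addKey's signature is in the hunk but its body continues between and after the hunks.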
|  | @ -3,15 +3,23 @@ | ||||||
| import os | import os | ||||||
| import pwd | import pwd | ||||||
| import subprocess | import subprocess | ||||||
|  | import sys | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | # You can optionally add logging, etc. to log attempts that fail to verify the command enforcement, | ||||||
|  | # client IPs, etc. via environment variables, etc. | ||||||
|  | 
 | ||||||
| cur_user = os.geteuid() | cur_user = os.geteuid() | ||||||
| homedir = pwd.getpwuid(cur_user).pw_dir | homedir = pwd.getpwuid(cur_user).pw_dir | ||||||
|  | os.chdir(homedir) | ||||||
| 
 | 
 | ||||||
| borg_bin = '/usr/bin/borg' | orig_cmd = sys.argv[1:] | ||||||
|  | if orig_cmd.pop(0) != 'borg': | ||||||
|  |     raise PermissionError('That command is not allowed') | ||||||
|  | if orig_cmd.pop(0) != 'serve': | ||||||
|  |     raise PermissionError('That command is not allowed') | ||||||
|  | new_cmd = ['borg', 'serve', '--restrict-to-path', homedir] | ||||||
|  | new_cmd.extend(orig_cmd) | ||||||
| 
 | 
 | ||||||
| os.chdir(homedir) | os.chdir(homedir) | ||||||
| subprocess.run([borg_bin, | subprocess.run(new_cmd) | ||||||
|                 'serve', |  | ||||||
|                 '--restrict-to-path', |  | ||||||
|                 homedir]) |  | ||||||
|  |  | ||||||
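Review bot: Forwarding the remainder of the client command with `new_cmd.extend(orig_cmd)` lets the client append server options after `--restrict-to-path homedir`, and because borg applies repeated `--restrict-to-path` additively the restriction can be widened to any other directory the account can read; the script should refuse anything beyond `borg serve` instead of passing it through (borg serve reads `SSH_ORIGINAL_COMMAND` itself for the few client-side options it honours — confirm against the installed borg version). `orig_cmd.pop(0)` raises IndexError on an empty or one-word command rather than the intended PermissionError, the new-side `os.chdir(homedir)` now runs twice, `borg` is resolved via PATH where `/usr/bin/borg` was used before, and the exit status of `subprocess.run(new_cmd)` is discarded so the client always sees success. A tightened version of the new block follows; it also drops the earlier duplicate `os.chdir(homedir)`.
```python
# … unchanged: cur_user / homedir lookup …

orig_cmd = sys.argv[1:]
# Only the bare server invocation is accepted. Client-supplied options are
# refused rather than forwarded, so the server-side --restrict-to-path below
# cannot be extended from the client.
if orig_cmd != ['borg', 'serve']:
    raise PermissionError('That command is not allowed')
new_cmd = ['/usr/bin/borg', 'serve', '--restrict-to-path', homedir]

os.chdir(homedir)
# Propagate borg's exit status to the ssh client instead of always exiting 0.
sys.exit(subprocess.run(new_cmd).returncode)
```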