Initial commit

bdrung · bdrung · commit e826d4c2900a · 2015-10-02T17:42:20.000+02:00
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,18 @@
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/Makefile b/Makefile
@@ -0,0 +1,33 @@
+PREFIX=/usr
+
+VERSION = 0.1
+DATE = 2015-10-02
+
+all:
+
+clean:
+	rm -rf restricted-ssh-commands.1 test
+
+test/restricted-ssh-commands: restricted-ssh-commands
+	mkdir -p test
+	sed 's@config_file="/etc@config_file="$${TEST_ROOT-}/etc@' $^ > $@
+	chmod +x $@
+
+check: test/restricted-ssh-commands
+	./test-restricted-ssh-commands
+
+%.1: %.pod
+	pod2man --center=" " --release="restricted-ssh-commands" -d "$(DATE)" $^ $@
+
+doc: restricted-ssh-commands.1
+
+install: doc
+	install -D -m 755 restricted-ssh-commands $(DESTDIR)$(PREFIX)/lib/restricted-ssh-commands
+	install -D -m 644 restricted-ssh-commands.1 $(DESTDIR)$(PREFIX)/share/man/man1/restricted-ssh-commands.1
+
+%.tar.xz: LICENSE Makefile restricted-ssh-commands restricted-ssh-commands.pod test-restricted-ssh-commands
+	tar -cJf $@ --transform 's,^,restricted-ssh-commands-$(VERSION)/,' $^
+
+dist: restricted-ssh-commands-$(VERSION).tar.xz
+
+.PHONY: all clean check doc dist install
diff --git a/restricted-ssh-commands b/restricted-ssh-commands
@@ -0,0 +1,81 @@
+#!/bin/bash
+set -eu
+
+# Copyright (C) 2015, Benjamin Drung <benjamin.drung@profitbricks.com>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# Note: Matching the regular expressions requires bash
+
+config="${1-}"
+if test -z "$config"; then
+    if test -n "${USER-}"; then
+        config="$USER"
+    else
+        config=$(id -u -n)
+    fi
+fi
+
+set ${SSH_ORIGINAL_COMMAND-}
+
+config_file="/etc/restricted-ssh-commands/$config"
+if test ! -f "$config_file"; then
+    msg="No configuration in $config_file. All commands are denied."
+    echo "${0##*/}: $msg" >&2
+    logger -t ${0##*/} -- "$msg"
+    exit 125
+fi
+
+num_rules=0
+while IFS='' read -r line; do
+    # Skip empty lines and lines starting with hashes
+    if ! [[ "$line" =~ ^[[:space:]]*(#|$) ]]; then
+        if [[ "$@" =~ $line ]]; then
+            if test -n "${RSC_VERBOSE-}"; then
+                echo "${0##*/}: \"$@\" matches \"$line\"" >&2
+            fi
+            exec "$@"
+        else
+            ((num_rules+=1))
+            if test -n "${RSC_VERBOSE-}"; then
+                echo "${0##*/}: Regular expression does not match: \"$line\"" >&2
+            fi
+        fi
+    elif test -n "${RSC_VERBOSE-}"; then
+        echo "${0##*/}: Skipping commented/empty configuration line: \"$line\"" >&2
+    fi
+done < "$config_file"
+
+if test "$num_rules" -eq 0; then
+    msg="Empty configuration in $config_file. All commands are denied."
+    echo "${0##*/}: $msg" >&2
+    logger -t ${0##*/} -- "$msg"
+    exit 125
+else
+    if test "$num_rules" -eq 1; then
+        msg="the one allow rule"
+    else
+        msg="any of the $num_rules allow rules"
+    fi
+    msg="Rejecting command \"$@\". It does not match $msg in $config_file."
+    echo "${0##*/}: $msg" >&2
+    logger -t ${0##*/} -- "$msg"
+    exit 124
+fi
diff --git a/restricted-ssh-commands.pod b/restricted-ssh-commands.pod
@@ -0,0 +1,86 @@
+=encoding utf8
+
+=head1 NAME
+
+restricted-ssh-commands - Restrict SSH users to a predefined set of commands
+
+=head1 SYNOPSIS
+
+B</usr/lib/restricted-ssh-commands> [I<config>]
+
+=head1 DESCRIPTION
+
+restricted-ssh-commands is intended to be called by SSH to restrict a
+user to only run specific commands. A list of allowed regular
+expressions can be configured in F</etc/restricted-ssh-commands/>. The
+requested command has to match at least one regular expression.
+Otherwise it will be rejected.
+
+restricted-ssh-commands is useful to grant restricted access via SSH to
+do only certain task. For example, it could allow a user to upload a Debian
+packages via scp and run reprepro processincoming.
+
+The optional I<config> parameter is the name of the configuration inside
+F</etc/restricted-ssh-commands/> that should be used. If I<config> is omitted,
+the user name will be used.
+
+=head1 USAGE
+
+Create a configuration file in F</etc/restricted-ssh-commands/$config> and add
+following line to F<~/.ssh/authorized_keys> to use it
+
+    command="/usr/lib/restricted-ssh-commands",no-port-forwarding,\
+    no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...]
+
+=head1 EXIT STATUS
+
+B<restricted-ssh-commands> will exit with the exit status from the called
+command if the command is allowed and therefore executed. If the command
+is rejected, B<restricted-ssh-commands> will exit with one of the following
+exit codes.
+
+=over 8
+
+=item C<124>
+
+A configuration file was found and contains at least one regular expression, but
+the requested command does not match any of those regular expressions.
+
+=item C<125>
+
+The configuration file is missing or does not contain any regular expressions.
+Thus all commands are rejected.
+
+=back
+
+=head1 EXAMPLES
+
+Imagine you have a Debian package repository on a host using reprepro and
+you want to allow package upload to it. Assuming the user is reprepro and the
+package configuration is stored in F</srv/reprepro>, you would create the
+configuration file F</etc/restricted-ssh-commands/reprepro> containing these
+three regular expressions:
+
+    ^scp -p( -d)? -t( --)? /srv/reprepro/incoming(/[^ /]*)?$
+    ^chmod 0644 /srv/reprepro/incoming/[^ /]*$
+    ^reprepro ( -V)? -b /srv/reprepro processincoming foobar$
+
+=head1 FILES
+
+The configuration files are placed in F</etc/restricted-ssh-commands/>. Each
+line in the configuration file represents one extended regular expression.
+Lines starting with # are considered as comments and are ignored. Empty lines
+(containing only whitespaces) are ignored, too.
+
+=head1 SEE ALSO
+
+Regular expressions on
+http://tldp.org/LDP/Bash-Beginners-Guide/html/sect_04_01.html
+
+Section 9.4 Extended Regular Expressions (ERE) on
+http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html
+
+=head1 AUTHOR
+
+B<restricted-ssh-commands> and this manpage have been written by Benjamin Drung
+<benjamin.drung@profitbricks.com>.
diff --git a/test-restricted-ssh-commands b/test-restricted-ssh-commands
@@ -0,0 +1,101 @@
+#!/bin/sh
+
+# Copyright (C) 2015, Benjamin Drung <benjamin.drung@profitbricks.com>
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+COMMAND="${0%/*}/test/restricted-ssh-commands"
+
+runCommand() {
+    local ssh_param="$1"
+    local param="$2"
+    local exp_stdout="$3"
+    local exp_stderr="$4"
+    local exp_retval=$5
+    local stdoutF="${SHUNIT_TMPDIR}/stdout"
+    local stderrF="${SHUNIT_TMPDIR}/stderr"
+    eval TEST_ROOT=${SHUNIT_TMPDIR} SSH_ORIGINAL_COMMAND="${ssh_param}" "${COMMAND} $param" > ${stdoutF} 2> ${stderrF}
+    retval=$?
+    assertEquals "standard output of ${COMMAND} $param\n" "$exp_stdout" "$(cat ${stdoutF})"
+    assertEquals "error output of ${COMMAND} $param\n" "$exp_stderr" "$(cat ${stderrF})"
+    assertEquals "return value of ${COMMAND} $param\n" $exp_retval $retval
+}
+
+add_rule() {
+    local config_name="$1"
+    local config_content="$2"
+    mkdir -p "${SHUNIT_TMPDIR}/etc/restricted-ssh-commands"
+    printf "%s\n" "$config_content" >> "${SHUNIT_TMPDIR}/etc/restricted-ssh-commands/${config_name}"
+}
+
+success() {
+    runCommand "$1" "$2" "$3" "" ${4-0}
+}
+
+failure() {
+    runCommand "$1" "$2" "" "$3" ${4-124}
+}
+
+tearDown() {
+    rm -rf ${SHUNIT_TMPDIR}/etc
+}
+
+test_missing_config() {
+    failure "true" "foo" "restricted-ssh-commands: No configuration in ${SHUNIT_TMPDIR}/etc/restricted-ssh-commands/foo. All commands are denied." 125
+}
+
+test_empty_config() {
+    add_rule "foo" ""
+    failure "true" "foo" "restricted-ssh-commands: Empty configuration in ${SHUNIT_TMPDIR}/etc/restricted-ssh-commands/foo. All commands are denied." 125
+}
+
+test_single_rule_config() {
+    add_rule "$(id -un)" "^echo"
+    failure "true" "" "restricted-ssh-commands: Rejecting command \"true\". It does not match the one allow rule in ${SHUNIT_TMPDIR}/etc/restricted-ssh-commands/$(id -un)."
+}
+
+test_two_rules_config() {
+    add_rule "bar" "^echo"
+    add_rule "bar" "^false"
+    failure "true" "bar" "restricted-ssh-commands: Rejecting command \"true\". It does not match any of the 2 allow rules in ${SHUNIT_TMPDIR}/etc/restricted-ssh-commands/bar."
+}
+
+test_matching_rule() {
+    add_rule "foo" '^true$'
+    success "true" "foo" ""
+}
+
+test_user_config() {
+    add_rule "$(id -un)" '^true$'
+    success "true" "" ""
+}
+
+test_custom_config() {
+    add_rule "foobar" '^true$'
+    success "true" "foobar" ""
+}
+
+test_failing_command() {
+    add_rule "bla" '^true$'
+    add_rule "bla" '^false$'
+    failure "false" "bla" "" 1
+}
+
+. shunit2
