| 1 | #!/usr/bin/perl |
| 2 | # Name: /usr/local/bin/rrsync Author: Joe Smith <js-cgi@inwap.com> 30-Sep-2004 |
| 3 | # Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys |
| 4 | # (should have a symlink in /usr/bin) |
| 5 | |
| 6 | use Socket; |
| 7 | use constant LOGFILE => 'rrsync.log'; |
| 8 | my $Usage = <<EOM; |
| 9 | Use 'command="$0 [-ro] subdir"' |
| 10 | in front of lines in $ENV{HOME}/.ssh/authorized_keys |
| 11 | EOM |
| 12 | |
| 13 | my $ro = (@ARGV and $ARGV[0] eq '-ro') ? shift : ''; # -ro = Read-Only |
| 14 | my $subdir = shift; |
| 15 | die "No subdirectory specified\n$Usage" unless defined $subdir; |
| 16 | |
| 17 | # The client uses "rsync -av -e ssh src/ server:dir/", and sshd on the server |
| 18 | # executes this program when .ssh/authorized_keys has 'command="..."'. |
| 19 | # For example: |
| 20 | # command="rrsync logs/client" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzGhEeNlPr... |
| 21 | # command="rrsync -ro results" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmkHG1WCjC... |
| 22 | # |
| 23 | # Format of the envrionment variables set by sshd: |
| 24 | # SSH_ORIGINAL_COMMAND=rsync --server -vlogDtpr --partial . dir # push |
| 25 | # SSH_ORIGINAL_COMMAND=rsync --server --sender -vlogDtpr --partial . dir # pull |
| 26 | # SSH_CLIENT=client_addr client_port server_port |
| 27 | |
| 28 | my $command = $ENV{SSH_ORIGINAL_COMMAND}; |
| 29 | die "Not invoked via sshd\n$Usage" unless defined $command; |
| 30 | |
| 31 | my ($cmd,$dir) = $command =~ /(.* \.) ?(.*)/; |
| 32 | die "SSH_ORIGINAL_COMMAND='$command' is not rsync\n" unless $cmd =~ /^rsync\s/; |
| 33 | die "$0 -ro: sending to read-only directory $dir not allowed\n" |
| 34 | if $ro and $cmd !~ /^rsync --server --sender /; |
| 35 | |
| 36 | my $orig = $dir; |
| 37 | $dir = $subdir if $dir eq ''; # Use subdir instead of $HOME |
| 38 | $dir =~ s%^/%%; # Don't allow absolute paths |
| 39 | $dir = "$subdir/$dir" unless $dir eq $subdir or $dir =~ m%^\Q$subdir/%; |
| 40 | $dir =~ s%/\.\.(?=/)%__%g; # Don't allow foo/../../etc |
| 41 | $dir =~ tr|-_/a-zA-Z0-9.,|_|c; # Don't allow ;|][}{*? |
| 42 | |
| 43 | if (-f LOGFILE and open LOG,'>>',LOGFILE) { |
| 44 | my ($mm,$hh) = (localtime)[1,2]; |
| 45 | my $host = $ENV{SSH_CLIENT} || 'unknown'; |
| 46 | $host =~ s/ .*//; # Keep only the client's IP addr |
| 47 | $host = gethostbyaddr(inet_aton($host),AF_INET) || $host; |
| 48 | $_ = sprintf "%-13s",$host; |
| 49 | print LOG "$hh:$mm $_ [$command] =",($dir eq $orig ? " OK" : "> $dir"),"\n"; |
| 50 | close LOG; |
| 51 | } |
| 52 | |
| 53 | exec "$cmd $dir" or die "exec($cmd $dir) failed: $? $!"; |
| 54 | # Note: This assumes that the rsync protocol will not be maliciously hijacked. |