#!/usr/bin/perl
# Name: /usr/local/bin/rrsync (should also have a symlink in /usr/bin)
# Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys
# Author: Joe Smith <js-cgi@inwap.com> 30-Sep-2004
# Modified by Wayne Davison <wayned@samba.org> 12-Jan-2005

use Socket;
use constant LOGFILE => 'rrsync.log';
my $Usage = <<EOM;
Use 'command="$0 [-ro] SUBDIR"'
	in front of lines in $ENV{HOME}/.ssh/authorized_keys
EOM

my $ro = (@ARGV and $ARGV[0] eq '-ro') ? shift : '';	# -ro = Read-Only
my $subdir = shift;
die "No subdirectory specified\n$Usage" unless defined $subdir;

# The client uses "rsync -av -e ssh src/ server:dir/", and sshd on the server
# executes this program when .ssh/authorized_keys has 'command="..."'.
# For example:
# command="rrsync logs/client" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzGhEeNlPr...
# command="rrsync -ro results" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmkHG1WCjC...
#
# Format of the envrionment variables set by sshd:
# SSH_ORIGINAL_COMMAND=rsync --server          -vlogDtpr --partial . dir # push
# SSH_ORIGINAL_COMMAND=rsync --server --sender -vlogDtpr --partial . dir # pull
# SSH_CONNECTION=client_addr client_port server_port

my $command = $ENV{SSH_ORIGINAL_COMMAND};
die "Not invoked via sshd\n$Usage"	unless defined $command;
die "SSH_ORIGINAL_COMMAND='$command' is not rsync\n" unless $command =~ /^rsync\s/;
die "$0 -ro: sending to read-only server not allowed\n"
	if $ro and $command !~ /^rsync --server --sender /;
die "$0 -ro: use of $1 with read-only server not allowed\n"
	if $ro and $command =~ /\s(--remove-\S+)/;

my ($cmd,$dir) = $command =~ /^(rsync\s+(?:-[-a-zA-Z]+\s+)+\.) ?("[^"]*"|[^\s"]*)$/;
die "$0: invalid rsync-command syntax or options\n" if !defined $cmd;

# Enforce default of $subdir instead of the normal $HOME default.
my $orig = $dir;
my @dirs;
$dir =~ s/^"(.*?)"$/$1/;
$dir =~ s/^\s+//;
$dir =~ s/\s+$//;
foreach (split(/(?<!\\)\s+/, $dir)) {
  s/\\(\s)/$1/g;			# Unescape any escaped whitespace
  if ($subdir eq '/') {			# Less checking for '/' access
    $dir = '/' if $dir eq '';
  } else {
    s#^/##;				# Don't allow absolute paths
    $_ = "$subdir/$_" unless m#^\Q$subdir\E(/|$)#;
    1 while s#/\.\.(/|$)#/__/#g;	# Don't allow foo/../../etc
  }
  tr#-_/a-zA-Z0-9.,+@^%: #_#c;		# Don't allow '"&;|!=()[]{}<>*?#\$
  s/(\s)/\\$1/g;			# Re-escape whitespace
  push(@dirs, $_);
}
push(@dirs, $subdir) unless @dirs;
$dir = join(' ', @dirs);

if (-f LOGFILE and open LOG,'>>',LOGFILE) {
  my ($mm,$hh) = (localtime)[1,2];
  my $host = $ENV{SSH_CONNECTION} || 'unknown';
  $host =~ s/ .*//;			# Keep only the client's IP addr
  $host =~ s/^::ffff://;
  $host = gethostbyaddr(inet_aton($host),AF_INET) || $host;
  my $dir_result = $dir eq $orig ? " OK" : "> \"$dir\"";
  printf LOG "%02d:%02d %-13s [%s] =%s\n", $hh, $mm, $host, $command, $dir_result;
  close LOG;
}

exec "$cmd \"$dir\"" or die "exec($cmd \"$dir\") failed: $? $!";
# Note: This assumes that the rsync protocol will not be maliciously hijacked.