diff options
| -rwxr-xr-x | examples/caretaker-shell | 23 | ||||
| -rw-r--r-- | man/7/caretaker-shell.pod | 20 |
2 files changed, 43 insertions, 0 deletions
diff --git a/examples/caretaker-shell b/examples/caretaker-shell new file mode 100755 index 0000000..ce59a90 --- /dev/null +++ b/examples/caretaker-shell @@ -0,0 +1,23 @@ +#!/usr/bin/env zsh + +# Change this to your package root +PKG_ROOT='/home/derf/var/packages_root' + +# Change this to the location of your pkglist script (if non-default) +PKG_LIST=${PKG_ROOT}/pkglist + +args=(${(z)SSH_ORIGINAL_COMMAND}) + +if [[ \ + ( \ + $args[1] == ${PKG_LIST} && \ + $args[2] == ${PKG_ROOT} \ + ) || ( \ + $args[1] == 'git-'(upload|receive)'-pack' && \ + $args[2] != *'../'* && \ + $args[2] == \'${PKG_ROOT}/*\' \ + ) \ +]] { + args[2]=${args[2]//\'} + ${args} +} diff --git a/man/7/caretaker-shell.pod b/man/7/caretaker-shell.pod new file mode 100644 index 0000000..faac251 --- /dev/null +++ b/man/7/caretaker-shell.pod @@ -0,0 +1,20 @@ +=pod + +=head1 NAME + +caretaker-shell - Restricted shell for caretaker commands + +=head1 DESCRIPTION + +B<caretaker-shell> is designed to only execute commands required B<caretaker>. +This is useful if you want to use B<caretaker> with ssh on untrusted hosts: +Generate a SSH key and put it into your .ssh/authorized_keys prefixed by +C<< command="/path/to/caretaker-shell" >>. +This way, caretaker will work, but it won't be possible to gain actual SSH +access to your host. + +=head1 WARNING + +This is an experimental feature, security flaws may be present. Use at own +risk, and while you're at it you might also want to add a passphrase to your +ssh keys. |