From 2310f6c0d02c8dd9f2085a04f5dd410f691da79e Mon Sep 17 00:00:00 2001 From: Daniel Friesel Date: Sat, 20 Mar 2010 12:14:51 +0100 Subject: Add (very experimental) caretaker-shell --- examples/caretaker-shell | 23 +++++++++++++++++++++++ man/7/caretaker-shell.pod | 20 ++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100755 examples/caretaker-shell create mode 100644 man/7/caretaker-shell.pod diff --git a/examples/caretaker-shell b/examples/caretaker-shell new file mode 100755 index 0000000..ce59a90 --- /dev/null +++ b/examples/caretaker-shell @@ -0,0 +1,23 @@ +#!/usr/bin/env zsh + +# Change this to your package root +PKG_ROOT='/home/derf/var/packages_root' + +# Change this to the location of your pkglist script (if non-default) +PKG_LIST=${PKG_ROOT}/pkglist + +args=(${(z)SSH_ORIGINAL_COMMAND}) + +if [[ \ + ( \ + $args[1] == ${PKG_LIST} && \ + $args[2] == ${PKG_ROOT} \ + ) || ( \ + $args[1] == 'git-'(upload|receive)'-pack' && \ + $args[2] != *'../'* && \ + $args[2] == \'${PKG_ROOT}/*\' \ + ) \ +]] { + args[2]=${args[2]//\'} + ${args} +} diff --git a/man/7/caretaker-shell.pod b/man/7/caretaker-shell.pod new file mode 100644 index 0000000..faac251 --- /dev/null +++ b/man/7/caretaker-shell.pod @@ -0,0 +1,20 @@ +=pod + +=head1 NAME + +caretaker-shell - Restricted shell for caretaker commands + +=head1 DESCRIPTION + +B is designed to only execute commands required B. +This is useful if you want to use B with ssh on untrusted hosts: +Generate a SSH key and put it into your .ssh/authorized_keys prefixed by +C<< command="/path/to/caretaker-shell" >>. +This way, caretaker will work, but it won't be possible to gain actual SSH +access to your host. + +=head1 WARNING + +This is an experimental feature, security flaws may be present. Use at own +risk, and while you're at it you might also want to add a passphrase to your +ssh keys. -- cgit v1.2.3