mirror/rsync
1
0
Fork 0
mirror of https://github.com/RsyncProject/rsync.git synced 2026-03-06 15:37:00 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
85fbfa10a858cdc7e444f1868d808ee845376fde
rsync/support/rrsync
Wayne Davison 85fbfa10a8 - Improved some comments (some taken from the new cull-options output). 
- Made the user-config sections easier to find.
- Default to running a fully-specified rsync executable so that there
  are not PATH surprises.
- A few minor tweaks to the arg-checking code to make it clearer without
  actually changing its logic.
2005-06-17 16:48:02 +00:00

205 lines
6.2 KiB
Perl
Raw Blame History

#!/usr/bin/perl
# Name: /usr/local/bin/rrsync (should also have a symlink in /usr/bin)
# Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys
# Author: Joe Smith <js-cgi@inwap.com> 30-Sep-2004
# Modified by: Wayne Davison <wayned@samba.org>
use strict;
use Socket;
use Cwd 'abs_path';
use File::Glob ':glob';
# You may configure these values to your liking. See also the section
# of options if you want to disable any options that rsync accepts.
use constant RSYNC => '/usr/bin/rsync';
use constant LOGFILE => 'rrsync.log';
my $Usage = <<EOM;
Use 'command="$0 [-ro] SUBDIR"'
in front of lines in $ENV{HOME}/.ssh/authorized_keys
EOM
our $ro = (@ARGV && $ARGV[0] eq '-ro') ? shift : ''; # -ro = Read-Only
our $subdir = shift;
die "$0: No subdirectory specified\n$Usage" unless defined $subdir;
$subdir = abs_path($subdir);
die "$0: Restricted directory does not exist!\n" if $subdir ne '/' && !-d $subdir;
# The client uses "rsync -av -e ssh src/ server:dir/", and sshd on the server
# executes this program when .ssh/authorized_keys has 'command="..."'.
# For example:
# command="rrsync logs/client" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzGhEeNlPr...
# command="rrsync -ro results" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmkHG1WCjC...
#
# Format of the envrionment variables set by sshd:
# SSH_ORIGINAL_COMMAND=rsync --server -vlogDtpr --partial . ARG # push
# SSH_ORIGINAL_COMMAND=rsync --server --sender -vlogDtpr --partial . ARGS # pull
# SSH_CONNECTION=client_addr client_port server_port
my $command = $ENV{SSH_ORIGINAL_COMMAND};
die "$0: Not invoked via sshd\n$Usage" unless defined $command;
die "$0: SSH_ORIGINAL_COMMAND='$command' is not rsync\n" unless $command =~ s/^rsync\s+//;
our $am_sender = $command =~ /^--server\s+--sender\s/; # Restrictive on purpose!
die "$0 -ro: sending to read-only server not allowed\n" if $ro && !$am_sender;
### START of options data produced by the cull-options script. ###
# These options are the only options that rsync might send to the server,
# and only in the option/arg format that the stock rsync produces.
# To disable a short-named option, add its letter to this string:
our $short_disabled = '';
our $short_no_arg = 'CDHIKLORSWbcdglnoprtuvxz'; # DO NOT REMOVE ANY
our $short_with_num = 'B'; # DO NOT REMOVE ANY
# To disable a long-named option, change its value to a 0 (NOTE: at least
# one option appears in two places!). A value of -1 means the arg doesn't
# need checking, a 1 means to check it, a 2 means only check when receiving.
our %long_no_arg = (
'copy-unsafe-links' => -1,
'daemon' => -1,
'delay-updates' => -1,
'delete' => -1,
'delete-after' => -1,
'delete-before' => -1,
'delete-during' => -1,
'delete-excluded' => -1,
'existing' => -1,
'force' => -1,
'from0' => -1,
'fuzzy' => -1,
'ignore-errors' => -1,
'ignore-existing' => -1,
'inplace' => -1,
'list-only' => -1,
'no-implied-dirs' => -1,
'no-relative' => -1,
'numeric-ids' => -1,
'partial' => -1,
'remove-sent-files' => $ro ? 0 : -1,
'safe-links' => -1,
'sender' => -1,
'server' => -1,
'size-only' => -1,
);
our %long_with_arg = (
'bwlimit' => -1,
'checksum-seed' => -1,
'files-from' => 1,
'log-format' => -1,
'max-delete' => -1,
'modify-window' => -1,
'only-write-batch' => -1,
'suffix' => -1,
'timeout' => -1,
);
our %long_before_arg = (
'backup-dir' => 2,
'files-from' => 1,
'max-size' => -1,
'partial-dir' => 2,
'temp-dir' => 2,
);
### END of options data produced by the cull-options script. ###
if ($short_disabled ne '') {
$short_no_arg =~ s/[$short_disabled]//go;
$short_with_num =~ s/[$short_disabled]//go;
}
$short_no_arg = "[$short_no_arg]" if length($short_no_arg) > 1;
$short_with_num = "[$short_with_num]" if length($short_with_num) > 1;
my $write_log = -f LOGFILE && open(LOG, '>>', LOGFILE);
chdir($subdir) or die "$0: Unable to chdir to restricted dir: $!\n";
my(@opts, @args);
my $in_options = 1;
my $last_opt = '';
my $check_type;
foreach (split(/(?<!\\)\s+/, $command)) {
if ($check_type) {
push(@opts, check_arg($last_opt, $_, $check_type));
$check_type = 0;
} elsif ($in_options) {
push(@opts, $_);
if ($_ eq '.') {
$in_options = 0;
} else {
next if /^-$short_no_arg+$/o || /^-$short_with_num\d+$/o;
my($opt,$arg) = /^--([^=]+)(?:=(.*))?$/;
my $disabled;
if (defined $arg) {
my $ct = $long_with_arg{$opt};
if ($ct) {
$arg = check_arg($opt, $arg, $ct);
$opts[-1] =~ s/=.*/=$arg/;
next;
}
$disabled = defined $long_with_arg{$opt};
$opt = "--$opt";
} elsif (defined $opt) {
if (defined $long_no_arg{$opt}) {
next if $long_no_arg{$opt};
$disabled = 1;
} else {
$check_type = $long_before_arg{$opt};
if ($check_type) {
$last_opt = $opt;
next;
}
$disabled = defined $check_type;
}
$opt = "--$opt";
} elsif ($short_disabled ne '') {
$disabled = /^-$short_no_arg*([$short_disabled])/o;
$opt = "-$1" if $disabled;
}
last unless $disabled; # Generate generic failure
die "$0: option $opt has been disabled on this server.\n";
}
} else {
if ($subdir ne '/') {
# Validate args to ensure they don't try to leave our restricted dir.
s#//+#/#g;
s#^/##;
s#^$#.#;
die "Do not use .. in any path!\n" if m#(^|/)\\?\.\\?\.(\\?/|$)#;
}
push(@args, bsd_glob($_, GLOB_LIMIT|GLOB_NOCHECK|GLOB_BRACE|GLOB_QUOTE));
}
}
die "$0: invalid rsync-command syntax or options\n" if $in_options;
@args = ( '.' ) if !@args;
if ($write_log) {
my ($mm,$hh) = (localtime)[1,2];
my $host = $ENV{SSH_CONNECTION} || 'unknown';
$host =~ s/ .*//; # Keep only the client's IP addr
$host =~ s/^::ffff://;
$host = gethostbyaddr(inet_aton($host),AF_INET) || $host;
printf LOG "%02d:%02d %-13s [%s]\n", $hh, $mm, $host, "@opts @args";
close LOG;
}
# Note: This assumes that the rsync protocol will not be maliciously hijacked.
exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!";
sub check_arg
{
my($opt, $arg, $type) = @_;
$arg =~ s/\\(.)/$1/g;
if ($subdir ne '/' && ($type == 1 || ($type == 2 && !$am_sender))) {
$arg =~ s#//#/#g;
die "Do not use .. in --$opt; anchor the path at the root of your restricted dir.\n"
if $arg =~ m#(^|/)\.\.(/|$)#;
$arg =~ s#^/#$subdir/#;
}
$arg;
}
Reference in New Issue View Git Blame Copy Permalink