fixing some minor weirdness

2019-08-15 08:32:51 -04:00 · 2019-08-15 08:32:51 -04:00 · 5e11c6318c
parent 138d3f35bb
commit 5e11c6318c
2 changed files with 28 additions and 7 deletions
--- a/tools/add-borguser.py
+++ b/tools/add-borguser.py
@ -52,8 +52,9 @@ class UserAdder(object):

    def addKey(self, ssh_key, *args, **kwargs):
        key_template = ('command='
-                            '"cd {homedir};'
-                            'borg serve --restrict-to-path {homedir}",'
+                            #'"cd {homedir};'
+                            #'borg serve --restrict-to-path {homedir}",'
+                            '"/usr/local/bin/borg-restricted.py ${SSH_ORIGINAL_COMMAND}"',
                        'no-port-forwarding,'
                        'no-X11-forwarding,'
                        'no-pty,'
@ -63,11 +64,23 @@ class UserAdder(object):
        for u, kp in self.users.items():
            userent = pwd.getpwnam(u)
            homedir = userent.pw_dir
+            sshdir = os.path.join(homedir, '.ssh')
            key_insert = key_template.format(user = u,
                                             homedir = homedir,
                                             keystr = ssh_key)
            with open(kp, 'a') as f:
                f.write(key_insert)
+            # When CentOS/RHEL move to python3 native, and port policycoreutils, do this natively.
+            # But for now...
+            subprocess.run(['chcon',
+                            '-R unconfined_u:object_r:user_home_t:s0',
+                            sshdir])
+            subprocess.run(['semanage',
+                            'fcontext',
+                            '-a',
+                                '-t',
+                                    'ssh_home_t',
+                            sshdir])
        return()

    def clean(self):
--- a/tools/borg-restricted.py
+++ b/tools/borg-restricted.py
@ -3,15 +3,23 @@
 import os
 import pwd
 import subprocess
+import sys


+# You can optionally add logging, etc. to log attempts that fail to verify the command enforcement,
+# client IPs, etc. via environment variables, etc.
+
 cur_user = os.geteuid()
 homedir = pwd.getpwuid(cur_user).pw_dir
+os.chdir(homedir)

-borg_bin = '/usr/bin/borg'
+orig_cmd = sys.argv[1:]
+if orig_cmd.pop(0) != 'borg':
+    raise PermissionError('That command is not allowed')
+if orig_cmd.pop(0) != 'serve':
+    raise PermissionError('That command is not allowed')
+new_cmd = ['borg', 'serve', '--restrict-to-path', homedir]
+new_cmd.extend(orig_cmd)

 os.chdir(homedir)
-subprocess.run([borg_bin,
-                'serve',
-                '--restrict-to-path',
-                homedir])
+subprocess.run(new_cmd)