diff --git a/tools/add-borguser.py b/tools/add-borguser.py
index 4e6aa50..86e4cb7 100755
--- a/tools/add-borguser.py
+++ b/tools/add-borguser.py
@@ -52,8 +52,9 @@ class UserAdder(object):
 def addKey(self, ssh_key, *args, **kwargs):
 key_template = ('command='
- '"cd {homedir};'
- 'borg serve --restrict-to-path {homedir}",'
+ #'"cd {homedir};'
+ #'borg serve --restrict-to-path {homedir}",'
+ '"/usr/local/bin/borg-restricted.py ${SSH_ORIGINAL_COMMAND}"',
 'no-port-forwarding,'
 'no-X11-forwarding,'
 'no-pty,'
@@ -63,11 +64,23 @@ class UserAdder(object):
 for u, kp in self.users.items():
 userent = pwd.getpwnam(u)
 homedir = userent.pw_dir
+ sshdir = os.path.join(homedir, '.ssh')
 key_insert = key_template.format(user = u,
 homedir = homedir,
 keystr = ssh_key)
 with open(kp, 'a') as f:
 f.write(key_insert)
+ # When CentOS/RHEL move to python3 native, and port policycoreutils, do this natively.
+ # But for now...
+ subprocess.run(['chcon',
+ '-R unconfined_u:object_r:user_home_t:s0',
+ sshdir])
+ subprocess.run(['semanage',
+ 'fcontext',
+ '-a',
+ '-t',
+ 'ssh_home_t',
+ sshdir])
 return()
 def clean(self):
diff --git a/tools/borg-restricted.py b/tools/borg-restricted.py
index 63c6ea4..b139f17 100755
--- a/tools/borg-restricted.py
+++ b/tools/borg-restricted.py
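Review bot: The added forced-command literal ends with `"',`, so the comma sits outside the string and, inside the parentheses, `key_template` becomes a tuple; the `key_template.format(...)` call in the next hunk would then fail, and the comma that separates `command="..."` from `no-port-forwarding` in the authorized_keys entry is lost. `${SSH_ORIGINAL_COMMAND}` also contains a `str.format` field that the call does not supply, so the braces need doubling: `'"/usr/local/bin/borg-restricted.py ${{SSH_ORIGINAL_COMMAND}}",'`. Because the unquoted variable is expanded by the login shell before the wrapper sees it, having borg-restricted.py read `os.environ['SSH_ORIGINAL_COMMAND']` itself would avoid shell word splitting and globbing on client-supplied text. The rest of the template lies outside the hunk.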
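Review bot: In the added `chcon` call, `'-R unconfined_u:object_r:user_home_t:s0'` is passed as a single argv element, so chcon receives the flag and the context fused together and will most likely reject it; split it into `'-R', 'unconfined_u:object_r:user_home_t:s0',`. Neither `subprocess.run` checks the exit status, so a labelling failure passes silently after the key has already been written; add `check=True` to both calls. The two commands also disagree on the type (`user_home_t` vs `ssh_home_t`), and `semanage fcontext -a` only records a rule without relabelling anything, so a `restorecon -R` on `sshdir` is probably needed as well. Whether `os` and `subprocess` are imported in this file is not visible in the hunk.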
@@ -3,15 +3,23 @@
 import os
 import pwd
 import subprocess
+import sys
+# You can optionally add logging, etc. to log attempts that fail to verify the command enforcement,
+# client IPs, etc. via environment variables, etc.
+
 cur_user = os.geteuid()
 homedir = pwd.getpwuid(cur_user).pw_dir
+os.chdir(homedir)
-borg_bin = '/usr/bin/borg'
+orig_cmd = sys.argv[1:]
+if orig_cmd.pop(0) != 'borg':
+ raise PermissionError('That command is not allowed')
+if orig_cmd.pop(0) != 'serve':
+ raise PermissionError('That command is not allowed')
+new_cmd = ['borg', 'serve', '--restrict-to-path', homedir]
+new_cmd.extend(orig_cmd)
 os.chdir(homedir)
-subprocess.run([borg_bin,
- 'serve',
- '--restrict-to-path',
- homedir])
\ No newline at end of file
+subprocess.run(new_cmd)
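Review bot: `new_cmd.extend(orig_cmd)` forwards every remaining client-supplied argument to `borg serve`, and since `--restrict-to-path` may be given more than once, a client can add further paths and widen the confinement this wrapper exists to enforce. Drop the forwarding, or filter it against a short allowlist of the options the client legitimately needs and reject everything else with the same `PermissionError`. The change also replaces the absolute `/usr/bin/borg` with a PATH lookup of `borg`; keeping `borg_bin` avoids depending on the session's PATH. `orig_cmd.pop(0)` raises `IndexError` when no command is sent, and the result of `subprocess.run(new_cmd)` is discarded, so `sys.exit(subprocess.run(new_cmd).returncode)` would pass borg's exit status back to the client.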