support/rrsync

   1 #!/usr/bin/perl
   2 # Name: /usr/local/bin/rrsync (should also have a symlink in /usr/bin)
   3 # Purpose: Restricts rsync to subdirectory declared in .ssh/authorized_keys
   4 # Author: Joe Smith <js-cgi@inwap.com> 30-Sep-2004
   5 # Modified by: Wayne Davison <wayned@samba.org>
   6 use strict;
   7
   8 use Socket;
   9 use Cwd 'abs_path';
  10 use File::Glob ':glob';
  11
  12 # You may configure these values to your liking.  See also the section
  13 # of options if you want to disable any options that rsync accepts.
  14 use constant RSYNC => '/usr/bin/rsync';
  15 use constant LOGFILE => 'rrsync.log';
  16
  17 my $Usage = <<EOM;
  18 Use 'command="$0 [-ro] SUBDIR"'
  19         in front of lines in $ENV{HOME}/.ssh/authorized_keys
  20 EOM
  21
  22 our $ro = (@ARGV && $ARGV[0] eq '-ro') ? shift : '';    # -ro = Read-Only
  23 our $subdir = shift;
  24 die "$0: No subdirectory specified\n$Usage" unless defined $subdir;
  25 $subdir = abs_path($subdir);
  26 die "$0: Restricted directory does not exist!\n" if $subdir ne '/' && !-d $subdir;
  27
  28 # The client uses "rsync -av -e ssh src/ server:dir/", and sshd on the server
  29 # executes this program when .ssh/authorized_keys has 'command="..."'.
  30 # For example:
  31 # command="rrsync logs/client" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzGhEeNlPr...
  32 # command="rrsync -ro results" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmkHG1WCjC...
  33 #
  34 # Format of the envrionment variables set by sshd:
  35 # SSH_ORIGINAL_COMMAND=rsync --server          -vlogDtpr --partial . ARG # push
  36 # SSH_ORIGINAL_COMMAND=rsync --server --sender -vlogDtpr --partial . ARGS # pull
  37 # SSH_CONNECTION=client_addr client_port server_port
  38
  39 my $command = $ENV{SSH_ORIGINAL_COMMAND};
  40 die "$0: Not invoked via sshd\n$Usage"  unless defined $command;
  41 die "$0: SSH_ORIGINAL_COMMAND='$command' is not rsync\n" unless $command =~ s/^rsync\s+//;
  42 our $am_sender = $command =~ /^--server\s+--sender\s/; # Restrictive on purpose!
  43 die "$0 -ro: sending to read-only server not allowed\n" if $ro && !$am_sender;
  44
  45 ### START of options data produced by the cull_options script. ###
  46
  47 # These options are the only options that rsync might send to the server,
  48 # and only in the option format that the stock rsync produces.
  49
  50 # To disable a short-named option, add its letter to this string:
  51 our $short_disabled = 's';
  52
  53 our $short_no_arg = 'ACDEHIKLORSWXbcdgklmnoprstuvxz'; # DO NOT REMOVE ANY
  54 our $short_with_num = 'B'; # DO NOT REMOVE ANY
  55
  56 # To disable a long-named option, change its value to a -1.  The values mean:
  57 # 0 = the option has no arg; 1 = the arg doesn't need any checking; 2 = only
  58 # check the arg when receiving; and 3 = always check the arg.
  59 our %long_opt = (
  60   'append' => 0,
  61   'backup-dir' => 2,
  62   'bwlimit' => 1,
  63   'checksum-seed' => 1,
  64   'compare-dest' => 2,
  65   'compress-level' => 1,
  66   'copy-dest' => 2,
  67   'copy-unsafe-links' => 0,
  68   'daemon' => 0,
  69   'delay-updates' => 0,
  70   'delete' => 0,
  71   'delete-after' => 0,
  72   'delete-before' => 0,
  73   'delete-delay' => 0,
  74   'delete-during' => 0,
  75   'delete-excluded' => 0,
  76   'existing' => 0,
  77   'files-from' => 3,
  78   'force' => 0,
  79   'from0' => 0,
  80   'fuzzy' => 0,
  81   'iconv' => 1,
  82   'ignore-errors' => 0,
  83   'ignore-existing' => 0,
  84   'inplace' => 0,
  85   'link-dest' => 2,
  86   'list-only' => 0,
  87   'log-format' => 1,
  88   'max-delete' => 1,
  89   'max-size' => 1,
  90   'min-size' => 1,
  91   'modify-window' => 1,
  92   'no-i-r' => 0,
  93   'no-implied-dirs' => 0,
  94   'no-r' => 0,
  95   'no-relative' => 0,
  96   'no-specials' => 0,
  97   'numeric-ids' => 0,
  98   'only-write-batch' => 1,
  99   'partial' => 0,
 100   'partial-dir' => 2,
 101   'remove-sent-files' => $ro ? -1 : 0,
 102   'remove-source-files' => $ro ? -1 : 0,
 103   'safe-links' => 0,
 104   'sender' => 0,
 105   'server' => 0,
 106   'size-only' => 0,
 107   'skip-compress' => 1,
 108   'specials' => 0,
 109   'suffix' => 1,
 110   'super' => 0,
 111   'temp-dir' => 2,
 112   'timeout' => 1,
 113 );
 114
 115 ### END of options data produced by the cull_options script. ###
 116
 117 if ($short_disabled ne '') {
 118     $short_no_arg =~ s/[$short_disabled]//go;
 119     $short_with_num =~ s/[$short_disabled]//go;
 120 }
 121 $short_no_arg = "[$short_no_arg]" if length($short_no_arg) > 1;
 122 $short_with_num = "[$short_with_num]" if length($short_with_num) > 1;
 123
 124 my $write_log = -f LOGFILE && open(LOG, '>>', LOGFILE);
 125
 126 chdir($subdir) or die "$0: Unable to chdir to restricted dir: $!\n";
 127
 128 my(@opts, @args);
 129 my $in_options = 1;
 130 my $last_opt = '';
 131 my $check_type;
 132 while ($command =~ /((?:[^\s\\]+|\\.[^\s\\]*)+)/g) {
 133   $_ = $1;
 134   if ($check_type) {
 135     push(@opts, check_arg($last_opt, $_, $check_type));
 136     $check_type = 0;
 137   } elsif ($in_options) {
 138     push(@opts, $_);
 139     if ($_ eq '.') {
 140       $in_options = 0;
 141     } else {
 142       next if /^-$short_no_arg+(e\d+\.\d+)?$/o || /^-$short_with_num\d+$/o;
 143
 144       my($opt,$arg) = /^--([^=]+)(?:=(.*))?$/;
 145       my $disabled;
 146       if (defined $opt) {
 147         my $ct = $long_opt{$opt};
 148         last unless defined $ct;
 149         next if $ct == 0;
 150         if ($ct > 0) {
 151           if (!defined $arg) {
 152             $check_type = $ct;
 153             $last_opt = $opt;
 154             next;
 155           }
 156           $arg = check_arg($opt, $arg, $ct);
 157           $opts[-1] =~ s/=.*/=$arg/;
 158           next;
 159         }
 160         $disabled = 1;
 161         $opt = "--$opt";
 162       } elsif ($short_disabled ne '') {
 163         $disabled = /^-$short_no_arg*([$short_disabled])/o;
 164         $opt = "-$1";
 165       }
 166
 167       last unless $disabled; # Generate generic failure
 168       die "$0: option $opt has been disabled on this server.\n";
 169     }
 170   } else {
 171     if ($subdir ne '/') {
 172       # Validate args to ensure they don't try to leave our restricted dir.
 173       s#//+#/#g;
 174       s#^/##;
 175       s#^$#.#;
 176       die "Do not use .. in any path!\n" if m#(^|/)\\?\.\\?\.(\\?/|$)#;
 177     }
 178     push(@args, bsd_glob($_, GLOB_LIMIT|GLOB_NOCHECK|GLOB_BRACE|GLOB_QUOTE));
 179   }
 180 }
 181 die "$0: invalid rsync-command syntax or options\n" if $in_options;
 182
 183 @args = ( '.' ) if !@args;
 184
 185 if ($write_log) {
 186   my ($mm,$hh) = (localtime)[1,2];
 187   my $host = $ENV{SSH_CONNECTION} || 'unknown';
 188   $host =~ s/ .*//; # Keep only the client's IP addr
 189   $host =~ s/^::ffff://;
 190   $host = gethostbyaddr(inet_aton($host),AF_INET) || $host;
 191   printf LOG "%02d:%02d %-13s [%s]\n", $hh, $mm, $host, "@opts @args";
 192   close LOG;
 193 }
 194
 195 # Note: This assumes that the rsync protocol will not be maliciously hijacked.
 196 exec(RSYNC, @opts, @args) or die "exec(rsync @opts @args) failed: $? $!";
 197
 198 sub check_arg
 199 {
 200   my($opt, $arg, $type) = @_;
 201   $arg =~ s/\\(.)/$1/g;
 202   if ($subdir ne '/' && ($type == 3 || ($type == 2 && !$am_sender))) {
 203     $arg =~ s#//#/#g;
 204     die "Do not use .. in --$opt; anchor the path at the root of your restricted dir.\n"
 205       if $arg =~ m#(^|/)\.\.(/|$)#;
 206     $arg =~ s#^/#$subdir/#;
 207   }
 208   $arg;
 209 }