btrbk/ssh_filter_btrbk.sh

#!/bin/sh

set -e
set -u

export PATH=/sbin:/bin:/usr/sbin:/usr/bin

enable_log=
if [ "$#" -ge 1 ] && [ "$1" = "-l" ]; then
    enable_log=1
fi

log_cmd()
{
    if [ -n "$enable_log" ]; then
        logger -p $1 -t ssh_filter_btrbk.sh "$2 (Name: ${LOGNAME:-<unknown>}; Remote: ${SSH_CLIENT:-<unknown>}): $SSH_ORIGINAL_COMMAND"
    fi
}

reject_and_die()
{
    log_cmd "auth.err" "btrbk REJECT"
    /bin/echo "ERROR: ssh command rejected" 1>&2
    exit 1
}

run_cmd()
{
    log_cmd "auth.info" "btrbk ACCEPT"
    $SSH_ORIGINAL_COMMAND
}

case "$SSH_ORIGINAL_COMMAND" in
    *\$*) reject_and_die ;;
    *\&*) reject_and_die ;;
    *\(*) reject_and_die ;;
    *\{*) reject_and_die ;;
    *\;*) reject_and_die ;;
    *\<*) reject_and_die ;;
    *\>*) reject_and_die ;;
    *\`*) reject_and_die ;;
    *\|*) reject_and_die ;;
    btrfs\ subvolume\ show\ *)      run_cmd ;;   # mandatory
    btrfs\ subvolume\ list\ *)      run_cmd ;;   # mandatory
    btrfs\ subvolume\ snapshot\ *)  run_cmd ;;   # mandatory if this host is backup source
    btrfs\ send\ *)                 run_cmd ;;   # mandatory if this host is backup source
    btrfs\ receive\ *)              run_cmd ;;   # mandatory if this host is backup target
    btrfs\ subvolume\ delete\ *)    run_cmd ;;   # mandatory if scheduling is active
    btrfs\ subvolume\ find-new\ *)  run_cmd ;;   # needed for "btrbk diff"
    btrfs\ filesystem\ usage\ *)    run_cmd ;;   # needed for "btrbk info"
    *) reject_and_die ;;
esac
ssh_filter_btrbk: added ssh_filter_btrbk.sh (ssh wrapper/filter script) 2015-02-09 11:42:44 +01:00			`#!/bin/sh`

ssh_filter_btrbk: fail if any command fails, or var is undefined 2015-07-08 14:54:56 +02:00			`set -e`
			`set -u`

btrbk, ssh_filter_btrbk.sh: set PATH=/sbin:/bin:/usr/sbin:/usr/bin and call "btrfs" instead of using absolute "/sbin/btrfs". for compatibility with all distros out there. - debian jessie (stable): btrfs-tools-3.17-1.1: `/sbin/btrfs` - debian sid (unstable): btrfs-tools-4.0-2: `/bin/btrfs` - gentoo: sys-fs/btrfs-progs-4.0: `/sbin/btrfs` - arch: btrfs-progs-4.0-2: `/usr/bin/btrfs` 2015-05-18 21:18:57 +02:00			`export PATH=/sbin:/bin:/usr/sbin:/usr/bin`
ssh_filter_btrbk: added ssh_filter_btrbk.sh (ssh wrapper/filter script) 2015-02-09 11:42:44 +01:00
ssh_filter_btrbk: fail if any command fails, or var is undefined 2015-07-08 14:54:56 +02:00			`enable_log=`
			`if [ "$#" -ge 1 ] && [ "$1" = "-l" ]; then`
ssh_filter_btrbk: added ssh_filter_btrbk.sh (ssh wrapper/filter script) 2015-02-09 11:42:44 +01:00			`enable_log=1`
			`fi`

ssh_filter_btrbk: no fail if either $LOGNAME or $SSH_CLIENT are not set; added log_cmd() function; use relative path for "logger" command; cosmetics 2015-07-08 18:05:39 +02:00			`log_cmd()`
ssh_filter_btrbk: added ssh_filter_btrbk.sh (ssh wrapper/filter script) 2015-02-09 11:42:44 +01:00			`{`
			`if [ -n "$enable_log" ]; then`
ssh_filter_btrbk: no fail if either $LOGNAME or $SSH_CLIENT are not set; added log_cmd() function; use relative path for "logger" command; cosmetics 2015-07-08 18:05:39 +02:00			`logger -p $1 -t ssh_filter_btrbk.sh "$2 (Name: ${LOGNAME:-<unknown>}; Remote: ${SSH_CLIENT:-<unknown>}): $SSH_ORIGINAL_COMMAND"`
ssh_filter_btrbk: added ssh_filter_btrbk.sh (ssh wrapper/filter script) 2015-02-09 11:42:44 +01:00			`fi`
ssh_filter_btrbk: no fail if either $LOGNAME or $SSH_CLIENT are not set; added log_cmd() function; use relative path for "logger" command; cosmetics 2015-07-08 18:05:39 +02:00			`}`

			`reject_and_die()`
			`{`
			`log_cmd "auth.err" "btrbk REJECT"`
			`/bin/echo "ERROR: ssh command rejected" 1>&2`
			`exit 1`
ssh_filter_btrbk: added ssh_filter_btrbk.sh (ssh wrapper/filter script) 2015-02-09 11:42:44 +01:00			`}`

			`run_cmd()`
			`{`
ssh_filter_btrbk: no fail if either $LOGNAME or $SSH_CLIENT are not set; added log_cmd() function; use relative path for "logger" command; cosmetics 2015-07-08 18:05:39 +02:00			`log_cmd "auth.info" "btrbk ACCEPT"`
ssh_filter_btrbk: added ssh_filter_btrbk.sh (ssh wrapper/filter script) 2015-02-09 11:42:44 +01:00			`$SSH_ORIGINAL_COMMAND`
			`}`

			`case "$SSH_ORIGINAL_COMMAND" in`
			`\$) reject_and_die ;;`
			`\&) reject_and_die ;;`
			`\() reject_and_die ;;`
			`\{) reject_and_die ;;`
			`\;) reject_and_die ;;`
			`\<) reject_and_die ;;`
			`\>) reject_and_die ;;`
			\`) reject_and_die ;;
			`\\|) reject_and_die ;;`
btrbk, ssh_filter_btrbk.sh: set PATH=/sbin:/bin:/usr/sbin:/usr/bin and call "btrfs" instead of using absolute "/sbin/btrfs". for compatibility with all distros out there. - debian jessie (stable): btrfs-tools-3.17-1.1: `/sbin/btrfs` - debian sid (unstable): btrfs-tools-4.0-2: `/bin/btrfs` - gentoo: sys-fs/btrfs-progs-4.0: `/sbin/btrfs` - arch: btrfs-progs-4.0-2: `/usr/bin/btrfs` 2015-05-18 21:18:57 +02:00			`btrfs\ subvolume\ show\ *) run_cmd ;; # mandatory`
			`btrfs\ subvolume\ list\ *) run_cmd ;; # mandatory`
			`btrfs\ subvolume\ snapshot\ *) run_cmd ;; # mandatory if this host is backup source`
			`btrfs\ send\ *) run_cmd ;; # mandatory if this host is backup source`
			`btrfs\ receive\ *) run_cmd ;; # mandatory if this host is backup target`
			`btrfs\ subvolume\ delete\ *) run_cmd ;; # mandatory if scheduling is active`
			`btrfs\ subvolume\ find-new\ *) run_cmd ;; # needed for "btrbk diff"`
			`btrfs\ filesystem\ usage\ *) run_cmd ;; # needed for "btrbk info"`
ssh_filter_btrbk: added ssh_filter_btrbk.sh (ssh wrapper/filter script) 2015-02-09 11:42:44 +01:00			`*) reject_and_die ;;`
			`esac`