#!/bin/bash
+# This is a wrapper script for ssh access on Debian's static mirroring infrastructure.
+#
+# It limits the commands the master can run on static-mirroring mirrors (i.e.
+# the things running apache) on one hand, and also on static-mirroring sources,
+# that is the things that create the data.
+
# Copyright (c) 2009, 2010, 2012 Peter Palfrader
#
# Permission is hereby granted, free of charge, to any person obtaining
set -u
MYLOGNAME="`basename "$0"`[$$]"
+COMPONENTLIST=/etc/static-components.conf
usage() {
echo "local Usage: $0 <basedir> <host>"
echo "via ssh orig command:"
- echo " mirror <serial>"
+ echo " mirror <component> <serial>"
+ echo " rsync ..."
+ do_rsync "$remote_host" "$@"
}
one_more_arg() {
local basedir="$1"; shift
local remote_host="$1"; shift
one_more_arg "$@"
+ local component="$1"; shift
+ one_more_arg "$@"
local serial="$1"; shift
- info "Host $remote_host triggered a mirror run for serial $serial"
- exec /usr/local/bin/static-mirror-run "$basedir" "$remote_host:-new-" "$serial"
+ info "Host $remote_host triggered a mirror run for $component, serial $serial"
+ exec /usr/local/bin/static-mirror-run "$basedir" "$remote_host:$component/-new-" "$serial"
echo >&2 "Exec failed"
croak "exec failed"
}
do_rsync() {
- local remote_host="$1"
- shift
+ local remote_host="$1"
+ shift
local allowed_rsyncs
allowed_rsyncs=()
- #case "`hostname`" in
- # vescum)
- # allowed_rsyncs=(
- # '^--server --sender -tre\.iLsf \. /srv/www-master\.torproject\.org/htdocs/\.$'
- # )
- # ;;
- # *)
- #esac
+ if [ -e "$COMPONENTLIST" ]; then
+ for path in $(awk -v host="$(hostname -f)" '$3 == host {print $4}' $COMPONENTLIST); do
+ allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.")
+ done
+ fi
for cmd_idx in ${!allowed_rsyncs[*]}; do
allowed="${allowed_rsyncs[$cmd_idx]}"
- if [[ "$*" =~ $allowed ]]; then # do !not! quote regex
+ if [ "$*" = "$allowed" ]; then
info "Running for host $remote_host: rsync $*"
exec rsync "$@"
echo >&2 "Exec failed"
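Review bot: The new allowlist loop in do_rsync iterates over an unquoted command substitution, `for path in $(awk … $COMPONENTLIST)`, so every path read from the config is subject to pathname expansion before it becomes an allowed rsync command; a path containing `*`, `?` or `[` would be expanded against the local filesystem and produce allowlist entries nobody wrote in the config. Reading the awk output line by line keeps each entry literal: `while IFS= read -r path; do allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/."); done < <(awk -v host="$(hostname -f)" '$3 == host {print $4}' "$COMPONENTLIST")`. The switch from the regex match to `[ "$*" = "$allowed" ]` is a welcome tightening, but it compares the space-joined string rather than the argument vector, so argument boundaries are not checked before `exec rsync "$@"`; comparing element by element would be stricter if the arguments can ever contain spaces. `path`, `cmd_idx` and `allowed` are also not declared `local` in the visible lines. The body of do_rsync continues past the end of the hunk, so anything after the failed-exec message is not covered here.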