X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Ffiles%2Fstatic-mirroring%2Fstatic-mirror-ssh-wrap;h=240fefec8389e45d48c6ad7304b3fa273c3e9e84;hb=6a27da63ab813d60c8542d289f5b44a495311d11;hp=f7a6a81c13f88e5adac09f07a84e05fbe8552e63;hpb=d6e20ea4c083d9978ad4c3e5eccaffa2e887698a;p=mirror%2Fdsa-puppet.git diff --git a/modules/roles/files/static-mirroring/static-mirror-ssh-wrap b/modules/roles/files/static-mirroring/static-mirror-ssh-wrap index f7a6a81c1..240fefec8 100755 --- a/modules/roles/files/static-mirroring/static-mirror-ssh-wrap +++ b/modules/roles/files/static-mirroring/static-mirror-ssh-wrap @@ -1,5 +1,11 @@ #!/bin/bash +# This is a wrapper script for ssh access on Debian's static mirroring infrastructure. +# +# It limits the commands the master can run on static-mirroring mirrors (i.e. +# the things running apache) on one hand, and also on static-mirroring sources, +# that is the things that create the data. + # Copyright (c) 2009, 2010, 2012 Peter Palfrader # # Permission is hereby granted, free of charge, to any person obtaining @@ -25,6 +31,7 @@ set -e set -u MYLOGNAME="`basename "$0"`[$$]" +COMPONENTLIST=/etc/static-components.conf usage() { echo "local Usage: $0 " 
@@ -61,23 +68,20 @@ do_mirror() { } do_rsync() { - local remote_host="$1" - shift + local remote_host="$1" + shift local allowed_rsyncs allowed_rsyncs=() - #case "`hostname`" in - # vescum) - # allowed_rsyncs=( - # '^--server --sender -tre\.iLsf \. /srv/www-master\.torproject\.org/htdocs/\.$' - # ) - # ;; - # *) - #esac + if [ -e "$COMPONENTLIST" ]; then + for path in $(awk -v host="$(hostname -f)" '$2 == host {print $3}' $COMPONENTLIST); do + allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.") + done + fi for cmd_idx in ${!allowed_rsyncs[*]}; do allowed="${allowed_rsyncs[$cmd_idx]}" - if [[ "$*" =~ $allowed ]]; then # do !not! quote regex + if [ "$*" = "$allowed" ]; then info "Running for host $remote_host: rsync $*" exec rsync "$@" echo >&2 "Exec failed"
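Review bot: The new `for path in $(awk … $COMPONENTLIST)` loop in do_rsync expands the awk output unquoted, so each path read from /etc/static-components.conf is word-split and glob-expanded against the local filesystem before it becomes an allow-list entry, and nothing checks that the field is an absolute path. Because this wrapper is the access control for what the master may pull, the entries are better read line by line and validated, with `path` declared `local`; a rewritten loop follows. The exact `[ "$*" = "$allowed" ]` comparison is tighter than the old regex, but it tests the space-joined string while `exec rsync "$@"` runs the original words, so it is safe only if the caller (not visible here) splits the command on whitespace alone, which deserves a comment. A comment beside `COMPONENTLIST` should also state that the file must be writable only by root, since it now defines the allow-list. do_rsync's body continues past the end of the hunk.

```shell
  if [ -e "$COMPONENTLIST" ]; then
    local path
    while IFS= read -r path; do
      # only absolute paths may become allow-list entries
      [[ "$path" == /* ]] || continue
      allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.")
    done < <(awk -v host="$(hostname -f)" '$2 == host {print $3}' "$COMPONENTLIST")
  fi
  # … unchanged: loop comparing "$*" against allowed_rsyncs …
```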