X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Ffiles%2Fstatic-mirroring%2Fstatic-mirror-ssh-wrap;h=b4c8447b878e1eef63e4808348c83cf88c5aca2b;hb=23b3472027a552a8d691d19cdfb60a521f027955;hp=f7a6a81c13f88e5adac09f07a84e05fbe8552e63;hpb=d6e20ea4c083d9978ad4c3e5eccaffa2e887698a;p=mirror%2Fdsa-puppet.git
diff --git a/modules/roles/files/static-mirroring/static-mirror-ssh-wrap b/modules/roles/files/static-mirroring/static-mirror-ssh-wrap
index f7a6a81c1..b4c8447b8 100755
--- a/modules/roles/files/static-mirroring/static-mirror-ssh-wrap
+++ b/modules/roles/files/static-mirroring/static-mirror-ssh-wrap
@@ -1,5 +1,11 @@
 #!/bin/bash
+# This is a wrapper script for ssh access on Debian's static mirroring infrastructure.
+#
+# It limits the commands the master can run on static-mirroring mirrors (i.e.
+# the things running apache) on one hand, and also on static-mirroring sources,
+# that is the things that create the data.
+
 # Copyright (c) 2009, 2010, 2012 Peter Palfrader
 #
 # Permission is hereby granted, free of charge, to any person obtaining
@@ -25,11 +31,14 @@ set -e
 set -u
 MYLOGNAME="`basename "$0"`[$$]"
+COMPONENTLIST=/etc/static-components.conf
 usage() {
 echo "local Usage: $0 "
 echo "via ssh orig command:"
- echo " mirror "
+ echo " mirror "
+ echo " rsync ..."
+ do_rsync "$remote_host" "$@"
 }
 one_more_arg() {
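Review bot: `COMPONENTLIST=/etc/static-components.conf` is a constant that the rest of the script later uses to decide which rsync targets are permitted, so it should be declared `readonly COMPONENTLIST=/etc/static-components.conf` to rule out accidental reassignment. The `usage()` echo lines in this hunk have visibly lost text in this rendering (the `mirror` and `rsync` examples end in a trailing space), so their wording and the placement of the added `do_rsync "$remote_host" "$@"` line cannot be judged from here. The enclosing function bodies are not fully visible in the hunk.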
@@ -52,32 +61,31 @@ do_mirror() {
 local basedir="$1"; shift
 local remote_host="$1"; shift
 one_more_arg "$@"
+ local component="$1"; shift
+ one_more_arg "$@"
 local serial="$1"; shift
- info "Host $remote_host triggered a mirror run for serial $serial"
- exec /usr/local/bin/static-mirror-run "$basedir" "$remote_host:-new-" "$serial"
+ info "Host $remote_host triggered a mirror run for $component, serial $serial"
+ exec /usr/local/bin/static-mirror-run "$basedir" "$remote_host:$component/-new-" "$serial"
 echo >&2 "Exec failed"
 croak "exec failed"
 }
 do_rsync() {
- local remote_host="$1"
- shift
+ local remote_host="$1"
+ shift
 local allowed_rsyncs
 allowed_rsyncs=()
- #case "`hostname`" in
- # vescum)
- # allowed_rsyncs=(
- # '^--server --sender -tre\.iLsf \. /srv/www-master\.torproject\.org/htdocs/\.$'
- # )
- # ;;
- # *)
- #esac
+ if [ -e "$COMPONENTLIST" ]; then
+ for path in $(awk -v host="$(hostname -f)" '$3 == host {print $4}' $COMPONENTLIST); do
+ allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.")
+ done
+ fi
 for cmd_idx in ${!allowed_rsyncs[*]}; do
 allowed="${allowed_rsyncs[$cmd_idx]}"
- if [[ "$*" =~ $allowed ]]; then # do !not! quote regex
+ if [ "$*" = "$allowed" ]; then
 info "Running for host $remote_host: rsync $*"
 exec rsync "$@"
 echo >&2 "Exec failed"
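Review bot: `component` in do_mirror comes straight from the ssh-supplied command line and is spliced into the path `$remote_host:$component/-new-` handed to static-mirror-run, but the added `one_more_arg "$@"` only checks that an argument is present, not that it is well-formed; validate it before the `exec`, e.g. `[[ "$component" =~ ^[A-Za-z0-9._-]+$ ]] || croak "bad component $component"` (how static-mirror-run consumes that argument is not visible here, so confirm the safe character set against it; checking membership in `$COMPONENTLIST` would be stricter still). In do_rsync the exact comparison `[ "$*" = "$allowed" ]` is a clear improvement over the old regex, but `$*` joins argv with a space, so the check sees a flattened string rather than the argument vector that `exec rsync "$@"` actually runs; comparing `$#` and each element, or building both sides with `printf '%s\0'`, pins the argv precisely. The `for path in $(awk … $COMPONENTLIST)` loop also word-splits awk's output and leaves `$COMPONENTLIST` unquoted, so a target path containing whitespace would become several bogus allow-list entries; `while IFS= read -r path; do …; done < <(awk … "$COMPONENTLIST")` keeps each line intact. The `do_mirror() {` signature sits in the hunk header rather than the hunk, and do_rsync continues past the last line shown.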