Restricted shell/6.1

From FusionForge Wiki
Jump to: navigation, search

This page in other versions: master

By default, if configuration flag use_shell is set, FusionForge creates shell access for users that are members of a project.

This SSH access is used to commit to the SCM repositories, or to upload files to the project's website.

If you wish to restrict this access, e.g. to only Git, SVN or SFTP, you can:

  • configure a restricted shell.
  • use configuration flag use_shell_limited flag.

Setup a homemade restricted shell

Let's document how to use the git-shell restricted shell. Alternatives exist such as GNU Rush and rssh.

  • add /usr/bin/git-shell to /etc/shells
  • define the core/user_default_shell, e.g. in /etc/fusionforge/config.ini.d/zzzz-local.ini:
user_default_shell = /usr/bin/git-shell

Adding an scp wrapper script to ~/git-shell-commands/

Note: git-shell securely restricts shell access only if the user doesn't have access to its home directory.

The following script may be added to the user's ~/git-shell-commands/scp to securely add support scp, by matching ^(scp .*-t /upload):



# check that command doesn't involve upwards path components in any
# location to prevent, for instance, scp -t upload/../
echo "$cmd" | fgrep '..' >/dev/null && echo "Forbidden command: scp $cmd" && exit

case "$cmd" in
 -t\ --\ /home/groups/*/htdocs*) exec scp $cmd ;;
 -r\ -t\ --\ /home/groups/*/htdocs*) exec scp $cmd ;;
 -p\ -t\ --\ /home/groups/*/htdocs*) exec scp $cmd ;;
 -r\ -p\ -t\ --\ /home/groups/*/htdocs*) exec scp $cmd ;;
 *) echo "Forbidden command: scp $cmd" ;;

Then, the user will be able to scp to /home/groups/projname/htdocs/ to upload the project's website files.

You may want to check GNU Rush and rssh though.

See also

Use use_shell_limited

FusionForge proposes a specific implementation of a command wrapper on top of SSH. By default, the configuration flag is set to false. Turning to true will limit the usage of SSH to support:

This feature relies on the script available in ~/bin/limited_ssh.sh
It requires the sshd configuration to allow only sshkey as authentication method.

See also