Restricted shell
Revision as of 13:40, 2 October 2015 (edited by Beuc-inria)
By default, FusionForge creates shell access for users who are members of a project.
This SSH access is used to commit to the SCM repositories, or to upload files to the project's website.
If you wish to restrict this access, e.g. to only Git, SVN or SFTP, you can configure a restricted shell.
Example configuration
Let's document how to use the git-shell restricted shell. Alternatives exist such as GNU Rush and rssh.
- add /usr/bin/git-shell to /etc/shells
- define the core/user_default_shell, e.g. in /etc/fusionforge/config.ini.d/zzzz-local.ini:
  [core]
  user_default_shell = /usr/bin/git-shell
Adding an scp wrapper script to ~/git-shell-commands/
Note: git-shell restricts shell access securely only if the user has no write access to their home directory: git-shell runs whatever is placed in ~/git-shell-commands/, so a user who can write there can add arbitrary commands.
The following script may be installed as the user's ~/git-shell-commands/scp to add scp support in a restricted way: git-shell runs it for any command line starting with "scp", and the script only accepts upload commands (the original pattern was ^(scp .*-t /upload)) whose destination is the project's htdocs directory:
  #!/bin/sh
  # git-shell passes the client's command line split into arguments;
  # keep the joined form for pattern matching, but hand the original
  # argument vector ("$@") to scp so it is not re-split or glob-expanded.
  cmd="$*"
  # Check that the command doesn't involve upward path components in any
  # location, to prevent for instance "scp -t upload/../".
  if echo "$cmd" | grep -F -q '..'; then
      echo "Forbidden command: scp $cmd" >&2
      exit 1
  fi
  # Only server-side uploads (-t, optionally with -r and/or -p) into a
  # project's htdocs tree are allowed. Note that "htdocs*" also matches
  # sibling names such as htdocs-old; tighten to "htdocs/*" if needed.
  case "$cmd" in
      -t\ --\ /home/groups/*/htdocs*)          exec scp "$@" ;;
      -r\ -t\ --\ /home/groups/*/htdocs*)      exec scp "$@" ;;
      -p\ -t\ --\ /home/groups/*/htdocs*)      exec scp "$@" ;;
      -r\ -p\ -t\ --\ /home/groups/*/htdocs*)  exec scp "$@" ;;
      *) echo "Forbidden command: scp $cmd" >&2; exit 1 ;;
  esac
Then, the user will be able to scp to /home/groups/projname/htdocs/ to upload the project's website files.
You may want to check GNU Rush and rssh though.
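The wrapper's allow/deny decision, factored into a testable shell function as an added example (this is not the wiki page's script): it accepts -r and -p in any order, requires -t, and limits the destination to exactly the project's htdocs tree, which is slightly tighter than the htdocs* pattern above; the /home/groups/<project>/htdocs layout and the ".." check are taken from the page.

```shell
#!/bin/sh
# Added example, not the wiki page's own script: the allow/deny policy of
# ~/git-shell-commands/scp as a function returning 0 (allow) or 1 (deny). It
# receives the argument vector git-shell hands to the wrapper (the client's
# command line after the word "scp"). Assumed layout, from the page:
# project web roots are /home/groups/<project>/htdocs.
scp_policy() {
    seen_t=0
    target=
    # Refuse an upward path component anywhere on the command line,
    # e.g. "-t -- /home/groups/p/htdocs/../.ssh", as the page's wrapper does.
    case "$*" in *..*) return 1 ;; esac
    while [ $# -gt 0 ]; do
        case "$1" in
            -t)    seen_t=1 ;;                   # sink mode: the server receives files
            -r|-p) ;;                            # recursive / preserve times are harmless
            --)    shift; target="$1"; break ;;  # what follows is the destination
            *)     return 1 ;;                   # -f (server sends files), -d, -v, ...
        esac
        shift
    done
    [ "$seen_t" -eq 1 ] || return 1
    [ $# -eq 1 ] || return 1                     # exactly one operand after --
    rest="${target#/home/groups/}"               # "<project>/htdocs[/...]"
    [ "$rest" != "$target" ] || return 1         # the prefix was missing
    proj="${rest%%/*}"                           # first path component only
    sub="${rest#*/}"                             # everything after the project name
    [ -n "$proj" ] && [ "$proj" != "$rest" ] || return 1
    case "$sub" in
        htdocs|htdocs/*) return 0 ;;             # the htdocs tree and nothing beside it
        *)               return 1 ;;
    esac
}
# In the real wrapper the function gates the exec, and the original argv is
# passed unsplit so destinations with spaces or glob characters stay intact:
#   scp_policy "$@" && exec scp "$@"
#   echo "Forbidden command: scp $*" >&2; exit 1

# Stand-alone demonstration over constructed command lines (word-split on purpose).
demo() {
    for c in "-t -- /home/groups/proj/htdocs/index.html" \
             "-r -p -t -- /home/groups/proj/htdocs" \
             "-f -- /home/groups/proj/htdocs/index.html" \
             "-t -- /home/groups/proj/htdocs/../.ssh" \
             "-t -- /home/groups/proj/htdocs-old"; do
        if scp_policy $c; then echo "allow: scp $c"; else echo "deny:  scp $c"; fi
    done
}
demo
```

Since OpenSSH 9.0 the scp client speaks SFTP by default and requests the sftp subsystem instead of running scp -t on the server, so clients must pass scp -O for a git-shell wrapper like this to apply (an OpenSSH fact, not stated on the page).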
See also
- Configuration: core/use_shell and core/user_default_shell
- Restricting ssh shell access for git on [Fusionforge-general]: http://lists.fusionforge.org/pipermail/fusionforge-general/2012-May/001792.html