Difference between revisions of "Restricted shell"

From FusionForge Wiki
Jump to: navigation, search
(Setting git-shell as the user's login shell: Import and update previous documentation on restricted shells)
(capitalize list name)
Line 42: Line 42:
* [[Configuration]]: <code>core/use_shell</code> and <code>core/user_default_shell</code>
* [[Configuration]]: <code>core/use_shell</code> and <code>core/user_default_shell</code>
* [http://lists.fusionforge.org/pipermail/fusionforge-general/2012-May/001792.html Restricting ssh shell access for git] on [fusionforge-general]  
* [http://lists.fusionforge.org/pipermail/fusionforge-general/2012-May/001792.html Restricting ssh shell access for git] on [Fusionforge-general]  
[[Category:Admin documentation]]
[[Category:Admin documentation]]

Revision as of 13:40, 2 October 2015

By default, FusionForge creates shell access for users that are members of a project.

This SSH access is used to commit to the SCM repositories, or to upload files to the project's website.

If you wish to restrict this access, e.g. to only Git, SVN or SFTP, you can configure a restricted shell.

Example configuration

Let's document how to use the git-shell restricted shell. Alternatives exist such as GNU Rush and rssh.

  • add /usr/bin/git-shell to /etc/shells
  • define the core/user_default_shell, e.g. in /etc/fusionforge/config.ini.d/zzzz-local.ini:
user_default_shell = /usr/bin/git-shell

Adding an scp wrapper script to ~/git-shell-commands/

Note: git-shell securely restricts shell access only if the user doesn't have access to its home directory.

The following script may be added to the user's ~/git-shell-commands/scp to securely add support scp, by matching ^(scp .*-t /upload):



# check that command doesn't involve upwards path components in any
# location to prevent, for instance, scp -t upload/../
echo "$cmd" | fgrep '..' >/dev/null && echo "Forbidden command: scp $cmd" && exit

case "$cmd" in
 -t\ --\ /home/groups/*/htdocs*) exec scp $cmd ;;
 -r\ -t\ --\ /home/groups/*/htdocs*) exec scp $cmd ;;
 -p\ -t\ --\ /home/groups/*/htdocs*) exec scp $cmd ;;
 -r\ -p\ -t\ --\ /home/groups/*/htdocs*) exec scp $cmd ;;
 *) echo "Forbidden command: scp $cmd" ;;

Then, the user will be able to scp to /home/groups/projname/htdocs/ to upload the project's website files.

You may want to check GNU Rush and rssh though.

See also