##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

contrib/hgsh: Check for .hg/store as well as .hg/data....
Bryan O'Sullivan -
r4419:59ddd43f default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,405 +1,439 b''
1 /*
1 /*
2 * hgsh.c - restricted login shell for mercurial
2 * hgsh.c - restricted login shell for mercurial
3 *
3 *
4 * Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
4 * Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
5 *
5 *
6 * This software may be used and distributed according to the terms of the
6 * This software may be used and distributed according to the terms of the
7 * GNU General Public License, incorporated herein by reference.
7 * GNU General Public License, incorporated herein by reference.
8 *
8 *
9 * this program is login shell for dedicated mercurial user account. it
9 * this program is login shell for dedicated mercurial user account. it
10 * only allows few actions:
10 * only allows few actions:
11 *
11 *
12 * 1. run hg in server mode on specific repository. no other hg commands
12 * 1. run hg in server mode on specific repository. no other hg commands
13 * are allowed. we try to verify that repo to be accessed exists under
13 * are allowed. we try to verify that repo to be accessed exists under
14 * given top-level directory.
14 * given top-level directory.
15 *
15 *
16 * 2. (optional) forward ssh connection from firewall/gateway machine to
16 * 2. (optional) forward ssh connection from firewall/gateway machine to
17 * "real" mercurial host, to let users outside intranet pull and push
17 * "real" mercurial host, to let users outside intranet pull and push
18 * changes through firewall.
18 * changes through firewall.
19 *
19 *
20 * 3. (optional) run normal shell, to allow to "su" to mercurial user, use
20 * 3. (optional) run normal shell, to allow to "su" to mercurial user, use
21 * "sudo" to run programs as that user, or run cron jobs as that user.
21 * "sudo" to run programs as that user, or run cron jobs as that user.
22 *
22 *
23 * only tested on linux yet. patches for non-linux systems welcome.
23 * only tested on linux yet. patches for non-linux systems welcome.
24 */
24 */
25
25
26 #ifndef _GNU_SOURCE
26 #ifndef _GNU_SOURCE
27 #define _GNU_SOURCE /* for asprintf */
27 #define _GNU_SOURCE /* for asprintf */
28 #endif
28 #endif
29
29
30 #include <stdio.h>
30 #include <stdio.h>
31 #include <stdlib.h>
31 #include <stdlib.h>
32 #include <string.h>
32 #include <string.h>
33 #include <sys/stat.h>
33 #include <sys/stat.h>
34 #include <sys/types.h>
34 #include <sys/types.h>
35 #include <sysexits.h>
35 #include <sysexits.h>
36 #include <unistd.h>
36 #include <unistd.h>
37
37
38 /*
38 /*
39 * user config.
39 * user config.
40 *
40 *
41 * if you see a hostname below, just use first part of hostname. example,
41 * if you see a hostname below, just use first part of hostname. example,
42 * if you have host named foo.bar.com, use "foo".
42 * if you have host named foo.bar.com, use "foo".
43 */
43 */
44
44
45 /*
45 /*
46 * HG_GATEWAY: hostname of gateway/firewall machine that people outside your
46 * HG_GATEWAY: hostname of gateway/firewall machine that people outside your
47 * intranet ssh into if they need to ssh to other machines. if you do not
47 * intranet ssh into if they need to ssh to other machines. if you do not
48 * have such machine, set to NULL.
48 * have such machine, set to NULL.
49 */
49 */
50 #ifndef HG_GATEWAY
50 #ifndef HG_GATEWAY
51 #define HG_GATEWAY "gateway"
51 #define HG_GATEWAY "gateway"
52 #endif
52 #endif
53
53
54 /*
54 /*
55 * HG_HOST: hostname of mercurial server. if any machine is allowed, set to
55 * HG_HOST: hostname of mercurial server. if any machine is allowed, set to
56 * NULL.
56 * NULL.
57 */
57 */
58 #ifndef HG_HOST
58 #ifndef HG_HOST
59 #define HG_HOST "mercurial"
59 #define HG_HOST "mercurial"
60 #endif
60 #endif
61
61
62 /*
62 /*
63 * HG_USER: username to log in from HG_GATEWAY to HG_HOST. if gateway and
63 * HG_USER: username to log in from HG_GATEWAY to HG_HOST. if gateway and
64 * host username are same, set to NULL.
64 * host username are same, set to NULL.
65 */
65 */
66 #ifndef HG_USER
66 #ifndef HG_USER
67 #define HG_USER "hg"
67 #define HG_USER "hg"
68 #endif
68 #endif
69
69
70 /*
70 /*
71 * HG_ROOT: root of tree full of mercurial repos. if you do not want to
71 * HG_ROOT: root of tree full of mercurial repos. if you do not want to
72 * validate location of repo when someone is try to access, set to NULL.
72 * validate location of repo when someone is try to access, set to NULL.
73 */
73 */
74 #ifndef HG_ROOT
74 #ifndef HG_ROOT
75 #define HG_ROOT "/home/hg/repos"
75 #define HG_ROOT "/home/hg/repos"
76 #endif
76 #endif
77
77
78 /*
78 /*
79 * HG: path to the mercurial executable to run.
79 * HG: path to the mercurial executable to run.
80 */
80 */
81 #ifndef HG
81 #ifndef HG
82 #define HG "/home/hg/bin/hg"
82 #define HG "/home/hg/bin/hg"
83 #endif
83 #endif
84
84
85 /*
85 /*
86 * HG_SHELL: shell to use for actions like "sudo" and "su" access to
86 * HG_SHELL: shell to use for actions like "sudo" and "su" access to
87 * mercurial user, and cron jobs. if you want to make these things
87 * mercurial user, and cron jobs. if you want to make these things
88 * impossible, set to NULL.
88 * impossible, set to NULL.
89 */
89 */
90 #ifndef HG_SHELL
90 #ifndef HG_SHELL
91 #define HG_SHELL NULL
91 #define HG_SHELL NULL
92 // #define HG_SHELL "/bin/bash"
92 // #define HG_SHELL "/bin/bash"
93 #endif
93 #endif
94
94
95 /*
95 /*
96 * HG_HELP: some way for users to get support if they have problem. if they
96 * HG_HELP: some way for users to get support if they have problem. if they
97 * should not get helpful message, set to NULL.
97 * should not get helpful message, set to NULL.
98 */
98 */
99 #ifndef HG_HELP
99 #ifndef HG_HELP
100 #define HG_HELP "please contact support@example.com for help."
100 #define HG_HELP "please contact support@example.com for help."
101 #endif
101 #endif
102
102
103 /*
103 /*
104 * SSH: path to ssh executable to run, if forwarding from HG_GATEWAY to
104 * SSH: path to ssh executable to run, if forwarding from HG_GATEWAY to
105 * HG_HOST. if you want to use rsh instead (why?), you need to modify
105 * HG_HOST. if you want to use rsh instead (why?), you need to modify
106 * arguments it is called with. see forward_through_gateway.
106 * arguments it is called with. see forward_through_gateway.
107 */
107 */
108 #ifndef SSH
108 #ifndef SSH
109 #define SSH "/usr/bin/ssh"
109 #define SSH "/usr/bin/ssh"
110 #endif
110 #endif
111
111
112 /*
112 /*
113 * tell whether to print command that is to be executed. useful for
113 * tell whether to print command that is to be executed. useful for
114 * debugging. should not interfere with mercurial operation, since
114 * debugging. should not interfere with mercurial operation, since
115 * mercurial only cares about stdin and stdout, and this prints to stderr.
115 * mercurial only cares about stdin and stdout, and this prints to stderr.
116 */
116 */
117 static const int debug = 0;
117 static const int debug = 0;
118
118
119 static void print_cmdline(int argc, char **argv)
119 static void print_cmdline(int argc, char **argv)
120 {
120 {
121 FILE *fp = stderr;
121 FILE *fp = stderr;
122 int i;
122 int i;
123
123
124 fputs("command: ", fp);
124 fputs("command: ", fp);
125
125
126 for (i = 0; i < argc; i++) {
126 for (i = 0; i < argc; i++) {
127 char *spc = strpbrk(argv[i], " \t\r\n");
127 char *spc = strpbrk(argv[i], " \t\r\n");
128 if (spc) {
128 if (spc) {
129 fputc('\'', fp);
129 fputc('\'', fp);
130 }
130 }
131 fputs(argv[i], fp);
131 fputs(argv[i], fp);
132 if (spc) {
132 if (spc) {
133 fputc('\'', fp);
133 fputc('\'', fp);
134 }
134 }
135 if (i < argc - 1) {
135 if (i < argc - 1) {
136 fputc(' ', fp);
136 fputc(' ', fp);
137 }
137 }
138 }
138 }
139 fputc('\n', fp);
139 fputc('\n', fp);
140 fflush(fp);
140 fflush(fp);
141 }
141 }
142
142
143 static void usage(const char *reason, int exitcode)
143 static void usage(const char *reason, int exitcode)
144 {
144 {
145 char *hg_help = HG_HELP;
145 char *hg_help = HG_HELP;
146
146
147 if (reason) {
147 if (reason) {
148 fprintf(stderr, "*** Error: %s.\n", reason);
148 fprintf(stderr, "*** Error: %s.\n", reason);
149 }
149 }
150 fprintf(stderr, "*** This program has been invoked incorrectly.\n");
150 fprintf(stderr, "*** This program has been invoked incorrectly.\n");
151 if (hg_help) {
151 if (hg_help) {
152 fprintf(stderr, "*** %s\n", hg_help);
152 fprintf(stderr, "*** %s\n", hg_help);
153 }
153 }
154 exit(exitcode ? exitcode : EX_USAGE);
154 exit(exitcode ? exitcode : EX_USAGE);
155 }
155 }
156
156
157 /*
157 /*
158 * run on gateway host to make another ssh connection, to "real" mercurial
158 * run on gateway host to make another ssh connection, to "real" mercurial
159 * server. it sends its command line unmodified to far end.
159 * server. it sends its command line unmodified to far end.
160 *
160 *
161 * never called if HG_GATEWAY is NULL.
161 * never called if HG_GATEWAY is NULL.
162 */
162 */
163 static void forward_through_gateway(int argc, char **argv)
163 static void forward_through_gateway(int argc, char **argv)
164 {
164 {
165 char *ssh = SSH;
165 char *ssh = SSH;
166 char *hg_host = HG_HOST;
166 char *hg_host = HG_HOST;
167 char *hg_user = HG_USER;
167 char *hg_user = HG_USER;
168 char **nargv = alloca((10 + argc) * sizeof(char *));
168 char **nargv = alloca((10 + argc) * sizeof(char *));
169 int i = 0, j;
169 int i = 0, j;
170
170
171 nargv[i++] = ssh;
171 nargv[i++] = ssh;
172 nargv[i++] = "-q";
172 nargv[i++] = "-q";
173 nargv[i++] = "-T";
173 nargv[i++] = "-T";
174 nargv[i++] = "-x";
174 nargv[i++] = "-x";
175 if (hg_user) {
175 if (hg_user) {
176 nargv[i++] = "-l";
176 nargv[i++] = "-l";
177 nargv[i++] = hg_user;
177 nargv[i++] = hg_user;
178 }
178 }
179 nargv[i++] = hg_host;
179 nargv[i++] = hg_host;
180
180
181 /*
181 /*
182 * sshd called us with added "-c", because it thinks we are a shell.
182 * sshd called us with added "-c", because it thinks we are a shell.
183 * drop it if we find it.
183 * drop it if we find it.
184 */
184 */
185 j = 1;
185 j = 1;
186 if (j < argc && strcmp(argv[j], "-c") == 0) {
186 if (j < argc && strcmp(argv[j], "-c") == 0) {
187 j++;
187 j++;
188 }
188 }
189
189
190 for (; j < argc; i++, j++) {
190 for (; j < argc; i++, j++) {
191 nargv[i] = argv[j];
191 nargv[i] = argv[j];
192 }
192 }
193 nargv[i] = NULL;
193 nargv[i] = NULL;
194
194
195 if (debug) {
195 if (debug) {
196 print_cmdline(i, nargv);
196 print_cmdline(i, nargv);
197 }
197 }
198
198
199 execv(ssh, nargv);
199 execv(ssh, nargv);
200 perror(ssh);
200 perror(ssh);
201 exit(EX_UNAVAILABLE);
201 exit(EX_UNAVAILABLE);
202 }
202 }
203
203
204 /*
204 /*
205 * run shell. let administrator "su" to mercurial user's account to do
205 * run shell. let administrator "su" to mercurial user's account to do
206 * administrative works.
206 * administrative works.
207 *
207 *
208 * never called if HG_SHELL is NULL.
208 * never called if HG_SHELL is NULL.
209 */
209 */
210 static void run_shell(int argc, char **argv)
210 static void run_shell(int argc, char **argv)
211 {
211 {
212 char *hg_shell = HG_SHELL;
212 char *hg_shell = HG_SHELL;
213 char **nargv;
213 char **nargv;
214 char *c;
214 char *c;
215 int i;
215 int i;
216
216
217 nargv = alloca((argc + 3) * sizeof(char *));
217 nargv = alloca((argc + 3) * sizeof(char *));
218 c = strrchr(hg_shell, '/');
218 c = strrchr(hg_shell, '/');
219
219
220 /* tell "real" shell it is login shell, if needed. */
220 /* tell "real" shell it is login shell, if needed. */
221
221
222 if (argv[0][0] == '-' && c) {
222 if (argv[0][0] == '-' && c) {
223 nargv[0] = strdup(c);
223 nargv[0] = strdup(c);
224 if (nargv[0] == NULL) {
224 if (nargv[0] == NULL) {
225 perror("malloc");
225 perror("malloc");
226 exit(EX_OSERR);
226 exit(EX_OSERR);
227 }
227 }
228 nargv[0][0] = '-';
228 nargv[0][0] = '-';
229 } else {
229 } else {
230 nargv[0] = hg_shell;
230 nargv[0] = hg_shell;
231 }
231 }
232
232
233 for (i = 1; i < argc; i++) {
233 for (i = 1; i < argc; i++) {
234 nargv[i] = argv[i];
234 nargv[i] = argv[i];
235 }
235 }
236 nargv[i] = NULL;
236 nargv[i] = NULL;
237
237
238 if (debug) {
238 if (debug) {
239 print_cmdline(i, nargv);
239 print_cmdline(i, nargv);
240 }
240 }
241
241
242 execv(hg_shell, nargv);
242 execv(hg_shell, nargv);
243 perror(hg_shell);
243 perror(hg_shell);
244 exit(EX_OSFILE);
244 exit(EX_OSFILE);
245 }
245 }
246
246
247 enum cmdline {
247 enum cmdline {
248 hg_init,
248 hg_init,
249 hg_serve,
249 hg_serve,
250 };
250 };
251
251
252
252
253 /*
253 /*
254 * attempt to verify that a directory is really a hg repo, by testing
255 * for the existence of a subdirectory.
256 */
257 static int validate_repo(const char *repo_root, const char *subdir)
258 {
259 char *abs_path;
260 struct stat st;
261 int ret;
262
263 if (asprintf(&abs_path, "%s.hg/%s", repo_root, subdir) == -1) {
264 ret = -1;
265 goto bail;
266 }
267
268 /* verify that we really are looking at valid repo. */
269
270 if (stat(abs_path, &st) == -1) {
271 ret = 0;
272 } else {
273 ret = 1;
274 }
275
276 bail:
277 return ret;
278 }
279
280 /*
254 * paranoid wrapper, runs hg executable in server mode.
281 * paranoid wrapper, runs hg executable in server mode.
255 */
282 */
256 static void serve_data(int argc, char **argv)
283 static void serve_data(int argc, char **argv)
257 {
284 {
258 char *hg_root = HG_ROOT;
285 char *hg_root = HG_ROOT;
259 char *repo, *repo_root;
286 char *repo, *repo_root;
260 enum cmdline cmd;
287 enum cmdline cmd;
261 char *nargv[6];
288 char *nargv[6];
262 struct stat st;
263 size_t repolen;
289 size_t repolen;
264 int i;
290 int i;
265
291
266 /*
292 /*
267 * check argv for looking okay. we should be invoked with argv
293 * check argv for looking okay. we should be invoked with argv
268 * resembling like this:
294 * resembling like this:
269 *
295 *
270 * hgsh
296 * hgsh
271 * -c
297 * -c
272 * hg -R some/path serve --stdio
298 * hg -R some/path serve --stdio
273 *
299 *
274 * the "-c" is added by sshd, because it thinks we are login shell.
300 * the "-c" is added by sshd, because it thinks we are login shell.
275 */
301 */
276
302
277 if (argc != 3) {
303 if (argc != 3) {
278 goto badargs;
304 goto badargs;
279 }
305 }
280
306
281 if (strcmp(argv[1], "-c") != 0) {
307 if (strcmp(argv[1], "-c") != 0) {
282 goto badargs;
308 goto badargs;
283 }
309 }
284
310
285 if (sscanf(argv[2], "hg init %as", &repo) == 1) {
311 if (sscanf(argv[2], "hg init %as", &repo) == 1) {
286 cmd = hg_init;
312 cmd = hg_init;
287 }
313 }
288 else if (sscanf(argv[2], "hg -R %as serve --stdio", &repo) == 1) {
314 else if (sscanf(argv[2], "hg -R %as serve --stdio", &repo) == 1) {
289 cmd = hg_serve;
315 cmd = hg_serve;
290 } else {
316 } else {
291 goto badargs;
317 goto badargs;
292 }
318 }
293
319
294 repolen = repo ? strlen(repo) : 0;
320 repolen = repo ? strlen(repo) : 0;
295
321
296 if (repolen == 0) {
322 if (repolen == 0) {
297 goto badargs;
323 goto badargs;
298 }
324 }
299
325
300 if (hg_root) {
326 if (hg_root) {
301 if (asprintf(&repo_root, "%s/%s/", hg_root, repo) == -1) {
327 if (asprintf(&repo_root, "%s/%s/", hg_root, repo) == -1) {
302 goto badargs;
328 goto badargs;
303 }
329 }
304
330
305 /*
331 /*
306 * attempt to stop break out from inside the repository tree. could
332 * attempt to stop break out from inside the repository tree. could
307 * do something more clever here, because e.g. we could traverse a
333 * do something more clever here, because e.g. we could traverse a
308 * symlink that looks safe, but really breaks us out of tree.
334 * symlink that looks safe, but really breaks us out of tree.
309 */
335 */
310
336
311 if (strstr(repo_root, "/../") != NULL) {
337 if (strstr(repo_root, "/../") != NULL) {
312 goto badargs;
338 goto badargs;
313 }
339 }
314
340
315 /* only hg init expects no repo. */
341 /* only hg init expects no repo. */
316
342
317 if (cmd != hg_init) {
343 if (cmd != hg_init) {
318 char *abs_path;
344 int valid;
319
345
320 if (asprintf(&abs_path, "%s.hg/data", repo_root) == -1) {
346 valid = validate_repo(repo_root, "data");
347
348 if (valid == -1) {
321 goto badargs;
349 goto badargs;
322 }
350 }
323
351
324 /* verify that we really are looking at valid repo. */
352 if (valid == 0) {
353 valid = validate_repo(repo_root, "store");
325
354
326 if (stat(abs_path, &st) == -1) {
355 if (valid == -1) {
356 goto badargs;
357 }
358 }
359
360 if (valid == 0) {
327 perror(repo);
361 perror(repo);
328 exit(EX_DATAERR);
362 exit(EX_DATAERR);
329 }
363 }
330 }
364 }
331
365
332 if (chdir(hg_root) == -1) {
366 if (chdir(hg_root) == -1) {
333 perror(hg_root);
367 perror(hg_root);
334 exit(EX_SOFTWARE);
368 exit(EX_SOFTWARE);
335 }
369 }
336 }
370 }
337
371
338 i = 0;
372 i = 0;
339
373
340 switch (cmd) {
374 switch (cmd) {
341 case hg_serve:
375 case hg_serve:
342 nargv[i++] = HG;
376 nargv[i++] = HG;
343 nargv[i++] = "-R";
377 nargv[i++] = "-R";
344 nargv[i++] = repo;
378 nargv[i++] = repo;
345 nargv[i++] = "serve";
379 nargv[i++] = "serve";
346 nargv[i++] = "--stdio";
380 nargv[i++] = "--stdio";
347 break;
381 break;
348 case hg_init:
382 case hg_init:
349 nargv[i++] = HG;
383 nargv[i++] = HG;
350 nargv[i++] = "init";
384 nargv[i++] = "init";
351 nargv[i++] = repo;
385 nargv[i++] = repo;
352 break;
386 break;
353 }
387 }
354
388
355 nargv[i] = NULL;
389 nargv[i] = NULL;
356
390
357 if (debug) {
391 if (debug) {
358 print_cmdline(i, nargv);
392 print_cmdline(i, nargv);
359 }
393 }
360
394
361 execv(HG, nargv);
395 execv(HG, nargv);
362 perror(HG);
396 perror(HG);
363 exit(EX_UNAVAILABLE);
397 exit(EX_UNAVAILABLE);
364
398
365 badargs:
399 badargs:
366 /* print useless error message. */
400 /* print useless error message. */
367
401
368 usage("invalid arguments", EX_DATAERR);
402 usage("invalid arguments", EX_DATAERR);
369 }
403 }
370
404
371 int main(int argc, char **argv)
405 int main(int argc, char **argv)
372 {
406 {
373 char host[1024];
407 char host[1024];
374 char *c;
408 char *c;
375
409
376 if (gethostname(host, sizeof(host)) == -1) {
410 if (gethostname(host, sizeof(host)) == -1) {
377 perror("gethostname");
411 perror("gethostname");
378 exit(EX_OSERR);
412 exit(EX_OSERR);
379 }
413 }
380
414
381 if ((c = strchr(host, '.')) != NULL) {
415 if ((c = strchr(host, '.')) != NULL) {
382 *c = '\0';
416 *c = '\0';
383 }
417 }
384
418
385 if (getenv("SSH_CLIENT")) {
419 if (getenv("SSH_CLIENT")) {
386 char *hg_gateway = HG_GATEWAY;
420 char *hg_gateway = HG_GATEWAY;
387 char *hg_host = HG_HOST;
421 char *hg_host = HG_HOST;
388
422
389 if (hg_gateway && strcmp(host, hg_gateway) == 0) {
423 if (hg_gateway && strcmp(host, hg_gateway) == 0) {
390 forward_through_gateway(argc, argv);
424 forward_through_gateway(argc, argv);
391 }
425 }
392
426
393 if (hg_host && strcmp(host, hg_host) != 0) {
427 if (hg_host && strcmp(host, hg_host) != 0) {
394 usage("invoked on unexpected host", EX_USAGE);
428 usage("invoked on unexpected host", EX_USAGE);
395 }
429 }
396
430
397 serve_data(argc, argv);
431 serve_data(argc, argv);
398 } else if (HG_SHELL) {
432 } else if (HG_SHELL) {
399 run_shell(argc, argv);
433 run_shell(argc, argv);
400 } else {
434 } else {
401 usage("invalid arguments", EX_DATAERR);
435 usage("invalid arguments", EX_DATAERR);
402 }
436 }
403
437
404 return 0;
438 return 0;
405 }
439 }
General Comments 0
You need to be logged in to leave comments. Login now