diff options
| author | 2025-10-19 11:25:21 +0200 | |
|---|---|---|
| committer | 2025-10-19 11:25:21 +0200 | |
| commit | 40fa1d2fbd1e5feb9e0f8228288c9fb5e031932d (patch) | |
| tree | f303d9f8ca98da8f37115ad780e62afe7295e277 | |
| parent | 69ce1bb94cbf651327bee1cc10157b578c88a279 (diff) | |
It works, permission check missing
| -rw-r--r-- | Dockerfile | 11 | ||||
| -rw-r--r-- | docker-compose.yml | 4 | ||||
| -rwxr-xr-x | init | 54 | ||||
| -rwxr-xr-x | run | 47 | ||||
| -rw-r--r-- | ssh.conf | 10 | ||||
| -rw-r--r-- | sudo-git | 2 |
6 files changed, 75 insertions, 53 deletions
@@ -1,9 +1,16 @@ FROM alpine -RUN apk add --no-cache openssh-server fish git +RUN apk add --no-cache openssh-server fish git sudo # Modified ssh conf with disabled root login and no password authentication COPY ssh.conf /etc/ssh/sshd_config.d/ +COPY sudo-git /etc/sudoers.d/ +# required for permission check COPY run /usr/local/bin/ RUN chmod +x /usr/local/bin/run -ENTRYPOINT ["/usr/local/bin/run"] + +# required for starting +COPY init /usr/local/bin/ +RUN chmod +x /usr/local/bin/init +ENTRYPOINT ["/usr/local/bin/init"] + diff --git a/docker-compose.yml b/docker-compose.yml index fa8f5d7..6327962 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,9 +9,9 @@ services: restart: no command: - "--users" - - test + - pass,yolo - "--repos" - - pass:test + - pass:pass volumes: - ./keys:/var/keys - ./repos:/srv/repos @@ -0,0 +1,54 @@ +#!/usr/bin/env fish + +argparse 'u/users=+' 'r/repos=+' -- $argv +or exit 1; + +# setup git user +adduser git -D --shell "/usr/bin/git-shell" + +# create users and copy keys in correct location, set permissions +for user in (string split ',' $_flag_u) + echo "Setting up user: $user" + if [ "$user" = git ] + echo "Denied because user git is reserved" + continue + end + + set -l HOME "/home/$user" + # user is not restricted, this is done in ssh config with forceCommand + # we need to be able to run a fish script to check for permissions + adduser --home $HOME -D "$user" + passwd -u "$user" + mkdir "$HOME/.ssh" + cp "/var/keys/$user/authorized_keys" "$HOME/.ssh/" + chown -R $user "$HOME" + chmod -R 700 "$HOME" +end + +for repoConfig in (string split ',' $_flag_r) + set -l parsedConfig (string split ':' $repoConfig) + set -l repo $parsedConfig[1] + + # we assume all repos to be in /srv/repos + set -l repoDir "/srv/repos/$repo.git" + echo "Setting up repo: $repo" + + # write user as allowed into permission file + for user in $parsedConfig[2..] + echo "$repo:$user" >> /srv/repos/permissions + end + + # setup repo dir + if not test -d $repoDir + mkdir -p $repoDir + git init --bare $repoDir -b trunk + end + chown -R git:git "$repoDir" + chmod -R 700 "$repoDir" +end + +echo "Setting up server" +# generate host keys in case +mkdir -p /var/keys/etc/ssh/ && ssh-keygen -A -f /var/keys +# run ssh daemon +/usr/sbin/sshd -D -e @@ -1,45 +1,8 @@ #!/usr/bin/env fish -argparse 'u/users=+' 'r/repos=+' -- $argv -or exit 1; +# echo check for permissions +set -l USER (whoami) +#cat /srv/repos/permission | grep -E "^ -# create users and copy keys in correct location, set permissions -for user in (string split ',' $_flag_u) - echo "Setting up user: $user" - set -l HOME "/home/$user" - adduser --home $HOME -D "$user" --shell "/usr/bin/git-shell" - passwd -u "$user" - mkdir "$HOME/.ssh" - cp "/var/keys/$user/authorized_keys" "$HOME/.ssh/" - chown -R $user "$HOME" - chmod -R 700 "$HOME" -end - -for repoConfig in (string split ',' $_flag_r) - set -l parsedConfig (string split ':' $repoConfig) - set -l repo $parsedConfig[1] - - # we assume all repos to be in /srv/repos - set -l repoDir "/srv/repos/$repo" - echo "Setting up repo: $repo" - addgroup "$repo" - - # assign groups to user - for user in $parsedConfig[2..] - adduser "$user" "$repo" - id "$user" - end - - # setup repo dir - if not test -d $repoDir - mkdir -p $repoDir - git init --bare $repoDir -b trunk - end - chgrp -R "$repo" "$repoDir" -end - -echo "Setting up server" -# generate host keys in case -mkdir -p /var/keys/etc/ssh/ && ssh-keygen -A -f /var/keys -# run ssh daemon -/usr/sbin/sshd -D -e +# run command +/usr/bin/sudo -u git /usr/bin/git-shell -c "$argv" @@ -10,11 +10,7 @@ SyslogFacility AUTH LogLevel INFO PermitTTY no -#AllowAgentForwarding yes +AllowAgentForwarding no -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# PermitTTY no -# ForceCommand cvs server +# Force our run script that checks for permissions and runs sudo +ForceCommand /usr/local/bin/run "$SSH_ORIGINAL_COMMAND" diff --git a/sudo-git b/sudo-git new file mode 100644 index 0000000..6a5fc22 --- /dev/null +++ b/sudo-git @@ -0,0 +1,2 @@ +Defaults:pass !requiretty +pass ALL=(git) NOPASSWD: /usr/bin/git-shell |
