commit dfc2315d693b6e4b538b1a54e4c5b55440c05ad0
parent 8d339fbd84cdcdbdf0693a41618d77876325b708
Author: Matthias Jaros <jaros@mailbox.org>
Date: Mon, 27 Oct 2025 10:27:47 +0100
Added banner and renamed run script to git-run
Diffstat:
6 files changed, 56 insertions(+), 51 deletions(-)
diff --git a/Dockerfile b/Dockerfile
@@ -11,9 +11,11 @@ COPY src/sudo-git /etc/sudoers.d/
# copy scrips
COPY src/env /usr/local/bin/
COPY src/init /usr/local/bin/
-COPY src/run /usr/local/bin/
+COPY src/git-run /usr/local/bin/
RUN chmod 755 /usr/local/bin/env
RUN chmod 755 /usr/local/bin/init
-RUN chmod 755 /usr/local/bin/run
+RUN chmod 755 /usr/local/bin/git-run
+
+COPY src/version /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/init"]
diff --git a/src/git-run b/src/git-run
@@ -0,0 +1,45 @@
+#!/usr/bin/env fish
+
+# load environment
+source (dirname (status --current-filename))/env
+
+set -l gitCommand
+set -l repoDir
+
+# redirect stdout/stderr to file, no information to potential attacker
+begin
+ # check given git command
+ # basic form is <git-command> '<path-to-repo>'
+ set -l currentUser (whoami)
+ set -l matcher (string match -r -g $_GIT_VALIDATION_REGEX -- "$argv")
+ if test (count $matcher) -ne 2
+ echo "$(date -Is): DENY bad_format user=$currentUser ip=$SSH_CONNECTION argv=$argv"
+ exit 1
+ end
+
+ # extract variables from git command
+ set gitCommand $matcher[1]
+ set -l repo $matcher[2]
+
+ # adjust repo path to /srv/repos
+ set repoDir /(string join -n '/' srv repos (string split '/' $repo))
+
+ # check if realPath is in jail under /srv/repos
+ set -l realPath (realpath $repoDir)
+ if not string match -r -q -- "/srv/repos/.*" "$realPath"
+ echo "$(date -Is): DENY jail_escape user=$currentUser ip=$SSH_CONNECTION realPath=$realPath argv=$argv"
+ exit 2
+ end
+
+ # check for permissions
+ if not cat $_REPO_PERMISSIONS_FILE | grep -q -E "^$repoDir:$currentUser\$"
+ echo "$(date -Is): DENY no_permissions user=$currentUser ip=$SSH_CONNECTION argv=$argv"
+ exit 3
+ end
+
+ # info logging
+ echo "$(date -Is): ALLOW ok user=$currentUser ip=$SSH_CONNECTION argv=$argv"
+end &>>$_LOG
+
+# execute parsed git command
+/usr/bin/sudo -u git /usr/bin/git-shell -c "$gitCommand '$repoDir'"
+\ No newline at end of file
diff --git a/src/init b/src/init
@@ -2,6 +2,7 @@
# load environment
source (dirname (status --current-filename))/env
+set VERSION (cat (dirname (status --current-filename))/version)
#
#
@@ -34,7 +35,7 @@ function createUser
# add user to sudo group
addgroup "$user" $_GIT_SUDO_GROUP
# unlock account to allow ssh logins
- passwd -u "$user"
+ passwd -u "$user" &>/dev/null
mkdir "$HOME/.ssh"
echo "$key" > "$HOME/.ssh/authorized_keys"
chown -R $user "$HOME"
@@ -124,7 +125,7 @@ function showBanner
|___/
'
echo
- echo Copyright Matthias Jaros 2025
+ echo Version $VERSION Copyright Matthias Jaros 2025
echo
end
diff --git a/src/run b/src/run
@@ -1,45 +0,0 @@
-#!/usr/bin/env fish
-
-# load environment
-source (dirname (status --current-filename))/env
-
-set -l gitCommand
-set -l repoDir
-
-# redirect stdout/stderr to file, no information to potential attacker
-begin
- # check given git command
- # basic form is <git-command> '<path-to-repo>'
- set -l currentUser (whoami)
- set -l matcher (string match -r -g $_GIT_VALIDATION_REGEX -- "$argv")
- if test (count $matcher) -ne 2
- echo "$(date -Is): DENY bad_format user=$currentUser ip=$SSH_CONNECTION argv=$argv"
- exit 1
- end
-
- # extract variables from git command
- set gitCommand $matcher[1]
- set -l repo $matcher[2]
-
- # adjust repo path to /srv/repos
- set repoDir /(string join -n '/' srv repos (string split '/' $repo))
-
- # check if realPath is in jail under /srv/repos
- set -l realPath (realpath $repoDir)
- if not string match -r -q -- "/srv/repos/.*" "$realPath"
- echo "$(date -Is): DENY jail_escape user=$currentUser ip=$SSH_CONNECTION realPath=$realPath argv=$argv"
- exit 2
- end
-
- # check for permissions
- if not cat $_REPO_PERMISSIONS_FILE | grep -q -E "^$repoDir:$currentUser\$"
- echo "$(date -Is): DENY no_permissions user=$currentUser ip=$SSH_CONNECTION argv=$argv"
- exit 3
- end
-
- # info logging
- echo "$(date -Is): ALLOW user=$currentUser ip=$SSH_CONNECTION argv=$argv"
-end &>>$_LOG
-
-# execute parsed git command
-/usr/bin/sudo -u git /usr/bin/git-shell -c "$gitCommand '$repoDir'"
-\ No newline at end of file
diff --git a/src/ssh.conf b/src/ssh.conf
@@ -18,7 +18,7 @@ SyslogFacility AUTH
LogLevel INFO
# Force run script that checks for permissions and runs sudo
-ForceCommand /usr/local/bin/run "$SSH_ORIGINAL_COMMAND"
+ForceCommand /usr/local/bin/git-run "$SSH_ORIGINAL_COMMAND"
# git user has access to EVERYTHING. no login should be possible
DenyUsers git
diff --git a/src/version b/src/version
@@ -0,0 +1 @@
+1.0
+\ No newline at end of file