From f89d943fc55e7d9bf4fd197fa0e2cb6500952ce4 Mon Sep 17 00:00:00 2001 From: Matthias Lucas Jaros Date: Mon, 27 Oct 2025 10:27:47 +0100 Subject: Added banner and renamed run script to git-run --- src/run | 45 --------------------------------------------- 1 file changed, 45 deletions(-) delete mode 100755 src/run (limited to 'src/run') diff --git a/src/run b/src/run deleted file mode 100755 index 51d912c..0000000 --- a/src/run +++ /dev/null @@ -1,45 +0,0 @@ -#!/usr/bin/env fish - -# load environment -source (dirname (status --current-filename))/env - -set -l gitCommand -set -l repoDir - -# redirect stdout/stderr to file, no information to potential attacker -begin - # check given git command - # basic form is '' - set -l currentUser (whoami) - set -l matcher (string match -r -g $_GIT_VALIDATION_REGEX -- "$argv") - if test (count $matcher) -ne 2 - echo "$(date -Is): DENY bad_format user=$currentUser ip=$SSH_CONNECTION argv=$argv" - exit 1 - end - - # extract variables from git command - set gitCommand $matcher[1] - set -l repo $matcher[2] - - # adjust repo path to /srv/repos - set repoDir /(string join -n '/' srv repos (string split '/' $repo)) - - # check if realPath is in jail under /srv/repos - set -l realPath (realpath $repoDir) - if not string match -r -q -- "/srv/repos/.*" "$realPath" - echo "$(date -Is): DENY jail_escape user=$currentUser ip=$SSH_CONNECTION realPath=$realPath argv=$argv" - exit 2 - end - - # check for permissions - if not cat $_REPO_PERMISSIONS_FILE | grep -q -E "^$repoDir:$currentUser\$" - echo "$(date -Is): DENY no_permissions user=$currentUser ip=$SSH_CONNECTION argv=$argv" - exit 3 - end - - # info logging - echo "$(date -Is): ALLOW user=$currentUser ip=$SSH_CONNECTION argv=$argv" -end &>>$_LOG - -# execute parsed git command -/usr/bin/sudo -u git /usr/bin/git-shell -c "$gitCommand '$repoDir'" \ No newline at end of file -- cgit v1.3.1