Restrict commands allowed by fc passthrough key

Currently the fc passthrough key will allow the vm host
to run any command on the hypervisor. Instead, restrict the
commands to just what is needed.

Change-Id: I210d646c4155d526912d9bee3865d239e08d5de4
Ramy Asselin 2015-09-23 11:18:28 -07:00
parent 22c5f17d19
commit 6f0134e084
1 changed files with 50 additions and 0 deletions


@ -0,0 +1,50 @@
#!/bin/bash
# Copyright (C) 2015 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
# This script is to restrict which commands the FC passthrough is allowed
# to run using its key.
# To use it, copy it to /usr/local/bin/fc_commands.sh
# Then update the user's .ssh/authorize key file with the following line:
# command="/usr/local/bin/fc_commands.sh",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa <fc-passthrough-public-key> fc-passthrough
#
# If you override the default values for some parameters in the
# invoke_fc_passthrough.sh script, you will need to update the
# list of ALLOWED_CMDS. For example: PROVIDER_RC & FC_PCI_VAR_NAME.
# This script assumes the default values.
SSH_ORIGINAL_COMMAND=${SSH_ORIGINAL_COMMAND:-$1}
IFS=$'\n'
ALLOWED_CMDS="
^source keystonerc_jenkins \&\& nova list$
^source keystonerc_jenkins \&\& nova show [a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+$
^virsh nodedev-dettach pci_0000_[02][51]_00_[23]$
^scp -t /tmp/$
^virsh attach-device instance-[0-9a-f]* /tmp/tmp.*_fcoe.xml$
^echo \\\$fc_pci_device$"
#Don't allow any sudo commands
if [[ ! $SSH_ORIGINAL_COMMAND =~ sudo ]]; then
for CMD in $ALLOWED_CMDS
do
if [[ $SSH_ORIGINAL_COMMAND =~ $CMD ]]; then
eval $SSH_ORIGINAL_COMMAND
# exit with the invoked command's return code for benefit of the caller
exit $?
fi
done
fi
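Review bot: The allow-list entry on line 50 still lets the VM host run arbitrary commands, because `.*` in `/tmp/tmp.*_fcoe.xml$` matches shell metacharacters and the whole matched string is then handed to `eval` on line 57 — for example `virsh attach-device instance- /tmp/tmp.; cat /etc/shadow >/tmp/tmp._fcoe.xml` satisfies the pattern (the `*` quantifier also accepts an empty instance id and the unescaped dots match any character). If these paths come from mktemp's default template, tighten it to that shape, e.g. `^virsh attach-device instance-[0-9a-f]+ /tmp/tmp\.[A-Za-z0-9]+_fcoe\.xml$`, and apply the same escaping to the other entries, since the anchored regexes are the only thing standing between this key and a shell. Separately, a rejected command falls off the end of the script with exit status 0 and no diagnostic, so a caller cannot distinguish refusal from success; add `echo "fc_commands: command not allowed: $SSH_ORIGINAL_COMMAND" >&2; exit 1` after the loop. Note that the `scp -t /tmp/` entry accepts any file name the client chooses under /tmp, so the XML later fed to `virsh attach-device` is entirely caller-controlled — presumably an accepted part of the design, but it is worth stating in the header comment.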