From 6f0134e084d22c2dca5efbfbf3a20fc5f26b4198 Mon Sep 17 00:00:00 2001
From: Ramy Asselin
Date: Wed, 23 Sep 2015 11:18:28 -0700
Subject: [PATCH] Restrict commands allowed by fc passthrough key Currently the fc passthrough key will allow the vm host to run any command on the hypervisor. Instead, restrict the commands to just what is needed.
Change-Id: I210d646c4155d526912d9bee3865d239e08d5de4
---
.../fibre_channel/fc_commands.sh | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100755 provisioning_scripts/fibre_channel/fc_commands.sh
diff --git a/provisioning_scripts/fibre_channel/fc_commands.sh b/provisioning_scripts/fibre_channel/fc_commands.sh
new file mode 100755
index 0000000..dbf5bef
--- /dev/null
+++ b/provisioning_scripts/fibre_channel/fc_commands.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+# Copyright (C) 2015 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+#
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script is to restrict which commands the FC passthrough is allowed
+# to run using its key.
+# To use it, copy it to /usr/local/bin/fc_commands.sh
+# Then update the user's .ssh/authorize key file with the following line:
+# command="/usr/local/bin/fc_commands.sh",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa fc-passthrough
+#
+# If you override the default values for some parameters in the
+# invoke_fc_passthrough.sh script, you will need to update the
+# list of ALLOWED_CMDS. For example: PROVIDER_RC & FC_PCI_VAR_NAME.
+# This script assumes the default values.
+
+SSH_ORIGINAL_COMMAND=${SSH_ORIGINAL_COMMAND:-$1}
+IFS=$'\n'
+ALLOWED_CMDS="
+^source keystonerc_jenkins \&\& nova list$
+^source keystonerc_jenkins \&\& nova show [a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+$
+^virsh nodedev-dettach pci_0000_[02][51]_00_[23]$
+^scp -t /tmp/$
+^virsh attach-device instance-[0-9a-f]* /tmp/tmp.*_fcoe.xml$
+^echo \\\$fc_pci_device$"
+
+#Don't allow any sudo commands
+if [[ ! $SSH_ORIGINAL_COMMAND =~ sudo ]]; then
+ for CMD in $ALLOWED_CMDS
+ do
+ if [[ $SSH_ORIGINAL_COMMAND =~ $CMD ]]; then
+ eval $SSH_ORIGINAL_COMMAND
+ # exit with the invoked command's return code for benefit of the caller
+ exit $?
+ fi
+ done
+fi
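Review bot: The `virsh attach-device` entry in ALLOWED_CMDS uses `.*` for the temp-file name, and because a matching string is then passed to `eval $SSH_ORIGINAL_COMMAND`, any shell syntax that fits between `/tmp/tmp` and `_fcoe.xml` is interpreted by the shell, so the allowlist does not bound what the key can run. Restrict that span to the characters the file name can actually contain, e.g. `^virsh attach-device instance-[0-9a-f]+ /tmp/tmp\.[A-Za-z0-9]+_fcoe\.xml$` (this assumes the name comes from mktemp's default template; adjust it to what invoke_fc_passthrough.sh really produces). The `sudo` substring test should not be treated as the control, since it adds nothing once every pattern is anchored and free of wildcards. A command that matches no pattern currently falls off the end of the script with status 0 and leaves no trace; ending the script with `logger -t fc_commands "rejected: $SSH_ORIGINAL_COMMAND"` followed by `exit 1` would make refusals visible to the caller and in the hypervisor's logs.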