#!/bin/sh

# Copyright 2004 River of Stars, LLC
# Copyright 2004 University Corporation for Atmospheric Research

# $Id: restrictrsyncpush.sh,v 1.1 2004/02/18 06:30:10 rjohnson Exp $

# install this as the forced command in an ssh authorized key
# to allow only rsync pushes when authenticated via that key

# additional recommended options on the key:
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding,
#   no-pty,from="host-to-be-backed-up.example.com"
# and of course
#   command="restrictrsyncpush.sh"

# Brian Hatch has a good tutorial for this feature:
#   http://www.hackinglinuxexposed.com/articles/20030109.html
#     also http://www.landfield.com/isn/mail-archive/2003/Jan/0049.html
#     also http://seclists.org/lists/isn/2003/Jan/0050.html
# He's also extended and generalized it with a configurable
# wrapper if you don't mind cranking out a Perl instance
#   http://www.hackinglinuxexposed.com/articles/20030115.html
#   http://www.hackinglinuxexposed.com/tools/authprogs/

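# The server-side command resulting from a pull such as
# 'rsync -[v]*a[z] target.example.com:/rpath/bar /path/foo' will be:
#   rsync --server --sender -[v]*logDtpr[z] . /rpath/bar
# A push arrives as the same command without '--sender'; that is the only
# form this script lets through.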

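# SSH_ORIGINAL_COMMAND is text chosen by the remote client. It is split into
# words exactly once, and those same words are both checked and executed.
# 'set -f' turns off pathname expansion: without it the unquoted expansion
# would also glob against files on this host, so the text that was checked
# could differ from the argv that finally runs.
set -f
# shellcheck disable=SC2086  # word splitting is intended here
set -- $SSH_ORIGINAL_COMMAND

# Single-line, single-space form of the request. Used for matching and for
# logging: embedded newlines and tabs are gone, so one request stays one
# log line. printf (not echo) is used below because echo may swallow a
# leading option or rewrite backslash sequences before grep sees the text.
request="$*"

# disallow '--sender': that option makes this host the sending side, i.e.
# the client is trying to pull data back instead of pushing it
case $request in
*--sender*)
	logger -i -s -p auth.notice -t restrictrsyncpush \
	   "rsync push process attempted to pull data from destination using command: $request"
	exit 1
	;;
esac

# ensure original command starts with proper rsync details
# (not yet checked: path syntax, presence of proper options like --delete,
# --partial). Everything after the option string -- further options and the
# destination path -- is passed to rsync unvalidated; pin the destination
# here, or use the rrsync helper shipped with rsync, if the key must be
# confined to one directory.
# NOTE(review): the original pattern wrote '[z]', which as a bracket
# expression requires a 'z', so pushes without compression are refused.
# The accepted set is kept unchanged here; confirm whether 'z' was meant to
# be optional.
# NOTE(review): the option string matches 2004-era rsync clients; newer
# clients may send a different string and be refused -- verify before relying
# on this with a current rsync.
if printf '%s\n' "$request" | grep -q '^rsync --server -v*logDtprz '; then
	logger -i -p auth.info -t restrictrsyncpush \
	   "rsync push process executing command: $request"
	# run exactly the words that were validated above
	exec "$@"
	# only reached if exec itself failed; never report that as success
	exit 1
else
	logger -i -s -p auth.warn -t restrictrsyncpush \
	   "rsync push process improper command: $request"
	exit 1
fi

# NOTREACHED
exit 1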

