#!/bin/sh

   ###########################################################
  #                                                          #
 #           Written 6/20/08 by Jeff Schroeder             # #
###########################################################  #
#                                                         #  #
# ssh-trigger-verify - Verify a command is allowed to be  #  #
#                      run on the server when used in     #  #
#                      conjunction with ssh triggers      #  #
#                                                         # #
###########################################################
# $Id$

# Originally based on the script below. Extended to block more attacks
# http://troy.jdmz.net/rsync/index.html

# Also see ssh(1) and search for command=

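# Allowlist consulted by the final case arm below: one permitted command per
# line. Every line in this file is something a holder of the restricted key
# can run, so the file should be writable only by an administrator.
# readonly guards against an accidental reassignment later in the script.
readonly CONFIG_FILE='/etc/ssh-trigger-verify.conf'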
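# Record the rejected command in syslog and abort.
# Globals:   SSH_ORIGINAL_COMMAND (read) - command text sent by the client
# Outputs:   one syslog entry via logger(1), tagged with this script's name
# Returns:   never; exits the shell with status 1
log_and_die() {
   # ${0##*/} takes the script name without forking basename; the original
   # unquoted $0 was word-split when the install path contained whitespace.
   # The logged text is client-controlled, so treat it as untrusted data
   # when reading or parsing these log entries.
   logger -t "${0##*/}" "Command not allowed: \"$SSH_ORIGINAL_COMMAND\""
   exit 1
}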

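# Protect against basic attacks and then run the command.
# SSH_ORIGINAL_COMMAND comes from the connecting client and is untrusted:
# shell metacharacters are refused first, then the remaining text must equal
# one line of $CONFIG_FILE exactly before it is executed.
case "$SSH_ORIGINAL_COMMAND" in
    # Nothing requested (e.g. an interactive login). An empty pattern would
    # otherwise match any blank line in the config file.
    '')
        log_and_die
    ;;
    # grep treats every line of a multi-line pattern as its own pattern, so a
    # single allowed line would carry the remaining lines through the check
    *'
'*)
        log_and_die
    ;;
    # Running embedded commands could be bad
    *\`*)
        log_and_die
    ;;
    # echo "$(evil-command)" aka same as above
    *\$\(*)
        log_and_die
    ;;
    # command1 && evil-command-2
    *\&\&*)
        log_and_die
    ;;
    # command 1 || evil-command-3
    *\|\|*)
        log_and_die
    ;;
    # No subshells
    *\(*)
        log_and_die
    ;;
    # Same as above
    *\{*)
        log_and_die
    ;;
    # Chaining multiple commands
    *\;*)
        log_and_die
    ;;
    # Reading files via stdin
    *\<*)
        log_and_die
    ;;
    *)
        # Is the requested command on the allowlist?
        #   -F  compare as a literal string; the client's text must never be
        #       interpreted as a regular expression, or a pattern could match
        #       an allowed line while something else gets executed
        #   -x  the whole line must match, not a substring
        #   -e  keeps a leading '-' in the command from being read as an option
        # stderr is discarded: a missing or unreadable config makes grep fail,
        # which lands in the else branch and denies the command.
        if grep -Fxq -e "$SSH_ORIGINAL_COMMAND" -- "$CONFIG_FILE" 2>/dev/null; then
            # Deliberately unquoted so the allowed line is split into a
            # command and its arguments. No eval is involved, so operators
            # in the text are not re-parsed by the shell; only word splitting
            # and pathname expansion apply, and only to text that equals an
            # allowlisted line.
            $SSH_ORIGINAL_COMMAND
        else
            log_and_die
        fi
    ;;
esac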
