gistfile1.pl
#!/usr/bin/env perl
# -*- perl -*-
 
# Absolute path of the scp binary this wrapper hands control to.  Using a
# fixed absolute path means the program that runs never depends on PATH.
$scp_server = '/usr/bin/scp';
 
# Report a fatal condition and stop.
#   $msg - text written to STDERR, followed by a newline.
# Never returns: the process exits with status 1.
sub fail {
    my $reason = shift;
    print STDERR $reason, "\n";
    exit 1;
}
 
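# Policy logic of the wrapper: accept only an scp invocation in server mode
# and hand it to the fixed scp binary.  Strictures apply from here on.
use strict;
use warnings;

# Package global assigned near the top of this file: absolute path of the
# scp binary to execute.
our $scp_server;

# Since this script is called as a forced command, the command the client
# originally asked for is only available in SSH_ORIGINAL_COMMAND.  Refuse
# with a diagnostic when it is missing or empty (e.g. an interactive login).
my $command = $ENV{SSH_ORIGINAL_COMMAND};
fail("account restricted: only scp is allowed")
    unless defined $command && length $command;

# Split the command string on blanks to make an argument list.  No shell
# quoting is interpreted, so file names containing spaces are not supported;
# in exchange, nothing in the client-supplied string is ever parsed by a
# shell.
my @scp_argv = split /[ \t]+/, $command;

# Complain if the command is not "scp".  The emptiness check covers a
# command that consisted of whitespace only.
fail("account restricted: only scp is allowed")
    unless @scp_argv && $scp_argv[0] eq 'scp';

# Wipe the environment as a security precaution.  This might conceivably
# break something, but if it does you can filter the environment more
# selectively here.
%ENV = ();

# Ensure that either -t or -f is on the command line, to enforce running
# scp in server mode.
my $server_mode = grep { $_ eq '-t' || $_ eq '-f' } @scp_argv;
fail("Restricted; only server mode allowed.")
    unless $server_mode;

# NOTE(review): this wrapper limits which program runs, not which paths scp
# may read or write.  Files that configure the restriction itself (the
# account's authorized_keys, if the forced command is set there) should not
# be writable by the restricted account, or the restriction can be undone.

# Drop the client's command name and run our own scp with the remaining
# arguments.  The block form of exec never goes through a shell, even for a
# one-element list.  exec only returns on failure, so report it instead of
# falling off the end of the script with a success status.
shift @scp_argv;
exec { $scp_server } $scp_server, @scp_argv
    or fail("cannot execute $scp_server: $!");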
