Skip to content

@elebertus /gist:2347722
Created

Embed URL

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
#!/usr/bin/env perl
# -*- perl -*-
# location of the server-side scp we want to run
$scp_server = "/usr/bin/scp";
sub fail {
my ($msg) = @_;
print STDERR $msg, "\n";
exit 1;
}
# This just makes me feel better.
$TRUE = (0 == 0);
$FALSE = (0 == 1);
# Since this script is called as a forced command, need to get the
# original scp command given by the client.
($command = $ENV{SSH_ORIGINAL_COMMAND})
|| fail;
# Split the command string to make an argument list, and remove the first
# element (the command name; we'll supply our own);
@scp_argv = split /[ \t]+/, $command;
# Complain if the command is not "scp".
fail "account restricted: only scp is allowed"
unless $scp_argv[0] eq "scp";
# Wipe the environment as a security precaution. This might conceivably
# break something, but if it does you can filter the environment more
# selectively here.
%ENV = ();
# Ensure that either -t or -f is on the command line, to enforce running
# scp in server mode.
$ok = $FALSE;
foreach $arg (@scp_argv) {
if ($arg eq '-t' || $arg eq '-f') {
$ok = $TRUE;
last;
}
}
fail "Restricted; only server mode allowed."
unless $ok;
# if we're OK, run our desired "scp" with arguments.
shift(@scp_argv);
exec($scp_server, @scp_argv);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.