Create a gist now

Instantly share code, notes, and snippets.

#!/usr/bin/env perl
# -*- perl -*-
# location of the server-side scp we want to run
$scp_server = "/usr/bin/scp";
sub fail {
my ($msg) = @_;
print STDERR $msg, "\n";
exit 1;
# This just makes me feel better.
$TRUE = (0 == 0);
$FALSE = (0 == 1);
# Since this script is called as a forced command, need to get the
# original scp command given by the client.
|| fail;
# Split the command string to make an argument list, and remove the first
# element (the command name; we'll supply our own);
@scp_argv = split /[ \t]+/, $command;
# Complain if the command is not "scp".
fail "account restricted: only scp is allowed"
unless $scp_argv[0] eq "scp";
# Wipe the environment as a security precaution. This might conceivably
# break something, but if it does you can filter the environment more
# selectively here.
%ENV = ();
# Ensure that either -t or -f is on the command line, to enforce running
# scp in server mode.
$ok = $FALSE;
foreach $arg (@scp_argv) {
if ($arg eq '-t' || $arg eq '-f') {
$ok = $TRUE;
fail "Restricted; only server mode allowed."
unless $ok;
# if we're OK, run our desired "scp" with arguments.
exec($scp_server, @scp_argv);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment