authorJan Dittberner <jandd@cacert.org>2019-08-02 07:16:08 +0200
committerJan Dittberner <jandd@cacert.org>2019-08-02 07:16:08 +0200
commit6d6b694ff4a5f88b71ba8bd190a73e70e3c05307 (patch)
tree0bf0d23a7c2d2cd0d0cb465117c6c7e4fad3deaa
parentc0067da16c29e314cb7088325c07c6a4965642d7 (diff)
Set up rssh to restrict uploads to sftp and scp
-rw-r--r--sitemodules/profiles/files/debarchive/rssh.global.conf54
-rw-r--r--sitemodules/profiles/manifests/debarchive.pp45
2 files changed, 79 insertions, 20 deletions
diff --git a/sitemodules/profiles/files/debarchive/rssh.global.conf b/sitemodules/profiles/files/debarchive/rssh.global.conf
new file mode 100644
index 0000000..9cf41e5
--- /dev/null
+++ b/sitemodules/profiles/files/debarchive/rssh.global.conf
@@ -0,0 +1,54 @@
+# THIS FILE IS MANAGED BY PUPPET. MANUAL CHANGES WILL BE OVERWRITTEN BY THE
+# NEXT PUPPET RUN!
+
+# set the log facility. "LOG_USER" and "user" are equivalent.
+logfacility = LOG_USER
+
+# Leave these all commented out to make the default action for rssh to lock
+# users out completely...
+
+#allowscp
+#allowsftp
+#allowcvs
+#allowrdist
+#allowrsync
+#allowsvnserve
+
+# set the default umask
+umask = 022
+
+# If you want to chroot users, use this to set the directory where the root of
+# the chroot jail will be located.
+#
+# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
+# chrootpath = /usr/local/chroot
+
+# You can quote anywhere, but quotes not required unless the path contains a
+# space... as in this example.
+#chrootpath = "/usr/local/my chroot"
+
+##########################################
+# EXAMPLES of configuring per-user options
+
+#user=rudy:077:000100: # the path can simply be left out to not chroot
+#user=rudy:077:000100 # the ending colon is optional
+
+#user=rudy:011:001000: # cvs, with no chroot
+#user=rudy:011:010000: # rdist, with no chroot
+#user=rudy:011:100000: # rsync, with no chroot
+#user=rudy:011:000001: # svnserve, with no chroot
+#user="rudy:011:000010:/usr/local/chroot" # whole user string can be quoted
+#user=rudy:01"1:000010:/usr/local/chroot" # or somewhere in the middle, freak!
+#user=rudy:'011:000010:/usr/local/chroot' # single quotes too
+
+# if your chroot_path contains spaces, it must be quoted...
+# In the following examples, the chroot_path is "/usr/local/my chroot"
+#user=rudy:011:000010:"/usr/local/my chroot" # scp with chroot
+#user=rudy:011:000100:"/usr/local/my chroot" # sftp with chroot
+#user=rudy:011:000110:"/usr/local/my chroot" # both with chroot
+
+# Spaces before or after the '=' are fine, but spaces in chrootpath need
+# quotes.
+#user = "rudy:011:000010:/usr/local/my chroot"
+#user = "rudy:011:000010:/usr/local/my chroot" # neither do comments at line end
+
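Review bot: The per-user fragment appended in debarchive.pp (`user=debarchive:022:0001100:/srv/upload`) carries a seven-digit access field, while every example in this file (`000110` for "both with chroot") documents six positions — rsync, rdist, cvs, sftp, scp, svnserve in that order. If rssh reads the field positionally the extra digit shifts the bits and does not grant what the commit title intends; if it is read as a binary number the leading zero is harmless, so this should be checked against the installed rssh's parser, and `user=debarchive:022:000110:/srv/upload` is the form that matches the documentation kept here. The fourth field sets a chroot jail at /srv/upload per the comments above, yet nothing in the visible hunks populates that directory or places the account's home (/srv/debarchive) inside it, so confirm the chroot is intended and that the jail is provisioned elsewhere. The fragment content also ends without a newline; appending `\n` keeps rssh.conf well-formed if another fragment is ever ordered after it.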
diff --git a/sitemodules/profiles/manifests/debarchive.pp b/sitemodules/profiles/manifests/debarchive.pp
index 70735d9..af02d1c 100644
--- a/sitemodules/profiles/manifests/debarchive.pp
+++ b/sitemodules/profiles/manifests/debarchive.pp
@@ -49,25 +49,8 @@ class profiles::debarchive (
) {
include profiles::base
- # remove first try with mini-dinstall
- package { 'mini-dinstall':
- ensure => purged,
- }
- service { 'debarchive':
- ensure => stopped,
- enable => false,
- }
- file { '/etc/systemd/system/debarchive.service':
- ensure => absent,
- }
- exec { 'reload systemd when debarchive.service unit changes':
- command => '/bin/systemctl daemon-reload',
- refreshonly => true,
- subscribe => File['/etc/systemd/system/debarchive.service'],
- notify => Service['debarchive'],
- }
- file { '/srv/debarchive/.mini-dinstall.conf':
- ensure => absent,
+ package{ ['rssh', 'reprepro']:
+ ensure => latest,
}
# setup user, groups and directories
@@ -80,8 +63,9 @@ class profiles::debarchive (
system => true,
gid => 'nogroup',
home => '/srv/debarchive',
- shell => '/bin/false',
+ shell => '/usr/bin/rssh',
purge_ssh_keys => true,
+ require => Package['rssh'],
}
file { '/srv/debarchive':
ensure => directory,
@@ -102,6 +86,27 @@ class profiles::debarchive (
mode => '0700',
}
+ $rssh_conf = '/etc/rssh.conf'
+
+ concat { $rssh_conf:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+
+ concat::fragment { 'rssh-global':
+ target => $rssh_conf,
+ order => '01',
+ source => 'puppet:///profiles/debarchive/rssh.global.conf',
+ }
+
+ concat::fragment { 'rssh-debarchive':
+ target => $rssh_conf,
+ order => '10',
+ content => 'user=debarchive:022:0001100:/srv/upload',
+ }
+
# setup ssh keys
$uploaders.each |String $username| {
$ssh_keys = $::profiles::base::users[$username]['ssh_keys']