summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@open-infrastructure.net>2017-06-29 05:35:49 +0000
committerDaniel Baumann <daniel.baumann@open-infrastructure.net>2017-06-29 08:46:22 +0000
commit8ae7e6a4292723d1996656c51b23236161f7bf01 (patch)
tree9cf44c4a580f8a70e262b384a27f0110380e1292
parentAdding CONTAINER_COMMANDS_ENABLE variable for container-shell to add support ... (diff)
downloadcompute-tools-8ae7e6a4292723d1996656c51b23236161f7bf01.tar.xz
compute-tools-8ae7e6a4292723d1996656c51b23236161f7bf01.zip
Adding CONTAINER_COMMANDS_DISABLE variable for container-shell to add support for disallowing certain container commands for a specific container-shell invocation only.
Use case: Disallow some people (via their SSH key) some specific container commands, e.g. container remove. Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
Diffstat (limited to '')
-rwxr-xr-xbin/container-shell21
1 files changed, 21 insertions, 0 deletions
diff --git a/bin/container-shell b/bin/container-shell
index c27a0e3..38a9ab9 100755
--- a/bin/container-shell
+++ b/bin/container-shell
@@ -111,6 +111,27 @@ Shell ()
esac
fi
+ if [ -n "${CONTAINER_COMMANDS_DISABLE}" ]
+ then
+ COMMAND_DISALLOWED=""
+
+ for CONTAINER_COMMAND in ${CONTAINER_COMMANDS_DISABLE}
+ do
+ case "${CONTAINER_COMMAND}" in
+ ${COMMAND}|all|about|logout|exit|help)
+ COMMAND_DISALLOWED="true"
+ ;;
+ esac
+ done
+
+ case "${COMMAND_DISALLOWED}" in
+ true)
+ echo "'${COMMAND}': command not allowed for current user" >&2
+ return
+ ;;
+ esac
+ fi
+
echo
sudo ${PROGRAM} ${COMMAND} ${OPTIONS} || true
}