summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@open-infrastructure.net>2017-06-27 07:54:18 +0000
committerDaniel Baumann <daniel.baumann@open-infrastructure.net>2017-06-29 08:46:22 +0000
commit9b8f4ba8d31febfdfb9fcb75b15c2b6f4d575fde (patch)
tree42cf3028d4c6c42c859460384525102d006d1a4a
parentExecuting auto commands only when cnt.auto=true and cnt.container-server matc... (diff)
downloadcompute-tools-9b8f4ba8d31febfdfb9fcb75b15c2b6f4d575fde.tar.xz
compute-tools-9b8f4ba8d31febfdfb9fcb75b15c2b6f4d575fde.zip
Adding CONTAINER_COMMANDS_ENABLE variable for container-shell to add support for allowing certain container commands for a specific container-shell invocation only.
Use case: Allow some people (via their SSH key) to only execute some but not all commands, e.g. container start and container-stop but not container create and container remove. Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
-rwxr-xr-xbin/container-shell30
1 files changed, 27 insertions, 3 deletions
diff --git a/bin/container-shell b/bin/container-shell
index 17c0849..c27a0e3 100755
--- a/bin/container-shell
+++ b/bin/container-shell
@@ -85,10 +85,34 @@ Shell ()
then
echo "'${COMMAND}': no such ${PROGRAM} command" >&2
return
- else
- echo
- sudo ${PROGRAM} ${COMMAND} ${OPTIONS} || true
fi
+
+ if [ -n "${CONTAINER_COMMANDS_ENABLE}" ]
+ then
+ COMMAND_ALLOWED=""
+
+ for CONTAINER_COMMAND in ${CONTAINER_COMMANDS_ENABLE}
+ do
+ case "${CONTAINER_COMMAND}" in
+ ${COMMAND}|all|about|logout|exit|help)
+ COMMAND_ALLOWED="true"
+ ;;
+ esac
+ done
+
+ case "${COMMAND_ALLOWED}" in
+ true)
+ ;;
+
+ *)
+ echo "'${COMMAND}': command not allowed for current user" >&2
+ return
+ ;;
+ esac
+ fi
+
+ echo
+ sudo ${PROGRAM} ${COMMAND} ${OPTIONS} || true
}
trap 'echo' EXIT HUP INT QUIT TERM