diff options
author | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2017-06-27 07:54:18 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2017-06-29 08:46:22 +0000 |
commit | 9b8f4ba8d31febfdfb9fcb75b15c2b6f4d575fde (patch) | |
tree | 42cf3028d4c6c42c859460384525102d006d1a4a | |
parent | Executing auto commands only when cnt.auto=true and cnt.container-server matc... (diff) | |
download | compute-tools-9b8f4ba8d31febfdfb9fcb75b15c2b6f4d575fde.tar.xz compute-tools-9b8f4ba8d31febfdfb9fcb75b15c2b6f4d575fde.zip |
Adding CONTAINER_COMMANDS_ENABLE variable for container-shell to add support for allowing certain container commands for a specific container-shell invocation only.
Use case: Allow some people (via their SSH key) to only execute some
but not all commands, e.g. container start and container-stop but
not container create and container remove.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
-rwxr-xr-x | bin/container-shell | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/bin/container-shell b/bin/container-shell index 17c0849..c27a0e3 100755 --- a/bin/container-shell +++ b/bin/container-shell @@ -85,10 +85,34 @@ Shell () then echo "'${COMMAND}': no such ${PROGRAM} command" >&2 return - else - echo - sudo ${PROGRAM} ${COMMAND} ${OPTIONS} || true fi + + if [ -n "${CONTAINER_COMMANDS_ENABLE}" ] + then + COMMAND_ALLOWED="" + + for CONTAINER_COMMAND in ${CONTAINER_COMMANDS_ENABLE} + do + case "${CONTAINER_COMMAND}" in + ${COMMAND}|all|about|logout|exit|help) + COMMAND_ALLOWED="true" + ;; + esac + done + + case "${COMMAND_ALLOWED}" in + true) + ;; + + *) + echo "'${COMMAND}': command not allowed for current user" >&2 + return + ;; + esac + fi + + echo + sudo ${PROGRAM} ${COMMAND} ${OPTIONS} || true } trap 'echo' EXIT HUP INT QUIT TERM |