diff options
author | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2017-06-29 05:35:49 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@open-infrastructure.net> | 2017-06-29 08:46:22 +0000 |
commit | 8ae7e6a4292723d1996656c51b23236161f7bf01 (patch) | |
tree | 9cf44c4a580f8a70e262b384a27f0110380e1292 /bin/container-shell | |
parent | Adding CONTAINER_COMMANDS_ENABLE variable for container-shell to add support ... (diff) | |
download | compute-tools-8ae7e6a4292723d1996656c51b23236161f7bf01.tar.xz compute-tools-8ae7e6a4292723d1996656c51b23236161f7bf01.zip |
Adding CONTAINER_COMMANDS_DISABLE variable for container-shell to add support for disallowing certain container commands for a specific container-shell invocation only.
Use case: Disallow some people (via their SSH key) some specific
container commands, e.g. container remove.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
Diffstat (limited to '')
-rwxr-xr-x | bin/container-shell | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/bin/container-shell b/bin/container-shell index c27a0e3..38a9ab9 100755 --- a/bin/container-shell +++ b/bin/container-shell @@ -111,6 +111,27 @@ Shell () esac fi + if [ -n "${CONTAINER_COMMANDS_DISABLE}" ] + then + COMMAND_DISALLOWED="" + + for CONTAINER_COMMAND in ${CONTAINER_COMMANDS_DISABLE} + do + case "${CONTAINER_COMMAND}" in + ${COMMAND}|all|about|logout|exit|help) + COMMAND_DISALLOWED="true" + ;; + esac + done + + case "${COMMAND_DISALLOWED}" in + true) + echo "'${COMMAND}': command not allowed for current user" >&2 + return + ;; + esac + fi + echo sudo ${PROGRAM} ${COMMAND} ${OPTIONS} || true } |