#!/bin/sh
### Add a Git user to the system
### Copyright (C) 2015, 2022 Rafael Laboissière
###
### This program is free software; you can redistribute it and/or modify it under
### the terms of the GNU General Public License as published by the Free Software
### Foundation; either version 3 of the License, or (at your option) any later
### version.
###
### This program is distributed in the hope that it will be useful, but WITHOUT
### ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
### FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
### details.
###
### You should have received a copy of the GNU General Public License along with
### this program; if not, see <http://www.gnu.org/licenses/>.
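### Get the program name
prog=${0##*/}
### Stop at the first failing command and on unset variables: every step
### below runs as root, and a failed adduser/mkdir must not be followed by
### writes and chowns under /var/git/<name>
set -eu
### Ensure that exactly one argument is given
if [ "$#" -ne 1 ] ; then
  printf 'Usage: %s name\n' "$prog" 1>&2
  exit 1
fi
### Get the specified user name
user=$1
### Refuse names that would be spliced into paths ($home/$user) or read as
### options by adduser/chown: empty, leading '-', leading '.' (covers '.'
### and '..') or containing '/'
case $user in
  ''|-*|.*|*/*)
    printf '%s: invalid user name '"'%s'"'\n' "$prog" "$user" 1>&2
    exit 1 ;;
esac
### Generate a temporary file with configuration for adduser
### (mktemp picks an unpredictable name and creates it mode 0600)
tmp=$(mktemp) || exit 1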
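### Cleanup function: remove the temporary adduser configuration file.
### Globals:   tmp (read) - path created by mktemp
### Returns:   status of rm (0 when the file is already gone, thanks to -f)
cleanup(){
  ### quoted and preceded by -- so a TMPDIR containing spaces or a
  ### leading '-' cannot turn this into several arguments or an option
  rm -f -- "$tmp"
}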
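### Remove the temporary file on normal exit as well as on the usual
### signals, so an early failure does not leave the adduser config behind
trap cleanup EXIT HUP INT QUIT PIPE TERM
### Error helper: report on stderr and exit non-zero (which fires the trap)
### Arguments: message words
die() {
  printf '%s: %s\n' "$prog" "$*" 1>&2
  exit 1
}
### Create the temporary configuration file
home=/var/git
cat > "$tmp" <<EOF || die "cannot write $tmp"
DHOME=$home
DSHELL=/usr/bin/git-shell
FIRST_UID=2000
FIRST_GID=2000
SKEL=
EOF
### Add the new user to the system. Everything below assumes this worked
### (home directory present, name known to chown), so stop here otherwise
adduser --conf "$tmp" --disabled-password --disabled-login --gecos "" "$user" \
  || die "adduser failed for '$user'"
### Create the no-interactive-login script. The quoted delimiter keeps
### $USER and the printf escapes literal in the generated script.
homedir=$home/$user
gitshdir=$homedir/git-shell-commands
mkdir -p -- "$gitshdir" || die "cannot create $gitshdir"
nolog=$gitshdir/no-interactive-login
cat > "$nolog" <<'EOF' || die "cannot write $nolog"
#!/bin/sh
printf '\n%s\n' "Hi $USER! You've successfully authenticated, but I do not"
printf '%s\n\n' "provide interactive shell access."
exit 128
EOF
chmod +x -- "$nolog"
### Create the read-only script: git-shell serves everything except a push.
### git-shell accepts a push both as "git-receive-pack ..." and as
### "git receive-pack ...", so both spellings are refused; testing only the
### first word against git-receive-pack let the second form through.
### (variable named rofile rather than readonly to avoid confusion with the
### sh builtin of that name)
rofile=$gitshdir/read-only
cat > "$rofile" <<'EOF' || die "cannot write $rofile"
#!/bin/bash
read -a tokens <<< "$SSH_ORIGINAL_COMMAND"
case "${tokens[0]} ${tokens[1]}" in
  'git-receive-pack '*|'git receive-pack')
    exit 128 ;;
  *)
    exec git-shell -c "$SSH_ORIGINAL_COMMAND" ;;
esac
EOF
chmod +x -- "$rofile"
### Adjust owner of git-shell-commands directory
chown -R -- "$user:$user" "$gitshdir" || die "cannot chown $gitshdir"
### Initialize the SSH directory (0700, as sshd requires)
sshdir=$homedir/.ssh
mkdir --mode=700 -- "$sshdir" || die "cannot create $sshdir"
touch -- "$sshdir/authorized_keys" || die "cannot create $sshdir/authorized_keys"
chown -R -- "$user:$user" "$sshdir" || die "cannot chown $sshdir"
### Exit gracefully; the EXIT trap removes the temporary file
exit 0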