Diffstat (limited to 'run.d')
-rwxr-xr-xrun.d/10-print-message22
-rwxr-xr-xrun.d/30-query-hostname98
2 files changed, 120 insertions, 0 deletions
diff --git a/run.d/10-print-message b/run.d/10-print-message
new file mode 100755
index 0000000..0e19526
--- /dev/null
+++ b/run.d/10-print-message
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# 10-print-message - print a (command-specific or default) message
+#
+# Copyright © Andrew Ruthven <andrew@etc.gen.nz>
+# Copyright © martin f. krafft <madduck@madduck.net>
+# Released under the terms of the Artistic Licence 2.0
+#
+# Prints either /etc/molly-guard/messages.d/$MOLLYGUARD_CMD
+# or /etc/molly-guard/messages.d/default
+# depending on whether the first exists.
+#
+set -eu
+
+MESSAGESDIR=/etc/molly-guard/messages.d
+
+for i in $MOLLYGUARD_CMD default; do
+ if [ -f "$MESSAGESDIR/$i" ] && [ -r "$MESSAGESDIR/$i" ]; then
+ cat $MESSAGESDIR/$i
+ exit 0
+ fi
+done
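Review bot: Under the `set -eu` on the line above, an unset `MOLLYGUARD_CMD` aborts the loop header before the `default` message can be printed, and the `cat` argument is the only path in the script left unquoted, so it is subject to word-splitting and globbing while the `[ -f ]`/`[ -r ]` tests two lines earlier operate on the quoted form. I would make the loop header `for i in ${MOLLYGUARD_CMD:-} default; do` and the body `cat -- "$MESSAGESDIR/$i"`, which keeps the existing fall-through to `default` when the variable is empty. Whether the caller always exports `MOLLYGUARD_CMD` is not visible in this diff; if it does, only the quoting change is needed.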
diff --git a/run.d/30-query-hostname b/run.d/30-query-hostname
new file mode 100755
index 0000000..d34ce06
--- /dev/null
+++ b/run.d/30-query-hostname
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# 30-ask-hostname - request the user to type in the hostname of the local host
+#
+# Copyright © 2006-2009 martin f. krafft <madduck@madduck.net>
+# Copyright © 2012 Ludovico Gardenghi <lu@dovi.co>
+# Copyright © 2014 Josh Triplett <josh@joshtriplett.org>
+# Copyright © 2015 Francois Marier <francois@debian.org>
+# Copyright © 2017 Simó Albert i Beltran <sim6@probeta.net>
+# Released under the terms of the Artistic Licence 2.0
+#
+set -eu
+
+ME=molly-guard
+
+# Walk up the process tree until PID 1 is reached or a process with 'sshd' in
+# its /proc/<pid>/cmdline is met. Return success if such a process is found.
+is_child_of_sshd_or_mosh_server() {
+ pid=$$
+ ppid=$PPID
+ # Be a bit paranoid with the guard, should some horribly broken system
+ # provide a strange process hierarchy. '[ $pid -ne 1 ]' should be enough for
+ # sane systems.
+ [ -z "$pid" ] || [ -z "$ppid" ] && return 2
+ while [ $pid -gt 1 ] && [ $pid -ne $ppid ]; do
+ if egrep -q 'sshd|mosh-server' /proc/$ppid/cmdline; then
+ return 0
+ fi
+ pid=$ppid
+ ppid=$(grep ^PPid: /proc/$pid/status | tr -dc 0-9)
+ done
+ return 1
+}
+
+[ -f "$MOLLYGUARD_SETTINGS" ] && . "$MOLLYGUARD_SETTINGS"
+
+PRETEND_SSH=0
+for arg in "$@"; do
+ case "$arg" in
+ (*-pretend-ssh) PRETEND_SSH=1;;
+ esac
+done
+
+# require an interactive terminal connected to stdin
+test -t 0 || exit 0
+
+# we've been asked to always protect this host
+case "${ALWAYS_QUERY_HOSTNAME:-0}" in
+ 0|false|False|no|No|off|Off)
+ # only run if we are being called over SSH, that is if the current terminal
+ # was created by sshd.
+ command -v tty >/dev/null 2>&1 || exit 0
+ PTS=$(tty)
+ if ! pgrep -f "^sshd.+${PTS#/dev/}\>" >/dev/null \
+ && [ -z "${SSH_CONNECTION:-}" ] \
+ && ! is_child_of_sshd_or_mosh_server; then
+ if [ $PRETEND_SSH -eq 1 ]; then
+ echo "I: $ME: this is not an SSH session, but --pretend-ssh was given..." >&2
+ else
+ exit 0
+ fi
+ else
+ echo "W: $ME: SSH session detected!" >&2
+ fi
+ ;;
+ *)
+ echo "I: $ME: $MOLLYGUARD_CMD is always molly-guarded on this system." >&2
+ ;;
+esac
+
+case "${USE_FQDN:-0}" in
+ 0|false|False|no|No|off|Off)
+ HOSTNAME="$(hostname --short)"
+ ;;
+ *)
+ HOSTNAME="$(hostname --fqdn)"
+ ;;
+esac
+
+sigh()
+{
+ echo "Good thing I asked; I won't $MOLLYGUARD_CMD $HOSTNAME ..." >&2
+ exit 1
+}
+
+trap 'echo;sigh' 1 2 3 9 10 12 15
+
+echo -n "Please type in hostname of the machine to $MOLLYGUARD_CMD: "
+read HOSTNAME_USER || :
+
+HOSTNAME="$(echo "$HOSTNAME" | tr '[:upper:]' '[:lower:]')"
+HOSTNAME_USER="$(echo "$HOSTNAME_USER" | tr '[:upper:]' '[:lower:]')"
+
+[ "$HOSTNAME_USER" = "$HOSTNAME" ] || sigh
+
+trap - 1 2 3 9 10 12 15
+
+exit 0
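Review bot: The `trap 'echo;sigh' 1 2 3 9 10 12 15` line and its matching `trap -` reset use numeric signals, but 9 (SIGKILL) cannot be caught, and the numbers for USR1/USR2 differ between architectures, so on some targets the wrong signals are being trapped under `#!/bin/sh`; I would write `trap 'echo;sigh' HUP INT QUIT USR1 USR2 TERM` and `trap - HUP INT QUIT USR1 USR2 TERM`. The `read HOSTNAME_USER || :` prompt reads arbitrary user input without `-r`, so backslashes are interpreted before the comparison; `read -r HOSTNAME_USER || :` is the portable form. In `is_child_of_sshd_or_mosh_server`, `ppid=$(grep ^PPid: /proc/$pid/status | tr -dc 0-9)` can yield an empty string when the process has already exited, and the unquoted `[ $pid -ne $ppid ]` on the next iteration then prints a test error rather than returning cleanly; guarding with `[ -n "$ppid" ] || return 1` after the assignment and quoting the operands keeps the walk silent on such races. The same script also uses `echo -n` for the prompt, which is not specified by POSIX `echo`; `printf '%s' "..."` is the safe equivalent.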