Ce qui suit n'a jamais été aperçu en état de marche, il est donc déconseillé de l'appliquer sans autre forme de procès.
À placer dans /usr/local/bin/apt-dater-host-wrapper
#!/bin/sh set -e set -u # Explicitly set the PATH to that of ENV_SUPATH in /etc/login.defs and unset # various other variables. For details, see: # https://wiki.ubuntu.com/SecurityTeam/AppArmorPolicyReview#Execute_rules export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin export ENV= export CDPATH= LOGGER="/usr/bin/logger" APT_DATER_HOST="$(which apt-dater-host)" KILL="/bin/kill" SLEEP="/bin/sleep" # Install command allowed? INSTALL_ALLOWED="false" if [ "$#" -eq 1 ]; then if [ "$1" = "--install-allowed" ]; then INSTALL_ALLOWED="true" fi fi illegal_command() { # Do not log SSH_ORIGINAL_COMMAND for security reasons $LOGGER "$(basename $0) illegal command denied" # Default deny $KILL -9 $PPID exit 0 } check_ssh_command() { if [ "$#" -lt 2 ]; then # not in the form of apt-dater-host upgrade illegal_command fi if [ "$1" != "apt-dater-host" ]; then # not invoking apt-dater-host illegal_command else # Remove the 1st arg with later replace it with the # fully qualified path to apt-dater-host shift fi COMMAND="$1" shift if [ "$COMMAND" = "refresh" -o "$COMMAND" = "kernel" ]; then $APT_DATER_HOST $COMMAND elif [ "$COMMAND" = "upgrade" ]; then # Don't kill the shell session right away when # upgrading/installing to please apt-dater $APT_DATER_HOST $COMMAND && $SLEEP 0.5 elif [ "$COMMAND" = "install" ]; then if [ "$INSTALL_ALLOWED" = "true" ]; then # Don't kill the shell session right away when # upgrading/installing to please apt-dater $APT_DATER_HOST $COMMAND $* && $SLEEP 0.5 else illegal_command fi fi } if [ -z "$SSH_ORIGINAL_COMMAND" ]; then illegal_command fi case "$SSH_ORIGINAL_COMMAND" in *\&*) illegal_command ;; *\(*) illegal_command ;; *\{*) illegal_command ;; *\;*) illegal_command ;; *\>*) illegal_command ;; *\`*) illegal_command ;; *\|*) illegal_command ;; apt-dater-host\ refresh) check_ssh_command $SSH_ORIGINAL_COMMAND ;; apt-dater-host\ upgrade) check_ssh_command $SSH_ORIGINAL_COMMAND ;; apt-dater-host\ install\ *) check_ssh_command $SSH_ORIGINAL_COMMAND ;; apt-dater-host\ kernel) check_ssh_command $SSH_ORIGINAL_COMMAND ;; *) illegal_command ;; esac
En oubliant pas de le rendre exécutable:
chmod 0755 /usr/local/bin/apt-dater-host-wrapper