Simple Python scp wrapper

Inspired by the following article I decided to write a simply python scp wrapper which is based on the ideas taken from the perl script also mentioned on the same page.

The whole point of this wrapper is dead simple: to allow certain users scp into their specific directories with out granting full ssh access.

The configuration file is straightforward:
/opt/etc/scponly.conf

scponly=/tmp:/home/scptest

Below is the wrapper in all its amature (must admit I’m not a developer at all) glory ;-)

/opt/bin/scp-wrapper.py:

#!/usr/bin/python
 
import sys
import os
import pwd
from subprocess import call, Popen, PIPE
import re
 
def fail(msg):
    """(str) -> str Prints error message to STDOUT
    >>> fail('Error')
    Error
    >>> fail('Wrong argument')
    Wrong argument
    """
    
    print msg
    sys.exit(1)
 
def access_verify(user, dirto):
    """(str) -> Boolean Returns TRUE iff user is allowed to scp
    """
  
    if user in users:
        for d in users[user]:
            print user, dirto[-1:],  d.rstrip()[-1:], dirto[:-1] == d.rstrip(), dirto == d[:-1].rstrip()
            if dirto == d.rstrip():
                return True
            elif (dirto[-1:] == "/" or d.rstrip()[-1:] == "/") and (dirto[:-1] == d.rstrip() or dirto == d.rstrip()[:-1]):
                return True
            else:
                return False
    return False
 
if __name__ == '__main__':
 
    users = {}
    conf = "/usr/local/etc/scponly.conf"
 
    # Reading configuration file
 
    fp = open(conf, "r")
    for line in fp.readlines():
        record = line.split("=")
        users[record[0]] = record[1].split(":")
    fp.close()
  
    command = sys.argv[2]
    scp_args = command.split()
 
    if scp_args[0] != "scp":
        msg = "Only scp is allowed"
        fail(msg)
 
    if scp_args[1] != "-t" and not "-f" and not "-v":
        msg = "Restricted; only server mode is allowed"
        fail(msg)
 
    destdir = scp_args[-1]
   if not os.path.isfile(destdir) or os.path.isfile(destdir):
        destdirv = os.path.dirname(destdir)
    else:
        destdirv = destdir
    uname = pwd.getpwuid(os.getuid())[0]
    if not access_verify(uname, destdirv):
        msg = "User " + uname + " is not authorized to scp to this host."
        fail(msg)
    else:
        scp_args.pop(0)
        if len(scp_args) == 2:
            call(["/usr/bin/scp", scp_args[0], destdir])
        elif len(scp_args) == 3:
            call(["/usr/bin/scp", scp_args[0], scp_args[1], destdir])

Just create a new user and set its shell (-s option in useradd) to /opt/bin/scp-wrapper.py. Hope it helps.
Enjoy and have fun!

• Recent Posts

  • LISA 2021 Conference
  • Upgraded to FreeBSD 13.0-RELEASE
  • Canceled my booking
  • Advent of Code 2020 experience
  • my experience with kernel lockdown and eBFP
  • Christmas gifts 2020 already in house
  • My trivial Linux kernel module in Rust
  • Time to learn something OSX new
  • Finished “Permanent Record”
  • python-bpfcc on Ubuntu 19.10 misses PerfEventArray due to an outdated bpfcc-tools

• Recent Comments

  • Anonymous on Canceled my booking
  • sergeyt on jbd2 is munching your disks? Use ftrace to find why.
  • William Deans on jbd2 is munching your disks? Use ftrace to find why.
  • sergeyt on How to setup Solaris 10 ldap client and glue it with ssh
  • Tracy on How to setup Solaris 10 ldap client and glue it with ssh

• Categories

  • Apple (14)
  • BPF (2)
  • Conferences (1)
  • EMC (2)
  • ESXi (1)
  • FreeBSD (21)
  • Git (1)
  • HDS (6)
  • HP-UX (10)
  • Life (96)
  • Linux (54)
  • MongoDB (8)
  • MySQL (4)
  • Oracle (21)
  • OSX (1)
  • Programming (1)
  • SAN (6)
  • Scripting (4)
  • Security (2)
  • Solaris (60)
  • Sun (34)
  • TIL (5)
  • Uncategorized (4)
  • Veritas (10)
  • ZFS (3)

• Archives

  • April 2021 (2)
  • January 2021 (1)
  • December 2020 (1)
  • March 2020 (2)
  • February 2020 (3)
  • January 2020 (2)
  • September 2019 (1)
  • December 2018 (2)
  • July 2018 (1)
  • June 2018 (1)
  • May 2018 (1)
  • February 2018 (2)
  • December 2017 (1)
  • November 2017 (1)
  • September 2017 (2)
  • August 2017 (1)
  • July 2017 (2)
  • May 2017 (2)
  • February 2017 (2)
  • January 2017 (3)
  • November 2016 (1)
  • August 2016 (1)
  • July 2016 (1)
  • June 2016 (2)
  • May 2016 (3)
  • April 2016 (1)
  • February 2016 (1)
  • January 2016 (1)
  • December 2015 (2)
  • November 2015 (3)
  • October 2015 (1)
  • August 2015 (1)
  • June 2015 (2)
  • April 2015 (1)
  • February 2015 (4)
  • January 2015 (3)
  • December 2014 (1)
  • November 2014 (4)
  • August 2014 (1)
  • June 2014 (1)
  • April 2014 (1)
  • March 2014 (1)
  • January 2014 (5)
  • December 2013 (1)
  • November 2013 (2)
  • October 2013 (2)
  • August 2013 (2)
  • July 2013 (1)
  • June 2013 (3)
  • May 2013 (4)
  • March 2013 (2)
  • February 2013 (2)
  • January 2013 (1)
  • December 2012 (5)
  • November 2012 (1)
  • October 2012 (3)
  • August 2012 (2)
  • June 2012 (2)
  • May 2012 (1)
  • April 2012 (2)
  • February 2012 (3)
  • January 2012 (1)
  • December 2011 (2)
  • November 2011 (1)
  • October 2011 (3)
  • August 2011 (1)
  • July 2011 (1)
  • June 2011 (1)
  • May 2011 (2)
  • April 2011 (3)
  • March 2011 (3)
  • February 2011 (4)
  • January 2011 (7)
  • December 2010 (6)
  • November 2010 (7)
  • October 2010 (6)
  • September 2010 (6)
  • August 2010 (1)
  • July 2010 (1)
  • June 2010 (5)
  • May 2010 (8)
  • April 2010 (9)
  • March 2010 (11)
  • February 2010 (6)
  • January 2010 (12)
  • December 2009 (8)
  • November 2009 (7)
  • October 2009 (9)
  • September 2009 (12)
  • August 2009 (11)
  • July 2009 (14)
  • June 2009 (15)
  • May 2009 (8)

• Blogroll

  • Blog O'Matty
  • c0t0d0s0
  • Infinite Loop
  • LWN
  • Mastodon
  • Slashdot
  • The Blog of Ben Rockwood