martin f krafft wrote: > also sprach b...@bc-bd.org <b...@bc-bd.org> [2009.10.25.1506 +0100]:
>> We could check for $STY to test if inside screen or not, but no >> idea how to proceed from there. > > Neither do I. If you have ideas, or maybe a new test scriptlet, I'd > love to hear them. attached. >> OTOH I don't understand the need for the pgrep-voodoo anyway, why not simply >> check for ! -z $SSH_CONNECTION? > > Because sudo resets the environment. doh.
diff --git a/30-query-hostname b/30-query-hostname index d040603..cace22d 100755 --- a/30-query-hostname +++ b/30-query-hostname @@ -3,6 +3,7 @@ # 30-ask-hostname - request the user to type in the hostname of the local host # # Copyright © martin f. krafft <madd...@madduck.net> +# Copyright © 2009 Stefan Völkel <b...@bc-bd.org> # Released under the terms of the Artistic Licence 2.0 # set -eu @@ -21,28 +22,68 @@ done # require an interactive terminal connected to stdin test -t 0 || exit 0 -# we've been asked to always protect this host +# whether we should check for an ssh session or not +CHECK=1 + +# should we bypass ssh session checking and handle as if we found one? +if [ $PRETEND_SSH -eq 1 ]; then + CHECK=0 + echo "I: $ME: --pretend-ssh was given, handling as ssh session" >&2 +fi + +# should this hostname always be guarded? case "${ALWAYS_QUERY_HOSTNAME:-0}" in 0|false|False|no|No|off|Off) - # only run if we are being called over SSH, that is if the current terminal - # was created by sshd. - PTS=$(readlink /proc/$$/fd/0) - if ! pgrep -f "^sshd.+${PTS#/dev/}\>" >/dev/null \ - && [ -z "${SSH_CONNECTION:-}" ]; then - if [ $PRETEND_SSH -eq 1 ]; then - echo "I: $ME: this is not an SSH session, but --pretend-ssh was given..." >&2 - else - exit 0 - fi - else - echo "W: $ME: SSH session detected!" >&2 - fi - ;; + ;; *) + CHECK=0 echo "I: $ME: $MOLLYGUARD_CMD is always molly-guarded on this system." >&2 ;; esac +# make sure that sshd.pid exists and is a regular file +if [ ! -f /var/run/sshd.pid ]; then + echo "W: $ME: /var/run/sshd.pid is not a regular file" >&2 + echo "W: $ME: can not determine wether this is an ssh session or not" >&2 + echo "W: $ME: pretending as if it was" >&2 + CHECK=0 +else + SSHD=$(cat /var/run/sshd.pid) +fi + +# make sure the binary behind ssh.pid is sshd +BIN=$(basename $(readlink -f /proc/$SSHD/exe)) +if [ $BIN != "sshd2" ]; then + echo "W: $ME: the pid referenced by /var/run/sshd.pid is not sshd" >&2 + echo "W: $ME: can not determine wether this is an ssh session or not" >&2 + echo "W: $ME: pretending as if it was" >&2 + CHECK=0 +fi + +# bypass ssh check? +if [ $CHECK -ne 0 ]; then + # no, set sshd pid and parent pid + PARENT=$$ + + # keep looking at parent pid until ... + while true; do + # ... no more parents + # => molly-guard was NOT started as child of sshd + # => this is NOT an ssh session + # => reboot/halt/... as requested + [ $PARENT -eq 0 ] && exit 0 + + # parent is sshd + # => guard this machine + [ $PARENT -eq $SSHD ] && break + + # get parent pid of process with pid $PARENT + PARENT=$(ps -o "ppid=" $PARENT) + done + + echo "I: $ME: ssh session found:" >&2 +fi + HOSTNAME="$(hostname --short)" sigh()