mirror of
https://github.com/ovh/the-bastion.git
synced 2025-01-08 00:12:10 +08:00
79 lines
2.4 KiB
Perl
Executable file
79 lines
2.4 KiB
Perl
Executable file
#! /usr/bin/env perl
|
|
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
|
|
use common::sense;
|
|
|
|
use File::Basename;
|
|
use lib dirname(__FILE__) . '/../../../lib/perl';
|
|
use OVH::Result;
|
|
use OVH::Bastion;
|
|
use OVH::Bastion::Plugin qw( :DEFAULT help );
|
|
|
|
my $remainingOptions = OVH::Bastion::Plugin::begin(
|
|
argv => \@ARGV,
|
|
header => "launching a bastion command or connection, impersonating another user",
|
|
options => {
|
|
"sudo-as=s" => \my $sudoAs,
|
|
"sudo-cmd=s" => \my $sudoCmd,
|
|
},
|
|
helptext => <<'EOF',
|
|
Impersonate another user
|
|
|
|
Usage: --osh SCRIPT_NAME -- --sudo-as ACCOUNT <--sudo-cmd PLUGIN -- [PLUGIN specific options...]>
|
|
|
|
--sudo-as ACCOUNT Specify which bastion account we want to impersonate
|
|
--sudo-cmd PLUGIN --osh command we want to launch as the user (see --osh help)
|
|
|
|
Example::
|
|
|
|
--osh SCRIPT_NAME -- --sudo-as user12 --sudo-cmd info -- --name somebodyelse
|
|
|
|
Don't forget the double-double-dash as seen in the example above: one after the plugin name,
|
|
and another one to separate SCRIPT_NAME options from the options of the plugin to be called.
|
|
EOF
|
|
);
|
|
|
|
my $fnret;
|
|
|
|
if (not $sudoAs or not $sudoCmd) {
|
|
help();
|
|
osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'sudo-as' or 'sudo-cmd'";
|
|
}
|
|
|
|
$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $sudoAs);
|
|
$fnret or osh_exit($fnret);
|
|
|
|
$fnret = OVH::Bastion::can_account_execute_plugin(account => $sudoAs, plugin => $sudoCmd);
|
|
$fnret or osh_exit($fnret);
|
|
|
|
my @cmd = qw( sudo -n -u );
|
|
push @cmd, $sudoAs;
|
|
push @cmd, qw( -- /usr/bin/env perl );
|
|
push @cmd, $OVH::Bastion::BASEPATH . '/bin/shell/osh.pl';
|
|
push @cmd, '-c';
|
|
|
|
my $stringified;
|
|
$stringified = " --osh $sudoCmd" if $sudoCmd;
|
|
$stringified .= " --host $host" if $host;
|
|
$stringified .= " --port $port" if $port;
|
|
$stringified .= " --user $user" if $user;
|
|
$stringified .= " " . join(" ", @$remainingOptions) if ($remainingOptions and @$remainingOptions);
|
|
|
|
push @cmd, $stringified;
|
|
|
|
OVH::Bastion::syslogFormatted(
|
|
criticity => 'info',
|
|
type => 'security',
|
|
fields => [
|
|
['type', 'admin-sudo'],
|
|
['account', $self],
|
|
['sudo-as', $sudoAs],
|
|
['plugin', ($sudoCmd ? $sudoCmd : 'ssh')],
|
|
['params', $stringified]
|
|
]
|
|
);
|
|
|
|
osh_warn("ADMIN SUDO: $self, you'll now impersonate $sudoAs, this has been logged.");
|
|
|
|
$fnret = OVH::Bastion::execute(cmd => \@cmd, noisy_stdout => 1, noisy_stderr => 1, expects_stdin => 1);
|
|
|
|
osh_exit $fnret;
|