authcmd/authcmd.yml at main · dranih/authcmd · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# Print 'denied', so a user can figure out the program was not run.
showTerseDenied: false

# Show which commands are allowed
showAllowed: false

# Feed back a denied command line to the invoking user
showDenied: false

# Should we expand the env vars ?
expandEnvVars: false

# Should we log ?
enableLogging: false

# Log file (default : ~/authcmd.log)
#logFile: /var/log/authcmd.log

# If useShell is set (to default or a specific shell), command is launch with $shell -c "command"
# If not, it uses the standard os/exec from Go
# Notes :
#   - if using a shell, env variables will be available to the command
#   - input command is not sanitized and is a security breach (ie: echo test;rm *)
#useShell: default

# Show a help text to the user.  The text is everything after the line
# with the helpText token to the end of the file.
helpText: "This is the help text shown, when you send a command line which is not accepted."

setEnvVars:
  MY_VAR: "Set for all cmds"

# Allowed cmd for all
allowedCmd:
  - command: id
  - command: /bin/echo
    replace: {"pizza$":"pasta"}
    setEnvVars:
      MY_VAR: "Set for echo"
    args: # Golang regex
      forbidden: [\$]
  - command: ls
    args:
      allowed: [-l]
  - command: cat
    mustMatch: ["~/.*authcmd/.*go"]

# Override config and allowed commands by a key tag provided as a arg to authcmd
keyTags:
  client1:
    helpText: "Help text for user1"
    showAllowed: true
    setEnvVars:
      MY_VAR: "Set for all cmds for client1"
    allowedCmd:
      - command: ls
        args:
          allowed: [-r,-t,-a]