Stefan Völkel wrote:
> martin f krafft wrote:
>> also sprach b...@bc-bd.org <b...@bc-bd.org> [2009.10.25.1506 +0100]:
> 
>>> We could check for $STY to test if inside screen or not, but no
>>> idea how to proceed from there.
>> Neither do I. If you have ideas, or maybe a new test scriptlet, I'd
>> love to hear them.
> 
> attached.

well, one debug statement made it through, corrected patch attached.
diff --git a/30-query-hostname b/30-query-hostname
index d040603..04645d7 100755
--- a/30-query-hostname
+++ b/30-query-hostname
@@ -3,6 +3,7 @@
 # 30-ask-hostname - request the user to type in the hostname of the local host
 #
 # Copyright © martin f. krafft <madd...@madduck.net>
+# Copyright © 2009 Stefan Völkel <b...@bc-bd.org>
 # Released under the terms of the Artistic Licence 2.0
 #
 set -eu
@@ -21,28 +22,68 @@ done
 # require an interactive terminal connected to stdin
 test -t 0 || exit 0
 
-# we've been asked to always protect this host
+# whether we should check for an ssh session or not
+CHECK=1
+
+# should we bypass ssh session checking and handle as if we found one?
+if [ $PRETEND_SSH -eq 1 ]; then
+  CHECK=0
+  echo "I: $ME: --pretend-ssh was given, handling as ssh session" >&2
+fi
+
+# should this hostname always be guarded?
 case "${ALWAYS_QUERY_HOSTNAME:-0}" in
   0|false|False|no|No|off|Off)
-    # only run if we are being called over SSH, that is if the current terminal
-    # was created by sshd.
-    PTS=$(readlink /proc/$$/fd/0)
-    if ! pgrep -f "^sshd.+${PTS#/dev/}\>" >/dev/null \
-      && [ -z "${SSH_CONNECTION:-}" ]; then
-        if [ $PRETEND_SSH -eq 1 ]; then
-          echo "I: $ME: this is not an SSH session, but --pretend-ssh was 
given..." >&2
-        else
-          exit 0
-        fi
-    else
-      echo "W: $ME: SSH session detected!" >&2
-    fi
-    ;;
+      ;;
   *)
+    CHECK=0
     echo "I: $ME: $MOLLYGUARD_CMD is always molly-guarded on this system." >&2
     ;;
 esac
 
+# make sure that sshd.pid exists and is a regular file
+if [ ! -f /var/run/sshd.pid ]; then
+  echo "W: $ME: /var/run/sshd.pid is not a regular file" >&2
+  echo "W: $ME: can not determine wether this is an ssh session or not" >&2
+  echo "W: $ME: pretending as if it was" >&2
+  CHECK=0
+else
+  SSHD=$(cat /var/run/sshd.pid)
+fi
+
+# make sure the binary behind ssh.pid is sshd
+BIN=$(basename $(readlink -f /proc/$SSHD/exe))
+if [ $BIN != "sshd" ]; then
+  echo "W: $ME: the pid referenced by /var/run/sshd.pid is not sshd" >&2
+  echo "W: $ME: can not determine wether this is an ssh session or not" >&2
+  echo "W: $ME: pretending as if it was" >&2
+  CHECK=0
+fi
+
+# bypass ssh check?
+if [ $CHECK -ne 0 ]; then
+  # no, set sshd pid and parent pid
+  PARENT=$$
+
+  # keep looking at parent pid until ...
+  while true; do
+    # ... no more parents
+    #   => molly-guard was NOT started as child of sshd
+    #   => this is NOT an ssh session
+    #   => reboot/halt/... as requested
+    [ $PARENT -eq 0 ] && exit 0
+
+    # parent is sshd
+    #   => guard this machine
+    [ $PARENT -eq $SSHD ] && break
+
+    # get parent pid of process with pid $PARENT
+    PARENT=$(ps -o "ppid=" $PARENT)
+  done
+
+  echo "I: $ME: ssh session found:" >&2
+fi
+
 HOSTNAME="$(hostname --short)"
 
 sigh()
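Review bot: The `/proc/$SSHD/exe` test that follows the pid-file check runs unconditionally, so when `/var/run/sshd.pid` is missing `SSHD` is never assigned and, with `set -eu` in effect at the top of the file, the script aborts with a shell error instead of reaching the "pretending as if it was" fallback. A stale pid has the same effect, because `readlink` fails and `basename` is called with no operand. Initialise `SSHD=` and inspect `/proc` only after a pid was read, with the expansions quoted, as sketched below; how the caller treats a non-zero exit from this script is not visible in the hunk. Separately, the parent walk reaches `[ $PARENT -eq 0 ] && exit 0` for any shell whose ancestry no longer leads to the master sshd (the screen case raised in this thread looks like one), and the removed `SSH_CONNECTION` test is not kept as a fallback, so such a session would go unguarded. Consider `[ -n "${SSH_CONNECTION:-}" ] && break` as the first statement in the loop.

```shell
# make sure that sshd.pid exists and names a running sshd
SSHD=
if [ -f /var/run/sshd.pid ]; then
  SSHD=$(cat /var/run/sshd.pid)
  BIN=$(readlink -f "/proc/$SSHD/exe" 2>/dev/null) || BIN=
  if [ "${BIN##*/}" != "sshd" ]; then
    # … unchanged: "pid referenced by /var/run/sshd.pid is not sshd" warnings …
    CHECK=0
  fi
else
  # … unchanged: "/var/run/sshd.pid is not a regular file" warnings …
  CHECK=0
fi
```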
