docker-bastion/examples/docker-mailserver/allowed-commands.list

# ===========================================================================
# docker-mailserver broker allowlist
# ===========================================================================
# One extended-regex (ERE) rule per line. A client request is permitted only
# if it matches a rule WHOLE-LINE (anchored ^…$). Blank lines and lines
# starting with # are ignored. This file is re-read on every request, so
# edits take effect without restarting the bastion.
#
# COMMAND_PREFIX in the compose file prepends "docker exec -i mailserver
# setup", so the rules below describe only the `setup` sub-commands — clients
# send e.g.  email add jane@example.com <password>  and never see docker.
#
# Matched commands are word-split and run WITHOUT a shell, so ; | & $() are
# literal arguments, not operators. Values that must arrive intact cannot
# contain spaces — generate passwords from a space-free alphabet (hex /
# base64url) on the caller side.
#
# Argument classes use [^[:space:]] ("any non-space run") rather than .* so a
# rule can never match trailing junk. Tighten further to taste.
# ===========================================================================

# ---- email accounts -------------------------------------------------------
# add / update require an address and a password argument (no interactive
# prompt is possible over a non-TTY transport, so the password is mandatory).
email add [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
email update [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
email del [^[:space:]]+@[^[:space:]]+
email list
email restrict (add|del|list) (send|receive)( [^[:space:]]+@[^[:space:]]+)?

# ---- aliases --------------------------------------------------------------
alias add [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
alias del [^[:space:]]+@[^[:space:]]+ [^[:space:]]+
alias list

# ---- quotas ---------------------------------------------------------------
# QUOTA is a size like 1G / 512M / 0 (0 = unlimited).
quota set [^[:space:]]+@[^[:space:]]+ [0-9]+[KMGT]?
quota del [^[:space:]]+@[^[:space:]]+
feat(broker): allowlist-gated command broker mode Add a second operating mode alongside FORCE_COMMAND: the client supplies the command and it runs only if it matches a regex allowlist (ALLOWED_COMMANDS / mounted allowed-commands.list), optionally behind a trusted COMMAND_PREFIX. Matching is whole-line anchored (grep -Eqx) and multi-line requests are rejected; execution is shell-free word-split, so ; \| & $() are literal args and a sloppy rule can't become injection. Works over SSH (SSH_ORIGINAL_COMMAND) and HTTP (X-Bastion-Command). FORCE_COMMAND mode is unchanged and remains the default when no allowlist is set; config is read from boot-written files since sshd does not pass the daemon env to a ForceCommand session. - scripts/bastion-broker: the allowlist gate + no-shell exec - scripts/start-container: mode detection, broker wrapper + CGI, banner - Dockerfile / config/sshd_config: wire in the broker, document env vars - examples/docker-mailserver: ready-to-run broker config + allowlist 2026-06-02 17:32:57 +00:00			`# ===========================================================================`
			`# docker-mailserver broker allowlist`
			`# ===========================================================================`
			`# One extended-regex (ERE) rule per line. A client request is permitted only`
			`# if it matches a rule WHOLE-LINE (anchored ^…$). Blank lines and lines`
			`# starting with # are ignored. This file is re-read on every request, so`
			`# edits take effect without restarting the bastion.`
			`#`
			`# COMMAND_PREFIX in the compose file prepends "docker exec -i mailserver`
			# setup", so the rules below describe only the `setup` sub-commands — clients
			`# send e.g. email add jane@example.com <password> and never see docker.`
			`#`
			`# Matched commands are word-split and run WITHOUT a shell, so ; \| & $() are`
			`# literal arguments, not operators. Values that must arrive intact cannot`
			`# contain spaces — generate passwords from a space-free alphabet (hex /`
			`# base64url) on the caller side.`
			`#`
			`# Argument classes use [^[:space:]] ("any non-space run") rather than .* so a`
			`# rule can never match trailing junk. Tighten further to taste.`
			`# ===========================================================================`

			`# ---- email accounts -------------------------------------------------------`
			`# add / update require an address and a password argument (no interactive`
			`# prompt is possible over a non-TTY transport, so the password is mandatory).`
			`email add [^[:space:]]+@[^[:space:]]+ [^[:space:]]+`
			`email update [^[:space:]]+@[^[:space:]]+ [^[:space:]]+`
			`email del [^[:space:]]+@[^[:space:]]+`
			`email list`
			`email restrict (add\|del\|list) (send\|receive)( [^[:space:]]+@[^[:space:]]+)?`

			`# ---- aliases --------------------------------------------------------------`
			`alias add [^[:space:]]+@[^[:space:]]+ [^[:space:]]+`
			`alias del [^[:space:]]+@[^[:space:]]+ [^[:space:]]+`
			`alias list`

			`# ---- quotas ---------------------------------------------------------------`
			`# QUOTA is a size like 1G / 512M / 0 (0 = unlimited).`
			`quota set [^[:space:]]+@[^[:space:]]+ [0-9]+[KMGT]?`
			`quota del [^[:space:]]+@[^[:space:]]+`