Files
claudetools/.claude/skills/synology/scripts/syno-ssh.sh
Howard Enos 5b3dd84fb9 synology: fix SSH backend syno* CLI resolution (full pre-test verification)
Found during a full command-surface recheck: every privileged SSH recipe
(shares/users/groups/acl) was broken — sudo secure_path drops /usr/syno/{bin,sbin}
so synoshare/synouser/synogroup/synoacltool were "command not found" (non-sudo
plain recipes worked because the admin login PATH has them).

- Inject SYNO_PATH into priv()/plain(); run priv via `sh -c` so operators work.
- synouser/synogroup use `--enum local` (not the invalid `--list`).
- acl quotes the share path (handles spaces, e.g. "Sandra Fish").
- services repointed to Web API (no synoservice on DSM 7.2; synosystemctl has no list-all).

Verified live: all Web API reads, all SSH reads (acl returns real Windows ACEs),
write path (share create/delete), and every destructive command correctly gated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-25 13:28:38 -07:00

87 lines
5.3 KiB
Bash

#!/usr/bin/env bash
# syno-ssh.sh — SSH backend for a Synology NAS: the `syno*` CLI surface the DSM Web
# API does NOT expose (filesystem ACLs, low-level share/user/group internals, package
# CLI). Pairs with scripts/syno_client.py (the Web API surface). Read recipes run
# freely; arbitrary `run "<cmd>"` is gated behind --confirm.
#
# REQUIRES: SSH enabled on the NAS (DSM > Terminal & SNMP) + L3 reach. Cascades NAS is
# 192.168.0.120 — bring up the site VPN first. Privileged recipes use `sudo -S` with the
# vaulted admin password.
# AUTH (password): sshpass if installed, else OpenSSH SSH_ASKPASS fallback. On Windows the
# askpass fallback needs MSYS/Git-bash ssh on PATH (system OpenSSH can't exec a shell askpass).
#
# Recipes (read): info | shares | users | groups | acl <share> | df | packages | services
# reboot | shutdown [--confirm] power via synoshutdown -r|-s (Web-API 103 fallback)
# run "<cmd>" [--confirm] arbitrary command (gated; privileged -> prepend `sudo -S`)
#
# Usage: bash .claude/skills/synology/scripts/syno-ssh.sh <recipe> [args] [--confirm]
# [--vault clients/<x>/synology-...sops.yaml]
set -uo pipefail
REPO="$(git rev-parse --show-toplevel 2>/dev/null || echo .)"
VAULT="$REPO/.claude/scripts/vault.sh"
logerr(){ bash "$REPO/.claude/scripts/log-skill-error.sh" "synology/ssh" "$1" --context "${2:-}" >/dev/null 2>&1 || true; }
VP="clients/cascades-tucson/synology-cascadesds.sops.yaml"; CONFIRM=0; POS=()
while [ $# -gt 0 ]; do
case "$1" in
--vault) VP="${2:?--vault needs a path}"; shift 2;;
--confirm) CONFIRM=1; shift;;
*) POS+=("$1"); shift;;
esac
done
RECIPE="${POS[0]:-}"; [ -n "$RECIPE" ] || { echo "usage: syno-ssh.sh <info|shares|users|groups|acl <share>|df|packages|services|reboot|shutdown|run \"<cmd>\"> [--confirm]"; exit 2; }
H="$(bash "$VAULT" get-field "$VP" host 2>/dev/null)"
U="$(bash "$VAULT" get-field "$VP" credentials.username 2>/dev/null)"
P="$(bash "$VAULT" get-field "$VP" credentials.password 2>/dev/null)"
[ -n "$H" ] && [ -n "$U" ] && [ -n "$P" ] || { echo "[BLOCKED] no Synology cred at vault:$VP (need host/credentials.username/credentials.password)"; exit 2; }
SSH_OPTS=(-o ConnectTimeout=8 -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=/dev/null \
-o PreferredAuthentications=password -o PubkeyAuthentication=no -o NumberOfPasswordPrompts=1)
if command -v sshpass >/dev/null 2>&1; then
run_ssh() { local rc; SSHPASS="$P" sshpass -e ssh "${SSH_OPTS[@]}" "$@" || { rc=$?; [ "$rc" = 255 ] && logerr "syno SSH connect/auth failed (rc=255)" "host=$H vp=$VP"; return $rc; }; }
else
ASKPASS="$(mktemp)"; printf '#!/bin/sh\nprintf "%%s\\n" "$SYNO_SSH_PW"\n' > "$ASKPASS"; chmod +x "$ASKPASS"
trap 'rm -f "$ASKPASS"' EXIT
run_ssh() { local rc; SYNO_SSH_PW="$P" SSH_ASKPASS="$ASKPASS" SSH_ASKPASS_REQUIRE=force DISPLAY="${DISPLAY:-:0}" ssh "${SSH_OPTS[@]}" "$@" || { rc=$?; [ "$rc" = 255 ] && logerr "syno SSH connect/auth failed (rc=255)" "host=$H vp=$VP"; return $rc; }; }
fi
# The syno* CLI lives in /usr/syno/{bin,sbin}. The admin's interactive login PATH has
# these (so `plain` worked), but `sudo`'s secure_path drops them -> `priv` got
# "command not found" for synoshare/synouser/synoacltool/... Inject the dirs explicitly.
SYNO_PATH='/usr/syno/bin:/usr/syno/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin'
# privileged remote command: feed the admin password to `sudo -S`, with the syno bin dirs on
# PATH. Run via `sh -c` so shell operators (|, ||, ;) in the recipe all execute as root+PATH.
priv() { run_ssh "$U@$H" "echo '$P' | sudo -S -p '' env PATH='$SYNO_PATH' sh -c '$1'" 2>&1 | grep -v '^Password:' ; }
plain() { run_ssh "$U@$H" "export PATH='$SYNO_PATH':\$PATH; $1" 2>&1 | grep -viE 'Permanently added'; }
case "$RECIPE" in
info) plain 'uname -a; echo; cat /etc/synoinfo.conf 2>/dev/null | grep -iE "^(productversion|buildnumber|unique|upnpmodelname)" ; echo; cat /proc/meminfo | head -1';;
df) plain 'df -h | grep -E "Filesystem|/volume"';;
shares) priv 'synoshare --enum ALL';;
users) priv 'synouser --enum local';;
groups) priv 'synogroup --enum local';;
packages) plain 'synopkg list 2>/dev/null || ls /var/packages';;
services) # DSM 7.2 has no `synoservice`/synosystemctl list-all -> service enumeration is Web-API only.
echo "[INFO] service enumeration is Web-API only on DSM 7.2 (no synoservice CLI)."
echo " use: bash .claude/scripts/py.sh .claude/skills/synology/scripts/syno_client.py services";;
acl)
SHARE="${POS[1]:?acl needs a share name, e.g. acl Server}"
priv "synoacltool -get \"/volume1/$SHARE\"";;
reboot)
[ "$CONFIRM" = "1" ] || { echo "[BLOCKED] reboot the NAS — re-run with --confirm"; exit 2; }
echo "[INFO] rebooting $H via synoshutdown -r (Web-API 103 fallback)"; priv 'synoshutdown -r';;
shutdown)
[ "$CONFIRM" = "1" ] || { echo "[BLOCKED] shut down the NAS — re-run with --confirm"; exit 2; }
echo "[INFO] shutting down $H via synoshutdown -s"; priv 'synoshutdown -s';;
run)
CMD="${POS[1]:?run needs a quoted command}"
[ "$CONFIRM" = "1" ] || { echo "[BLOCKED] 'run' executes an arbitrary command on the NAS — re-run with --confirm"; echo " would run: $CMD"; exit 2; }
echo "[INFO] running on $U@$H: $CMD"
plain "$CMD";;
*) echo "[ERROR] unknown recipe: $RECIPE"; exit 2;;
esac
rc=$?
[ "$rc" -ne 0 ] && logerr "syno-ssh recipe '$RECIPE' failed (rc=$rc)" "host=$H"
exit $rc