GNU Rush – a restricted user shell. (split by node): Section: Back: 4.2 Rule Forward: 4.2.2 Transformations Chapter: FastBack: 4. Configuration File Up: 4.2 Rule FastForward: 5. Default Configuration Doc: Contents: Table of Contents Index: Concept Index   ?

4.2.1 Conditions

These statements define conditions that are used to match the rule with the request. A rule may contain any number of conditions. All conditions are tested in order of their appearance in the rule and are tied together using boolean shortcut ‘and’ evaluation: if any of them yields false, the rest is not evaluated and control is transferred to the subsequent rule.

Rule Config: command regex

True, if the current command line matches regular expression regex.

For example:

 
command ^scp (-v )?-t /incoming/(alpha|ftp)

By default, POSIX extended regular expressions are used. This, however can be changed using regex statement (see section Regex).

Rule Config: match[n] regexp

True, if nth word from the command line matches regular expression regexp. Notice, that square brackets form part of the statement syntax. A special value ‘$’ can be used instead of n to denote the last word. Unless changed by previous regex statement (see section Regex), POSIX extended regular expressions are used.

The command line is split into words using the same rules as used in /bin/sh.

For example, the condition below yields true if the last argument is an absolute path name:

 
match[$] ^/.*
Rule Config: argc op num

Compare the number of command line arguments to num. The comparison operator is given by op, which can be one of the following: ‘=’ (or ‘==’), ‘!=’, ‘<’, ‘<=’, ‘>’, ‘>=’.

For example, the following condition matches if the number of arguments is less than 3:

 
argc < 3
Rule Config: uid [op] user-id

Compare current UID to user-id. The latter may be either a numeric UID or a name of an existing user.

The comparison operator is given by optional op, which can be one of the following: ‘=’ (‘==’), ‘!=’, ‘<’, ‘<=’, ‘>’, ‘>=’. If op is not given, equality (‘==’) is assumed.

Examples:

 
uid smith
Rule Config: gid op group-id

Compare current GID to group-id, which is either a numeric value or a name of an existing group.

The comparison operator is given by op, which can be one of the following: ‘=’ (‘==’), ‘!=’, ‘<’, ‘<=’, ‘>’, ‘>=’. If op is not given, equality (‘==’) is assumed.

Rule Config: user names

Argument is a whitespace-separated list of user names. This condition yields true, if the user name matches one of the listed names. String comparisons are case-sensitive.

Rule Config: group names

Argument is a whitespace-separated list of group names. This condition yields true, if the the name of any group the user is a member of matches one of listed names. String comparisons are case-sensitive.

For example, to match users from groups ‘admin’ and ‘root’:

 
group admin root

Each condition allows for a negated form, by placing an exclamation sign between the condition keyword and expression. For example:

command ^scp

True, if the command line begins with ‘scp’.

command ! ^scp

True if the command line does not begin with ‘scp’.

GNU Rush – a restricted user shell. (split by node): Section: Back: 4.2 Rule Forward: 4.2.2 Transformations Chapter: FastBack: 4. Configuration File Up: 4.2 Rule FastForward: 5. Default Configuration Doc: Contents: Table of Contents Index: Concept Index   ?
This document was generated by Sergey Poznyakoff on July, 8 2010 using texi2html 1.78.

Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.