GNU Rush
Restricted User Shell
Sergey Poznyakoff
Sometimes it may be necessary to allow some group of users limited access to interactive shells. GNU Rush contains provisions for such usage. When rush is invoked without -c, it assumes interactive usage. In this case only rules explicitly marked as interactive are considered; the rest of the rules are ignored.
interactive bool
If bool is ‘true’, this statement marks the rule it appears in as interactive. Such a rule will match only if rush is invoked without command line arguments.
Unless command line transformations are applied, an interactive rule finishes by executing /bin/sh. The first word in the command line (argv[0]) is normally set to the base name of the command being executed, prefixed by a dash sign.
Consider the following example:

    rule login
      interactive true
      group rshell
      map program /etc/rush.shell : ${user} 1 2
      set [0] = ${program} ~ "s|^.*/||;s,^,-r,"

    rule nologin
      interactive true
      exit You don't have interactive access to this machine.
The ‘login’ rule will match interactive user requests if the user is a member of the group ‘rshell’. It uses /etc/rush.shell to select a shell to use for that user (see map). This map file consists of two fields, separated by a colon. If the shell is found, its base name, prefixed with ‘-r’, will be used as ‘argv[0]’ (this indicates a restricted login shell). Otherwise, the trap rule ‘nologin’ will be matched, which will output the given diagnostic message and terminate rush.
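The following is an added example, not part of GNU Rush or its manual: it emulates, with a constructed stand-in for /etc/rush.shell, what the ‘login’ rule's map and set statements compute for a user (the real rush checks group ‘rshell’ membership first; that check is assumed to have passed here).

```shell
# Added example (not GNU Rush code): emulate the map/set logic of the
# 'login' rule for an interactive user already in group rshell.

# Constructed stand-in for /etc/rush.shell: two fields separated by a colon.
MAPFILE=$(mktemp)
printf '%s\n' 'alice:/bin/bash' 'bob:/usr/local/bin/rksh' > "$MAPFILE"

# map program /etc/rush.shell : ${user} 1 2
# Find the line whose field 1 equals the user and return its field 2;
# fail, as the map statement does, when no such line exists.
lookup_shell() {
  awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit }
                     END { if (!found) exit 1 }' "$MAPFILE"
}

# set [0] = ${program} ~ "s|^.*/||;s,^,-r,"
# Same sed expression as the rule: strip the directory, then prepend "-r".
argv0_for() {
  printf '%s\n' "$1" | sed 's|^.*/||;s,^,-r,'
}

# Which rule fires: 'login' when the map yields a shell, else 'nologin'.
select_rule() {
  if lookup_shell "$1" >/dev/null; then echo login; else echo nologin; fi
}

# What rush would do for the user: exec the mapped shell with the
# restricted argv[0], or print the trap rule's diagnostic.
describe() {
  if program=$(lookup_shell "$1"); then
    echo "exec $program with argv[0]=$(argv0_for "$program")"
  else
    echo "You don't have interactive access to this machine."
  fi
}

describe alice   # exec /bin/bash with argv[0]=-rbash
describe carol   # You don't have interactive access to this machine.
```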
To test interactive access, use the -i option:

    rush --test -i
This document was generated on January 2, 2022 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.