GNU Rush
Restricted User Shell
Sergey Poznyakoff
To give you the feel of GNU Rush possibilities, let's consider the following configuration file rule:
    rule sftp
      # Conditions:
      command ^.*/sftp-server
      uid >= 100
      # Actions:
      transform[0] s,.*,bin/sftp-server,
      umask 002
      chroot ~
      chdir /
The first clause, rule, defines a new rule. Its argument
serves as a rule tag, used for diagnostic messages and for accounting.
Lines beginning with ‘#’ are comments; they are intended for a
human reader and are ignored by rush.
The two statements that follow the comment, command and
uid, define conditions that must be met for this rule to become
active. The command statement introduces a regular expression
that is matched against the command line. In this example, the command
line must begin with ‘/sftp-server’, optionally preceded by arbitrary
directory components. Nothing in the pattern anchors its end, so any
arguments following the command name are accepted as well.
The uid statement states that this rule applies only to users
whose UIDs are greater than or equal to 100.
Subsequent clauses define actions associated with this rule.
The transform[0] clause contains instructions on how to
modify the first argument of the command line (i.e. the command
name). These instructions take the form of a sed replacement
expression (see the section on transformation expressions). The
expression in our example instructs GNU Rush to replace the command name
with ‘bin/sftp-server’, whatever path the caller supplied.
The umask clause sets the file creation mask.
The chroot clause instructs GNU Rush to chroot to the user home
directory before executing the command.
Finally, the chdir statement sets the directory to change to
after installing the chroot.
In this particular case, the set statement, introduced in GNU Rush
version 1.6, is probably more appropriate:

    set[0] bin/sftp-server
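To make the matching and rewriting semantics of the rule above concrete, here is an added example that simulates how this rule's conditions and its transform[0] action apply to a few constructed command lines. It is not part of GNU Rush and not taken from the manual: the sed-style parser, the use of Python's re module in place of rush's own regex engine, and the sample inputs are all assumptions made for illustration.

```python
import re
import shlex

# The rule from the configuration above, expressed as data.
RULE_COMMAND_RE = re.compile(r"^.*/sftp-server")   # command ^.*/sftp-server
RULE_MIN_UID = 100                                 # uid >= 100
RULE_TRANSFORM0 = "s,.*,bin/sftp-server,"          # transform[0] s,.*,bin/sftp-server,


def parse_sed_subst(expr):
    """Parse a sed-style 's<delim>regex<delim>replacement<delim>[flags]'.

    Assumption: the delimiter is the character right after 's', as in sed,
    and the replacement contains no sed-specific escapes ('&' is not
    translated); only literal text and \\N back-references are handled.
    """
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("not a substitution expression: %r" % expr)
    delim = expr[1]
    parts = expr[2:].split(delim)
    if len(parts) < 3:
        raise ValueError("malformed substitution: %r" % expr)
    regex, repl, flags = parts[0], parts[1], parts[2]
    return re.compile(regex), repl, flags


def rule_matches(command_line, uid):
    """Both conditions of the rule must hold for it to become active."""
    return bool(RULE_COMMAND_RE.search(command_line)) and uid >= RULE_MIN_UID


def apply_transform(argv, index, expr):
    """Apply a sed-style substitution to one argv element.

    Without the 'g' flag sed replaces only the first match, so count=1;
    this also avoids Python's extra empty-string match at end of input.
    """
    regex, repl, flags = parse_sed_subst(expr)
    count = 0 if "g" in flags else 1
    new = list(argv)
    new[index] = regex.sub(repl, argv[index], count=count)
    return new


def apply_set(argv, index, value):
    """The set[N] equivalent: overwrite argv[N] with a literal value."""
    new = list(argv)
    new[index] = value
    return new


def apply_rule(command_line, uid):
    """Return the argv rush would execute if the rule fires, else None."""
    if not rule_matches(command_line, uid):
        return None
    argv = shlex.split(command_line)
    return apply_transform(argv, 0, RULE_TRANSFORM0)


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real logs or sessions.
    samples = [
        ("/usr/lib/openssh/sftp-server", 1000),          # typical invocation
        ("/usr/lib/openssh/sftp-server -e -l INFO", 1000),  # arguments pass through
        ("/bin/sh", 1000),                                # command condition fails
        ("/usr/lib/openssh/sftp-server", 50),             # uid condition fails
        ("/tmp/sftp-server-backdoor", 1000),              # unanchored end: still matches
    ]
    for cmd, uid in samples:
        print("%-45s uid=%-5d -> %r" % (cmd, uid, apply_rule(cmd, uid)))
```

The last sample is the caveat worth noticing: because the regular expression is not anchored at its end, a command line such as /tmp/sftp-server-backdoor satisfies the command condition. The rule is nevertheless safe in this respect, because transform[0] (or set[0]) discards whatever argv[0] the client sent and substitutes bin/sftp-server, which is then resolved inside the chroot; the attacker-supplied path never reaches exec. Any further arguments, however, are passed through to the real sftp-server unchanged.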
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.