GNU Rush – a restricted user shell (split by node):   Section:   Chapter:FastBack: Configuration File   Up: Rule   FastForward: Default Configuration   Contents: Table of ContentsIndex: Concept Index

4.4.6 System Actions

System actions provide an interface to the operating system.

rule: umask mask

Set the umask. The mask must be an octal value not greater than ‘0777’. The default umask is ‘022’.

rule: newgrp group-id
rule: newgroup group-id

Change the current group ID to group-id, which is either a numeric value or a name of an existing group.

rule: chroot dir

Change the root directory to that specified in dir. This directory will be used for file names beginning with ‘/’. The argument is subject to tilde, variable, and backreference expansions. During tilde expansion, a tilde (‘~’) at the start of string is replaced with the absolute pathname of the user’s home directory. The two other expansions are described in Variable expansion, and backreference.

The directory dir must be properly set up to execute the commands. For example, the following rule defines execution of sftp-server in an environment chrooted to the user’s home directory: 

rule sftp
  match $program ~ "^.*/sftp-server"
  set [0] = "bin/sftp-server"
  chroot "~"

For this to work, each user’s home must contain the directory bin with a copy of sftp-server in it, as well as all directories and files that are needed for executing it, in particular lib.

rule: chdir dir

Change to the directory dir. The argument is subject to tilde, variable (see Variable expansion), and backreference expansions (see backreference). If both chdir and chroot are specified, then chroot is applied first.

rule: limits res

Impose limits on system resources, as defined by res. The argument consists of commands, optionally separated by any amount of whitespace. A command is a single command letter followed by a number, that specifies the limit. The command letters are case-insensitive and coincide with those used by the shell ulimit utility:

CommandThe limit it sets
Amax address space (KB)
Cmax core file size (KB)
Dmax data size (KB)
Fmaximum file size (KB)
Mmax locked-in-memory address space (KB)
Nmax number of open files
Rmax resident set size (KB)
Smax stack size (KB)
Tmax CPU time (MIN)
Umax number of processes
Lmax number of logins for this user (see below)
Pprocess priority -20..20 (negative = high priority)

For example: 

limits T10 R20 U16 P20

If some limit cannot be set, execution of the rule aborts. In particular, the ‘L’ limit can be regarded as a condition, rather than an action. Setting limit Ln succeeds only if no more than n rush instances are simultaneously running for the same user. This can be used to limit the number of simultaneously open sessions.

The use of ‘L’ resource automatically enables forked mode. See Accounting and Forked Mode, for more information about it.

GNU Rush – a restricted user shell (split by node):   Section:   Chapter:FastBack: Configuration File   Up: Rule   FastForward: Default Configuration   Contents: Table of ContentsIndex: Concept Index

This document was generated on January 2, 2022 using makeinfo.

Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.