GNU Rush – a restricted user shell

4.3.6 The include-security statement

Additional configuration can be included into the main configuration file using the include statement (see Include). Before inclusion, a number of checks are performed on the file to ensure that it is safe to rely on. These checks are configured using the following statement:

global: include-security list

Configure the security checks for include files. This statement takes a list of arguments, separated by white space. The following arguments are recognized; each check is described by the condition it detects:

all

Enable all checks.

owner

The file is not owned by root.

iwgrp
groupwritablefile

The file is group writable.

iwoth
worldwritablefile

The file is world writable.

dir_iwgrp
groupwritabledir

The file resides in a group writable directory.

dir_iwoth
worldwritabledir

The file resides in a world writable directory.

link

The file is a symbolic link to a file residing in a group or world writable directory.

Each of the above keywords may be prefixed by ‘no’, which reverses its meaning. The special keyword ‘none’ disables all checks. Each keyword adds a particular test to the existing check list, or removes it from that list. The list is initialized as described in security checks. Thus, the following statement results in all checks being enabled, except for the file ownership check:

global
  include-security noowner

In the example below, the check list is first cleared by using the none statement, and then a set of checks is added to it:

global
  include-security none owner iwoth iwgrp
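
The following audit helper is an added example, not part of the Rush manual or the Rush source code. It applies an include-security argument list the way the text above describes and reports which enabled conditions hold for a candidate include file. The function names, the default initial list, and the handling of ‘noall’ are assumptions made for illustration.

```python
import os
import stat

# Keywords from the page; long spellings map to the short ones listed with them.
CHECKS = ("owner", "iwgrp", "iwoth", "dir_iwgrp", "dir_iwoth", "link")
ALIASES = {"groupwritablefile": "iwgrp", "worldwritablefile": "iwoth",
           "groupwritabledir": "dir_iwgrp", "worldwritabledir": "dir_iwoth"}


def apply_list(words, initial=CHECKS):
    """Apply an include-security argument list to an existing check list.

    Assumption: `initial` defaults to every check, as the `noowner`
    example implies; the real initial list is defined elsewhere.
    """
    active = set(initial)
    for word in words.split():
        negate = word.startswith("no") and word != "none"
        name = word[2:] if negate else word
        name = ALIASES.get(name, name)
        if word == "none" or (negate and name == "all"):  # 'noall': assumed
            active.clear()
        elif name == "all":
            active = set(CHECKS)
        elif name in CHECKS:
            (active.discard if negate else active.add)(name)
        else:
            raise ValueError(f"unknown include-security keyword: {word}")
    return active


def findings(path, active):
    """Return the active checks whose documented condition holds for path."""
    real = os.path.realpath(path)            # target, if path is a symlink
    st = os.stat(real)
    own_dir = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    real_dir = os.stat(os.path.dirname(real)).st_mode
    hits = {
        "owner": st.st_uid != 0,
        "iwgrp": bool(st.st_mode & stat.S_IWGRP),
        "iwoth": bool(st.st_mode & stat.S_IWOTH),
        "dir_iwgrp": bool(own_dir & stat.S_IWGRP),
        "dir_iwoth": bool(own_dir & stat.S_IWOTH),
        "link": os.path.islink(path)
                and bool(real_dir & (stat.S_IWGRP | stat.S_IWOTH)),
    }
    return sorted(name for name in active if hits[name])
```

An empty result from `findings(path, apply_list("..."))` means none of the enabled conditions applies to the file; any name returned identifies a condition to fix before relying on the include.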
