Restricted User Shell
The exit rule does not execute any commands. Instead, it writes the supplied error message to the specified file descriptor and exits immediately. The exit rule is defined using the following statement:
Write the text of message to the file descriptor given by the optional argument fd. If fd is absent, ‘2’ (standard error) is used.
The message argument can be either a quoted string, or an identifier.
If it is a quoted string, it is subject to backreference interpretation and variable expansion prior to being used.
For example (note the use of line continuation character):
exit "\
      \r\nYou are not allowed to execute that command.\r\n\
      \r\nIf you think this is wrong, ask <firstname.lastname@example.org> for assistance.\r\n"
If message is an identifier, it must be the name of a predefined error message (see Error Messages). The corresponding message text will be printed. For example:
If the identifier does not match any predefined error message name,
an error of type ‘config-error’ is signaled and
Exit actions are useful for writing trap rules, i.e. the rules that are intended to trap incorrect or prohibited command lines and to return customized reply messages in such cases. Consider the following rule:
rule git
  match $program ~ "^git-.+" && $1 ~ "^/sources/[^ ]+\.git$"
  set command =~ "s|.*|/usr/bin/git-shell -c \"&\"|"
It allows the client to use only those Git repositories that are located under the /sources directory. If a user tries to access a repository outside this root, they will receive the default error message, saying ‘You are not permitted to execute this command’ (see usage-error). You can, however, provide a more convenient message in this case. To do so, place the following after the ‘git’ rule:
rule git-trap
  match $command ~ "^git-.+"
  exit "fatal: Use of this repository is prohibited."
This rule will trap all git invocations that do not match the ‘git’ rule.
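To check which of these two rules a given command line ends up in, the following added example (not part of the Rush manual or of Rush itself) models them in Python using the regular expressions shown above. It assumes shell-style word splitting, $program equal to the first word, and that the first matching rule wins; the sample command lines are constructed.

```python
import re
import shlex

# Regular expressions copied from the 'git' and 'git-trap' rules above.
GIT_PROGRAM = re.compile(r"^git-.+")
GIT_REPO = re.compile(r"^/sources/[^ ]+\.git$")
TRAP_MESSAGE = "fatal: Use of this repository is prohibited."
DEFAULT_MESSAGE = "You are not permitted to execute this command"  # usage-error


def evaluate(command):
    """Return (rule_name, result) for one requested command line.

    Assumptions of this model: words are split shell-style, $program is
    word 0, $1 is word 1, and rules are tried in the order they are written.
    """
    try:
        words = shlex.split(command)
    except ValueError:          # unbalanced quotes: no usable words
        words = []
    program = words[0] if words else ""
    arg1 = words[1] if len(words) > 1 else ""

    # rule git: both conditions must hold.
    if GIT_PROGRAM.search(program) and GIT_REPO.search(arg1):
        # set command =~ "s|.*|/usr/bin/git-shell -c \"&\"|"  ('&' is the match)
        wrap = lambda m: '/usr/bin/git-shell -c "%s"' % m.group(0)
        return "git", re.sub(r".*", wrap, command, count=1)

    # rule git-trap: any other git-* invocation gets the custom exit message.
    if GIT_PROGRAM.search(command):
        return "git-trap", TRAP_MESSAGE

    # No rule matched: the default error applies.
    return None, DEFAULT_MESSAGE


if __name__ == "__main__":
    samples = [                                   # constructed command lines
        "git-upload-pack '/sources/project.git'",
        "git-receive-pack '/home/alice/private.git'",
        "ls -l /sources",
    ]
    for line in samples:
        print("%-45s -> %s: %s" % ((line,) + evaluate(line)))
```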
This document was generated on July 12, 2019 using makeinfo. Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.