GNU Rush – a restricted user shell

6.2 rsync

On the server side, rsync is executed with the --server command line option. In addition, when copying files from the server, the --sender option is used. This makes it possible to discern between incoming and outgoing requests.

In our setup, rsync is used the same way as scp, so the two rules will be:

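# Incoming request (no --sender) whose target contains /incoming/ and no ../
rule rsync-incoming
  match $command ~ "^rsync --server" && \
        $command !~ "--sender" && \
        ${-1} ~ "/incoming/" && ${-1} !~ "\\.\\./"
  set [0] =~ "s|^|/usr/bin/|"
  set [-1] =~ "s|^|/home/ftp/|"

# Requests that pass the path checks below run from the user's home
# directory, with the target placed under public_html
rule rsync-home
  match $command ~ "^rsync" && \
        ${-1} !~ "^[^/]" && \
        ${-1} !~ "\\.\\./"
  set [0] =~ "s|^|/usr/bin/|"
  set [-1] =~ "s|^|public_html/|"
  chdir "~"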

The trap rules for rsync are trivial:

rule rsync-to-trap
  match $command ~ "^rsync.*--sender"
  exit "Error: Downloads from this directory prohibited"

rule rsync-from-trap
  match $command ~ "^rsync"
  exit "Error: Uploads to this directory prohibited"
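
The following Python sketch is an added example, not part of the Rush manual or of Rush itself. It models the four rules above, in the order listed and exactly as their match conditions are written, so the outcome for a given server-side command line can be checked before deploying the configuration. It assumes shell-like word splitting, that `set ... =~` applies the substitution to both words, and that the sample command lines (constructed here) resemble what rsync sends.

```python
import re
import shlex

TRAVERSAL = re.compile(r"\.\./")   # the "\\.\\./" pattern from the rules

def evaluate(command):
    """Return (rule_name, result) for one server-side command line.

    result is the rewritten argv for an accepting rule, or the error
    text for a trap rule. Rules are tried in the order the page lists them.
    """
    argv = shlex.split(command)    # assumption: shell-like word splitting
    last = argv[-1]                # ${-1} in the rules
    if (re.search(r"^rsync --server", command)
            and not re.search(r"--sender", command)
            and re.search(r"/incoming/", last)
            and not TRAVERSAL.search(last)):
        argv[0] = "/usr/bin/" + argv[0]
        argv[-1] = "/home/ftp/" + last
        return "rsync-incoming", argv
    if (re.search(r"^rsync", command)
            and not re.search(r"^[^/]", last)
            and not TRAVERSAL.search(last)):
        argv[0] = "/usr/bin/" + argv[0]
        argv[-1] = "public_html/" + last   # resolved after chdir "~"
        return "rsync-home", argv
    if re.search(r"^rsync.*--sender", command):
        return "rsync-to-trap", "Error: Downloads from this directory prohibited"
    if re.search(r"^rsync", command):
        return "rsync-from-trap", "Error: Uploads to this directory prohibited"
    return None, None              # no rule on this page matches

# Constructed sample command lines (not captured from a real session).
SAMPLES = [
    "rsync --server -logDtpr . /incoming/site.tar",
    "rsync --server -logDtpr . /incoming/../../etc/passwd",
    "rsync --server --sender -logDtpr . ../secret",
    "rsync --server -logDtpr . /site/index.html",
    "rsync --server -logDtpr . docs/index.html",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", evaluate(cmd))
```
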
