GNU Rush
Restricted User Shell
Sergey Poznyakoff
Sometimes it may be necessary to allow some group of users limited access to interactive shells. GNU Rush contains provisions for such usage. When rush is invoked without -c, it assumes interactive usage. In this case only rules explicitly marked as interactive are considered; the rest of the rules are ignored.
The interactive statement marks the rule it appears in as interactive. This rule will match only if rush is invoked without command line arguments.
Unless command line transformations are applied, an interactive rule finishes by executing /bin/sh. The first word in the command line (argv[0]) is normally set to the basename of the command being executed, prefixed by a dash sign.
Consider the following example:
    rule login
      interactive
      group rshell
      map[^] /etc/rush.shell : ${user} 1 2
      transform[0] ${program} s,^,-r,

    rule nologin
      interactive
      exit You don't have interactive access to this machine.
The ‘login’ rule will match interactive user requests if the user is a member of the group ‘rshell’. It uses /etc/rush.shell to select a shell to use for that user (see map). Each line of this map file consists of two fields separated by a colon: the user name and the shell to run for that user. If the shell is found, its base name, prefixed with ‘-r’, will be used as ‘argv[0]’ (this indicates a restricted login shell). Otherwise, the trap rule ‘nologin’ will be matched, which will output the given diagnostic message and terminate rush.
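The lookup and argv[0] rewrite that the two rules above perform, re-created as a small POSIX shell script. This is an added illustration, not code from GNU Rush or this manual: the map file contents and the helper names map_shell, restricted_argv0 and resolve are constructed here, and the ‘group rshell’ membership check is not modelled.

```shell
#!/bin/sh
# Constructed sample map file in the layout "map[^] /etc/rush.shell : ${user} 1 2"
# expects: field 1 is the user name, field 2 the shell, separated by a colon.
# carol has an empty shell field and must fall through to the "nologin" rule.
MAPFILE=$(mktemp)
cat > "$MAPFILE" <<'EOF'
alice:/bin/bash
bob:/usr/bin/rbash
carol:
EOF

# Emulate the map lookup: print field 2 of the first line whose field 1
# equals the user name; print nothing when there is no usable entry.
map_shell() {
    awk -F: -v user="$1" '$1 == user && $2 != "" { print $2; exit }' "$2"
}

# Emulate "transform[0] ${program} s,^,-r,": argv[0] becomes the base name
# of the selected shell prefixed with "-r" (a restricted login shell).
restricted_argv0() {
    printf '%s%s\n' -r "$(basename "$1")"
}

# Report which rule would fire for a user: "login PROGRAM ARGV0" when the
# map yields a shell, otherwise the trap rule "nologin".
resolve() {
    shell=$(map_shell "$1" "$2")
    if [ -n "$shell" ]; then
        printf 'login %s %s\n' "$shell" "$(restricted_argv0 "$shell")"
    else
        printf 'nologin\n'
    fi
}

resolve alice "$MAPFILE"   # login /bin/bash -rbash
resolve carol "$MAPFILE"   # nologin
```

An entry whose shell field is empty is treated like a missing user, so such accounts end up at the ‘nologin’ trap rather than being handed an empty program name.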
To test interactive access, use the -i option:

    rush --test -i
This document was generated on June 29, 2019 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.