GNU Rush
Restricted User Shell
Sergey Poznyakoff
On the server side, rsync is executed with the --server command line option. In addition, when copying files from the server, the --sender option is used. This makes it possible to distinguish incoming (upload) requests from outgoing (download) requests.

In our setup, rsync is used the same way as scp, so the two rules will be:
     rule rsync-incoming
       # Uploads only (no --sender) into /incoming/, rejecting any "../" in the path.
       match $command ~ "^rsync --server" && \
             $command !~ --sender && \
             ${-1} ~ "/incoming/" && ${-1} !~ "\\.\\./"
       set [0] =~ "s|^|/usr/bin/|"
       set [-1] =~ "s|^|/home/ftp/|"

     rule rsync-home
       # Any other rsync request whose last argument is not a relative path
       # and contains no "../": confine it to public_html under the home directory.
       match $command ~ "^rsync" && \
             ${-1} !~ "^[^/]" && \
             ${-1} !~ "\\.\\./"
       set [0] =~ "s|^|/usr/bin/|"
       set [-1] =~ "s|^|public_html/|"
       chdir "~"
The trap rules for rsync are trivial:
     rule rsync-to-trap
       match $command ~ "^rsync.*--sender"
       exit "Error: Downloads from this directory prohibited"

     rule rsync-from-trap
       match $command ~ "^rsync"
       exit "Error: Uploads to this directory prohibited"
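To see which of the four rules above fires for a given request, here is a small Python simulation (an added example, not code from GNU Rush or this manual): it re-implements the match and set semantics of these rules by hand, evaluates them in the order shown and stops at the first match, on constructed rsync server command lines. The sample command lines are made up for the example.

```python
import re
import shlex

# Constructed rsync server command lines, i.e. what sshd hands to the login
# shell for "rsync ... user@host:path" (made up for this example).
SAMPLES = {
    "upload-ok":   "rsync --server -vlogDtpr . /incoming/drop",
    "upload-trav": "rsync --server -vlogDtpr . /incoming/../etc/passwd",
    "home-dl":     "rsync --server --sender -vlogDtpr . /site",
    "dl-trav":     "rsync --server --sender -vlogDtpr . docs/../secret",
    "upload-else": "rsync --server -vlogDtpr . uploads",
}

def evaluate(command):
    """Simulate the rsync rules: return the rule that fires and its effect."""
    argv = shlex.split(command)
    last = argv[-1]                      # rush's ${-1}
    m = lambda s, rx: re.search(rx, s) is not None   # rush's "~" operator
    # rule rsync-incoming: upload into /incoming/, no "../"
    if (m(command, r"^rsync --server") and not m(command, r"--sender")
            and m(last, r"/incoming/") and not m(last, r"\.\./")):
        argv[0] = "/usr/bin/" + argv[0]          # set [0] =~ "s|^|/usr/bin/|"
        argv[-1] = "/home/ftp/" + argv[-1]       # set [-1] =~ "s|^|/home/ftp/|"
        return {"rule": "rsync-incoming", "argv": argv, "chdir": None, "exit": None}
    # rule rsync-home: last argument must not start with a non-slash, no "../"
    if (m(command, r"^rsync") and not m(last, r"^[^/]")
            and not m(last, r"\.\./")):
        argv[0] = "/usr/bin/" + argv[0]
        argv[-1] = "public_html/" + argv[-1]     # set [-1] =~ "s|^|public_html/|"
        return {"rule": "rsync-home", "argv": argv, "chdir": "~", "exit": None}
    # rule rsync-to-trap: any remaining download attempt
    if m(command, r"^rsync.*--sender"):
        return {"rule": "rsync-to-trap", "argv": None, "chdir": None,
                "exit": "Error: Downloads from this directory prohibited"}
    # rule rsync-from-trap: any remaining upload attempt
    if m(command, r"^rsync"):
        return {"rule": "rsync-from-trap", "argv": None, "chdir": None,
                "exit": "Error: Uploads to this directory prohibited"}
    return {"rule": None, "argv": None, "chdir": None, "exit": None}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        r = evaluate(cmd)
        print(f"{name:12} -> {r['rule']}: {r['argv'] or r['exit']}")
```

Note that the traversal attempts ("../") fall through both real rules and land in the trap rules, which is the intended defence; the prefixing in `set [-1]` can produce a doubled slash (e.g. `/home/ftp//incoming/drop`), which the kernel path resolver treats as a single one.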
This document was generated on June 29, 2019 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.