# Sample configuration file for rush, patterned on Debian habits,
# and developed by the Debian package maintainer.
#
# Lines beginning with # and empty lines are ignored.
# See `info rush' for a detailed description.
#
# $Rev: 61 $
#
# Assumptions:
#
# /srv/rush/ is a chrootable directory, e.g. built
# by debootstrap. Any user name allowed to use a
# chrooted service, as declared below, must be
# duplicated inside that chroot.
#
# /srv/rush/srv/svnroot/, /srv/rush/srv/cvsroot/ and /srv/rush/srv/gitroot/
# are base directories for version control. Depending on type, the
# subdirectory is the actual repository.
#
# /srv/rush/srv/incoming/{alpha,ftp} are download areas.
#
# The file README.Debian contains relevant comments on the settings here.
# Set verbosity level.
debug 1
#
# Default settings
#
# This rule applies to every request; the 'fall-through' at its end lets
# matching continue with the service rules below, so the settings here
# act as a baseline for all of them.
rule default
# Enable accounting of rush sessions.
acct on
# Per-process resource limits; the letters select the limit type
# (see `info rush' for the meaning and units of t and r).
limits t10r20
umask 002
# Start from an empty environment (the leading '-'), then keep only
# the listed variables.
env - USER LOGNAME HOME PATH
#
# Uncomment this to activate the notification subsystem:
# (Also install 'rush-notifier' or a similar script.)
#
#post-socket inet://localhost
#
fall-through
######################
# File moving services
######################
# Scp requests: only putting, no fetching.
#
# The server host needs the paths
#
# /srv/rush/srv/incoming/{alpha,ftp}
#
# and that they be writable! A specific
# group can be assigned to all users
# expected to gain access via GNU rush.
rule scp-to
# Accept only scp "sink" (-t) invocations whose target starts with
# /incoming/alpha or /incoming/ftp; the prefix is not end-anchored,
# containment relies on the chroot/chdir below plus the '..' check.
command ^scp (-v )?-t( --)? /incoming/(alpha|ftp)/?
# Force argv[0] to the real binary regardless of what the client sent.
set[0] /usr/bin/scp
# Reject any '/..' component in the target path (the last argument).
match[$] ! /\.\.
# Drop the '/incoming/' prefix so the target is relative to the chdir.
transform[$] s,^/incoming/,,
chroot /srv/rush
chdir /srv/incoming
# A trap rule for outbound scp requests
rule scp-from
# Outbound (source, -f) scp requests are refused with the message below.
command ^scp (-v )?-f
exit Error: Secure copy from this server is not allowed
# Sftp-server requests: chroot to the virtual server, change to the user's
# home directory, set umask to 002 and execute only
# /usr/lib/sftp-server.
#
# Setting for a chroot directory created using 'debootstrap'.
#
# Remark: The location '/usr/lib/' is inherited.
rule sftp-rush
# Any command line that begins with a path ending in 'sftp-server'.
command ^.*/sftp-server
# Non-system accounts only.
uid >= 1000
# Replace the client-supplied binary path with the fixed one.
set[0] /usr/lib/sftp-server
umask 002
chroot /srv/rush
# The user's home directory — presumably resolved inside the chroot;
# verify against the account layout in /srv/rush.
chdir ~
# The alternative chroot directory, now created using 'mkchroot-rush.pl'.
#
# Remark: The location '/usr/bin/' is generated.
##rule sftp-rush
## command ^.*/sftp-server
## uid >= 1000
## set[0] /usr/bin/sftp-server
## umask 002
## chroot /srv/rush
## chdir ~
# Rsync service: chroot to the virtual server, move to the home directory,
# and check that paths do not backtrack.
#
rule rsync-home
command ^rsync --server
# Non-system accounts only.
uid >= 1000
# Force argv[0] to the real binary.
set[0] /usr/bin/rsync
# The last argument must be a path under '~/' and must not contain '..'.
match[$] ^~/.*
match[$] ! \.\.
# Rewrite '~/' to './' so the path is relative to the home chdir below.
transform[$] s,^~/,./,
umask 002
chroot /srv/rush
chdir ~
##############
# VCS services
##############
# CVS connections
#
rule cvs
# NOTE(review): unlike sftp-rush and rsync-home, this rule has no
# 'uid >= 1000' restriction — confirm that system accounts are meant
# to be accepted here.
command ^cvs server
set[0] /usr/bin/cvs
# CVSROOT as seen from inside the chroot below.
env CVSROOT=/srv/cvsroot
chroot /srv/rush
chdir /srv/cvsroot
# Svn server: force full binary path and root directory.
#
rule svn-rush
command ^svnserve -t
# First strip any client-supplied '-r <path>', then force the full
# binary path and the fixed repository root. Note this rule sets no
# chroot; the root passed to svnserve is the host path.
transform s|-r *[^ ]*||;s|^svnserve |/usr/bin/svnserve -r /srv/rush/srv/svnroot |
# Git services: allow only upload and fetch to repositories located under
# /srv/gitroot/
rule git-rush
command ^git-(receive|upload)-pack
# Argument 1 must be a repository path under /gitroot/ ending in '.git'.
# NOTE(review): '[^ ]+' does not exclude '..' components the way the
# scp-to and rsync-home rules do; consider adding `match[1] ! \.\.`
# so the path cannot leave /gitroot within the chroot — confirm.
match[1] ^/gitroot/[^ ]+\.git/?$
# Force the full binary path.
transform[0] s|^|/usr/bin/|
# Prefix the repository path with /srv, as seen inside the chroot below.
transform[1] s,/gitroot,/srv&,
chroot /srv/rush
chdir /
# Trap the rest of Git requests:
rule git-trap
# Any git pack request not accepted by git-rush above lands here and is
# refused with the message below.
command ^git-(receive|upload)-pack
exit fatal: access to this repository is denied.