# Sample configuration file for rush, patterned on Debian habits,
# and developed by the Debian package maintainer.
#
# Lines beginning with # and empty lines are ignored.
# See `info rush' for a detailed description.
#
# Assumptions:
#
# /srv/rush/            rush will chroot to this directory before
#                       doing the requested operation (provided it
#                       is allowed by this config). It should contain
#                       at least the following directories:
#                         bin cvsroot dev etc gitroot home incoming
#                         lib lib64 svnroot usr var
#                       All binaries are supposed to reside in bin.
#                       Paths in the rules below are relative to this
#                       chroot, so "/incoming" means /srv/rush/incoming.
#
# /srv/rush/home        Directory for hosting home directories
#                       of users that are allowed to use the
#                       chrooted service, as declared below.
#
# /srv/rush/cvsroot/    Base directories for version control (seen as
# /srv/rush/svnroot/    /cvsroot, /svnroot and /gitroot inside the
# /srv/rush/gitroot/    chroot). Depending on type, the subdirectory is
#                       the actual repository.
#
# /srv/rush/incoming/{alpha,ftp} are the download areas that the scp
#                       rule below populates (seen as /incoming/{alpha,ftp}
#                       inside the chroot).
#
# The file README.Debian contains relevant comments on the settings here.
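# Added example, not part of the Debian package or of rush itself: a Python
# helper that creates the directory tree the assumptions above describe and
# copies the service programs into bin together with the shared libraries
# that ldd reports for them. The host paths in SERVICE_BINARIES, the use of
# ldd, and the 2775 mode on the drop areas are assumptions to adjust for your
# system; device nodes under dev and the passwd/group files under etc that
# some of the services need are not created here.

```python
import os
import shutil
import subprocess
from typing import List, Optional

# Directories from the header, relative to the chroot; incoming gets its two drop areas.
CHROOT_DIRS = ["bin", "cvsroot", "dev", "etc", "gitroot", "home", "incoming/alpha",
               "incoming/ftp", "lib", "lib64", "svnroot", "usr", "var"]
DROP_AREAS = ["incoming/alpha", "incoming/ftp"]

# Assumed host locations of the programs the rules execute from /bin (adjust per distribution).
SERVICE_BINARIES = ["/usr/bin/scp", "/usr/lib/openssh/sftp-server", "/usr/bin/rsync",
                    "/usr/bin/cvs", "/usr/bin/svnserve",
                    "/usr/bin/git-upload-pack", "/usr/bin/git-receive-pack"]


def make_tree(root: str) -> List[str]:
    """Create the skeleton under ROOT and return the directories made. The drop
    areas get mode 2775 so that, once chgrp'd to the rush users' group, files
    written by scp inherit that group (assumed policy, see the scp rule)."""
    made = []
    for d in CHROOT_DIRS:
        path = os.path.join(root, d)
        os.makedirs(path, exist_ok=True)
        made.append(path)
    for area in DROP_AREAS:
        os.chmod(os.path.join(root, area), 0o2775)
    return made


def tree_complete(root: str) -> bool:
    """True when every directory from the header exists under ROOT."""
    return all(os.path.isdir(os.path.join(root, d)) for d in CHROOT_DIRS)


def parse_ldd(output: str) -> List[str]:
    """Absolute library paths from ldd output; 'not found' and vdso lines are skipped."""
    libs = []
    for line in output.splitlines():
        fields = line.split()
        if "=>" in fields:
            i = fields.index("=>") + 1
            if i < len(fields) and fields[i].startswith("/"):
                libs.append(fields[i])
        elif fields and fields[0].startswith("/"):      # the dynamic loader line
            libs.append(fields[0])
    return libs


def shared_libs(binary: str) -> List[str]:
    """Run ldd on BINARY; empty when ldd is missing or the file is static."""
    ldd = shutil.which("ldd")
    if ldd is None:
        return []
    proc = subprocess.run([ldd, binary], capture_output=True, text=True)
    return parse_ldd(proc.stdout) if proc.returncode == 0 else []


def install_binary(root: str, binary: str) -> Optional[str]:
    """Copy BINARY to ROOT/bin and its libraries to the same paths under ROOT.
    Returns the installed path, or None if BINARY is not an executable file."""
    if not (os.path.isfile(binary) and os.access(binary, os.X_OK)):
        return None
    dest = os.path.join(root, "bin", os.path.basename(binary))
    shutil.copy2(binary, dest)
    for lib in shared_libs(binary):
        target = root + lib
        if not os.path.exists(target):
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(lib, target)
    return dest


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/srv/rush"
    make_tree(root)
    for b in SERVICE_BINARIES:
        print(install_binary(root, b) or f"skipped {b} (not found on this host)")
```

# Run it as root with the chroot path as argument (default /srv/rush) and
# re-run it after upgrading any of the copied programs, so the libraries in
# the chroot stay in step with the host's.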
# Use modern configuration syntax
rush 2.0
# Global settings
global
# This setting is most useful when deploying a new configuration.
# Decrease it if the resulting log is too verbose for you.
debug 2
#
# Default settings
#
rule default
acct on
limits t10 r20
umask 002
clrenv
keepenv USER LOGNAME HOME
setenv PATH = "/bin"
chroot "/srv/rush"
#
# Uncomment this to activate the notification subsystem:
# (Also install 'rush-notifier' or a similar script.)
#
#post-socket "inet://localhost"
#
fall-through
######################
# File moving services
######################
# Scp requests: only putting, no fetching.
#
# The server host needs the paths
#
# /srv/rush/incoming/{alpha,ftp}
#
# (seen as /incoming/{alpha,ftp} after the chroot), and they must be
# writable by the service users. A specific group can be assigned to
# all users expected to gain access via GNU rush.
rule scp-to
match $command ~ "^scp (-v )?-t( --)? /incoming/(alpha|ftp)/?" && \
${-1} !~ "/\\.\\."
set program = "/bin/scp"
set [-1] =~ "s,^/incoming/,,"
chdir "/incoming"
# A trap rule for outbound scp requests
rule scp-from
match $command ~ "^scp (-v )?-f"
exit "Error: Secure copy from this server is not allowed"
# Sftp-server requests: chroot to the virtual server, change to the user's
# home directory, set umask to 002 and execute only /bin/sftp-server.
# For illustrative purposes, only users with uid greater than or equal to
# 1000 are allowed to use sftp. Adjust the match condition below if that's
# not what you need. Refer to
# https://www.gnu.org.ua/software/rush/manual/html_section/Rule.html
# for a detailed discussion of match statement and conditional expressions.
rule sftp-rush
match $command ~ "^.*/sftp-server" && $uid >= 1000
set program = "/bin/sftp-server"
umask 002
chdir "/home/$user"
# Rsync service: chroot to the virtual server, move to home directory.
# Take care to forbid jumping to parent directories: the destination
# (the last argument) must be relative and must not contain a ".."
# component, whether it stands alone, leads, is embedded or trails.
rule rsync-home
match $command ~ "^rsync --server" && $uid >= 1000 && \
${-1} !~ "^/" && ${-1} !~ "(^|/)\\.\\.(/|$)"
set program = "/bin/rsync"
set [-1] =~ "s,^~/,./,"
umask 002
chdir "/home/$user"
##############
# VCS services
##############
# CVS connections
# Requesters should use full repository names, e.g.
# cvs -d :ext:myname@server:/cvsroot co project
# (/cvsroot is the repository base as seen after the chroot, i.e.
# /srv/rush/cvsroot on the host).
rule cvs
match $command ~ "^cvs server"
set program = "/bin/cvs"
setenv CVSROOT = "/cvsroot"
chdir "/cvsroot"
# Svn server: force full binary path and root directory.
# Requesters are supposed to use relative repository names, e.g.:
# svn checkout svn+ssh://myname@server/coolproject
# will check out from the repository /srv/rush/svnroot/coolproject.
rule svn-rush
match $command ~ "^svnserve -t"
remopt r:
set [0] = "/bin/svnserve"
insert [1] = "-r"
insert [2] = "/svnroot"
chdir "/"
# Git services: allow only uploads to and fetches from repositories located
# under /gitroot/ (i.e. /srv/rush/gitroot/ on the host). As with svn,
# requesters should use relative repository names, e.g.:
# git clone ssh://myname@server/coolproject.git
rule git-rush
match $command ~ "^git-(receive|upload)-pack" && \
$1 ~ "^/[^/ ]+\\.git$"
set [0] =~ "s|^|/bin/|"
set [-1] =~ "s|^|/gitroot|"
chdir "/"
# Trap the rest of Git requests:
rule git-trap
match $command ~ "^git-(receive|upload)-pack"
exit "fatal: access to this repository is denied."
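# Added example, not part of the Debian package or of rush itself: a small
# Python model of the file-moving and VCS rules above that replays their
# match expressions against constructed command lines, so the allow/deny
# decision for each one (including the traversal attempts the rules are
# meant to block) can be checked without a live sshd. It assumes rush splits
# $command into words like a POSIX shell, that `~` is an extended-regex
# search, and that rules are tried in file order with the first match
# winning; the default rule is fall-through and only sets up the
# environment, so it is left out. The rsync parent-directory test is written
# as (^|/)\.\.(/|$) so that a bare ".." destination is rejected as well.

```python
import re
import shlex
from typing import List, Tuple

Argv = List[str]

# A ".." path component anywhere: "..", "../x", "x/..", "x/../y".
_DOTDOT_COMPONENT = re.compile(r"(^|/)\.\.(/|$)")


def _scp_to(argv: Argv) -> Tuple[Argv, str]:
    out = ["/bin/scp"] + argv[1:]                    # set program = "/bin/scp"
    out[-1] = re.sub(r"^/incoming/", "", out[-1])    # set [-1] =~ "s,^/incoming/,,"
    return out, "/incoming"                          # chdir "/incoming"

def _sftp(argv: Argv) -> Tuple[Argv, str]:
    return ["/bin/sftp-server"] + argv[1:], "/home/$user"

def _rsync(argv: Argv) -> Tuple[Argv, str]:
    out = ["/bin/rsync"] + argv[1:]                  # set program = "/bin/rsync"
    out[-1] = re.sub(r"^~/", "./", out[-1])          # set [-1] =~ "s,^~/,./,"
    return out, "/home/$user"

def _cvs(argv: Argv) -> Tuple[Argv, str]:
    return ["/bin/cvs"] + argv[1:], "/cvsroot"

def _svn(argv: Argv) -> Tuple[Argv, str]:
    rest, i = [], 1
    while i < len(argv):                             # remopt r: drops "-r ARG" / "-rARG"
        if argv[i] == "-r":
            i += 2
        elif argv[i].startswith("-r"):
            i += 1
        else:
            rest.append(argv[i])
            i += 1
    # set [0] = "/bin/svnserve"; insert [1] = "-r"; insert [2] = "/svnroot"
    return ["/bin/svnserve", "-r", "/svnroot"] + rest, "/"

def _git(argv: Argv) -> Tuple[Argv, str]:
    out = ["/bin/" + argv[0]] + argv[1:]             # set [0] =~ "s|^|/bin/|"
    out[-1] = "/gitroot" + out[-1]                   # set [-1] =~ "s|^|/gitroot|"
    return out, "/"

# (rule name, match predicate over (command, argv, uid), rewrite function or exit message),
# in the order the rules appear in the configuration.
RULES = [
    ("scp-to",
     lambda c, a, u: re.search(r"^scp (-v )?-t( --)? /incoming/(alpha|ftp)/?", c) is not None
     and re.search(r"/\.\.", a[-1]) is None,
     _scp_to),
    ("scp-from",
     lambda c, a, u: re.search(r"^scp (-v )?-f", c) is not None,
     "Error: Secure copy from this server is not allowed"),
    ("sftp-rush",
     lambda c, a, u: re.search(r"^.*/sftp-server", c) is not None and u >= 1000,
     _sftp),
    ("rsync-home",
     lambda c, a, u: re.search(r"^rsync --server", c) is not None and u >= 1000
     and not a[-1].startswith("/") and _DOTDOT_COMPONENT.search(a[-1]) is None,
     _rsync),
    ("cvs", lambda c, a, u: re.search(r"^cvs server", c) is not None, _cvs),
    ("svn-rush", lambda c, a, u: re.search(r"^svnserve -t", c) is not None, _svn),
    ("git-rush",
     lambda c, a, u: re.search(r"^git-(receive|upload)-pack", c) is not None
     and len(a) > 1 and re.fullmatch(r"/[^/ ]+\.git", a[1]) is not None,
     _git),
    ("git-trap",
     lambda c, a, u: re.search(r"^git-(receive|upload)-pack", c) is not None,
     "fatal: access to this repository is denied."),
]


def dispatch(command: str, uid: int):
    """Return (rule, argv, cwd) when a rule accepts the command, (rule, None,
    message) when a trap rule fires, and (None, None, None) when no rule
    matches, in which case rush refuses the command."""
    argv = shlex.split(command)
    if not argv:
        return None, None, None
    for name, pred, action in RULES:
        if not pred(command, argv, uid):
            continue
        if isinstance(action, str):
            return name, None, action
        new_argv, cwd = action(argv)
        return name, new_argv, cwd
    return None, None, None


# Constructed command lines in the form sshd hands them to rush (not captured traffic).
SAMPLES = [
    ("scp -t /incoming/alpha/", 1001),
    ("scp -t /incoming/alpha/../../etc/passwd", 1001),
    ("scp -f /incoming/ftp/secret.tar", 1001),
    ("rsync --server -logDtpre.iLsfxC . ..", 1001),
    ("/usr/lib/openssh/sftp-server", 999),
    ("git-upload-pack '/coolproject.git'", 1001),
    ("git-upload-pack '/../etc/shadow.git'", 1001),
]

if __name__ == "__main__":
    for cmd, uid in SAMPLES:
        print(f"uid={uid} {cmd!r} -> {dispatch(cmd, uid)}")
```

# Run it directly to print the decision for each sample and extend SAMPLES
# with the command lines your own clients actually send; the model is a
# check on the regular expressions, not a substitute for testing the live
# configuration.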