1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
# Sample configuration file for rush.
# Lines beginning with # and empty lines are ignored.
# See `info rush' for a detailed description.
rush 2.0
global
# Set verbosity level.
debug 1
rule default
limits t10r20
umask 002
clrenv
keepenv USER LOGNAME HOME PATH
setenv PATH="$PATH:/usr/local/bin"
fall-through
rule cvs
match $command ~ "^cvs server"
set [0] = "/usr/bin/cvs"
# Secure cp requests
rule scp-to
match $command ~ "^scp (-v )?-t /incoming/(alpha|ftp)"
set [0] = "/bin/scp"
chroot "/var/spool/sftp-upload"
chdir "/incoming"
# A trap rule for outbound scp requests
rule scp-from
match $command ~ "^scp (-v )?-f"
exit "Error: Secure copy from this server is not allowed"
# Svn server: force full binary path and root directory.
rule svn
match $command ~ "^svnserve -t"
set program = "/usr/bin/svnserve"
remopt r:
insert [1] = "-r"
insert [2] = "/svnroot"
# For git requests, allow access to repositories located under
# /vcs-roots/git
rule git
match $command ~ "^git-(receive|upload)-pack"
match $1 ~ "^/vcs-roots/git/[^ ]+\\.git$"
set command =~ "s|^|/usr/bin/|"
# Trap the rest of Git requests:
rule git-trap
match $command ~ "^git-(receive|upload)-pack"
exit "fatal: access to this repository is denied."
# Sftp-server requests: chroot into the user's home directory, set umask
# 002 and execute bin/sftp-server.
rule sftp
match $program ~ "^.*/sftp-server"
set [0] = "bin/sftp-server"
umask 002
chroot "~"
chdir "/"
|
