View file File name : rush.rc Content :# Sample configuration file for rush, patterned on Debian habits, # and developed by the Debian package maintainer. # # Lines beginning with # and empty lines are ignored. # See `info rush' for a detailed description. # # $Rev: 61 $ # # Assumptions: # # /srv/rush/ is a chrootable directory, e.g. built # by debootstrap. Any user name must be # duplicated here, if allowed to use a # chrooted service, as declared below. # # /srv/rush/srv/svnroot/ are base directories for version control. # /srv/rush/srv/cvsroot/ Depending on type, the subdirectory is # /srv/rush/srv/gitroot/ the actual repository. # # /srv/rush/srv/incoming/{alpha,ftp} are download areas. # # The file README.Debian contains relevant comments on the settings here. # Set verbosity level. debug 1 # # Default settings # rule default acct on limits t10r20 umask 002 env - USER LOGNAME HOME PATH # # Uncomment this to activate the notification subsystem: # (Also install 'rush-notifier' or a similar script.) # #post-socket inet://localhost # fall-through ###################### # File moving services ###################### # Scp requests: only putting, no fetching. # # The server host needs the paths # # /srv/rush/srv/incoming/{alpha,ftp} # # and that they be writable! A specific # group can be assigned to all users # expected to gain access via GNU rush. rule scp-to command ^scp (-v )?-t( --)? /incoming/(alpha|ftp)/? set[0] /usr/bin/scp match[$] ! /\.\. transform[$] s,^/incoming/,, chroot /srv/rush chdir /srv/incoming # A trap rule for outbound scp requests rule scp-from command ^scp (-v )?-f exit Error: Secure copy from this server is not allowed # Sftp-server requests: chroot to the virtual server, change to the user's # home directory, set umask to 002 and execute only # /usr/lib/sftp-server. # # Setting for a chroot directory created using 'debootstrap'. # # Remark: The location '/usr/lib/' is inherited. rule sftp-rush command ^.*/sftp-server uid >= 1000 set[0] /usr/lib/sftp-server umask 002 chroot /srv/rush chdir ~ # The alternative chroot directory, now created using 'mkchroot-rush.pl'. # # Remark: The location '/usr/bin/' is generated. ##rule sftp-rush ## command ^.*/sftp-server ## uid >= 1000 ## set[0] /usr/bin/sftp-server ## umask 002 ## chroot /srv/rush ## chdir ~ # Rsync service: chroot to the virtual server, move to home directory, # and check paths, not to backtrack. # rule rsync-home command ^rsync --server uid >= 1000 set[0] /usr/bin/rsync match[$] ^~/.* match[$] ! \.\. transform[$] s,^~/,./, umask 002 chroot /srv/rush chdir ~ ############## # VCS services ############## # CVS connections # rule cvs command ^cvs server set[0] /usr/bin/cvs env CVSROOT=/srv/cvsroot chroot /srv/rush chdir /srv/cvsroot # Svn server: force full binary path and root directory. # rule svn-rush command ^svnserve -t transform s|-r *[^ ]*||;s|^svnserve |/usr/bin/svnserve -r /srv/rush/srv/svnroot | # Git services: allow only upload and fetch to repositories located under # /srv/gitroot/ rule git-rush command ^git-(receive|upload)-pack match[1] ^/gitroot/[^ ]+\.git/?$ transform[0] s|^|/usr/bin/| transform[1] s,/gitroot,/srv&, chroot /srv/rush chdir / # Trap the rest of Git requests: rule git-trap command ^git-(receive|upload)-pack exit fatal: access to this repository is denied.