NAME

rush.rc - configuration rules for remote user shell

DESCRIPTION

The file /etc/rush.rc contains a set of rules that the rush(8) shell uses in order to determine whether the user is allowed to execute the requested command and to set up the environment for its execution.

Empty lines are ignored. Lines beginning with a pound sign are comments and are ignored as well.

Except for comments and empty lines, each line of the configuration file consists of the keyword and optional value, and constitutes a statement. Exceedingly long lines may be split across multiple physical lines, by ending each line with a backslash immediately followed by a newline. Statements fall into two major classes: section and regular statements. A section statement serves as a container for one or more regular statements that pursue the same goal, thus playing the role of a chapter in a book. A regular statement modifies a certain aspect of the program's behavior.

The overall file structure is as follows:





rush 2.0
global
  keyword value
  ...
rule A
  keyword value
  ...
  
rule B
  keyword value
  ...

A configuration file must begin with a rush statement indicating the version of the syntax this file uses. Current versions of rush implement syntax version 2.0. In the absence of the initial rush statement, the program will treat the configuration file as written in legacy configuration syntax (see http://www.gnu.org.ua/software/rush/manual/1.x for details).

There are two section statements: global and rule. The global section contains statements configuring the behavior of the program in general. There can be as many global statements in the configuration as you consider necessary, each of them affecting the material up to the next global statement, or end of the file, whichever occurs first.

Examples of statements that can be used in a global section are: debug, which sets the debug verbosity level, message, which configures error messages, etc. See the global section for the full list.

One or more rule statements constitute the core of the configuration. Each rule statement provides a recipe for serving a specific class of input commands. When rush is invoked with a specific command, it will scan the configuration file looking for a rule that matches the requested command line. If such a rule is found, it will be applied. Commands that don't match any rule will be rejected.

A rule statement may be followed by a tag, an arbitrary sequence of non-whitespace characters serving as a label for this rule. This sequence will be used in diagnostic messages to identify this rule. In the absence of user-supplied tag, the default one will be generated, consisting of the # symbol followed by the ordinal number of the rule in the configuration file (started with 1).

To match a particular command, each rule should contain the match statement. Its argument is a conditional expression that can contain comparison and boolean operators. The operands can refer to the command line using shell-like variables: $command to refer to the entire command line, $#, referring to the number of arguments in the command line (the command itself being counted as one of the arguments), $0 meaning the command name, and $1, $2, etc., referring to the particular command line arguments (arguments past the ninth one can be accessed as, e.g. ${10}). For example, the following rule:





rule
  match $command == "ls"

will match only the ls command without arguments.

The ~ (tilde) operator denotes regular expression matching. For example, the following rule matches ls command, optionally preceded with any path prefix:





rule
  match $0 ~ "^(.*/)?ls$"

Match expressions can contain terms of arbitrary complexity. Consider the following example:





rule
  match $0 ~ "^(.*/)?ls$" && $# == 2 \
        && $1 !~ "^(/|/etc)$"

This rule will match any ls command having exactly one argument, unless that argument is / or /etc. Notice the use of the !~ operator to denote the negated regular expression matching, and the use of backslash to split a single expression across two physical lines.

Variables are referenced using the same syntax as in shell. For example, ${1:-/bin} expands to the value of the first parameter, if it is supplied, or to the string "/bin" otherwise. For details. see the section REFERENCE: VARIABLE EXPANSION.

Although important, the match statement is not mandatory in a rule statement. If it is absent, the rule will match any command line. This is normally used in fall-through rules. A fall-through rule applies modifications to the command environment. After applying such rule, the scanning resumes at the rule that follows it. Fall-through rules are marked with the fall-through statement.

set

A rule can modify the command line and environment in which it will be executed. The set statement is provided for altering the command line or its parts. It takes three arguments: the variable name or index, the operator and the value. For example, the statement:





set command = "/bin/sftp-server -u 002"

replaces the entire command line. To replace particular arguments, use the [N] syntax, where N is the index of the argument in the command line. For example, to set the first argument:





set [1] = "/tmp"

The part to the right of the equals sign can contain a transformation, i.e. a string followed by the ~ operand and a s-expression of the form s/regexp/replacement /[flags]. Parenthesized groups in regexp can be referred to in replacement using the backreference construct \N, where N is the 1-based ordinal number of the group. For example, the following statement sets the second argument to the directory part of the first one:





set [2] = "$1" ~ "s/(.*)\\//\\1/"

Two points are worth noticing. First, the left operand of ~ undergoes variable expansion. Secondly, the right-hand side operand is quoted and therefore each backslash in it has to be escaped.

The special operator =~ is used if the resulted value is assigned to the same variable that served as its argument. For example, the two statements below are equivalent:





set [1] =~ "s/(.*)\\//\\1/"
set [1] = "$1" ~ "s/(.*)\\//\\1/"

Parenthesized groups matched by the most recent set statement remain available for use in the statements that follow it in the rule. To refer to the group from the recent matching, use the following construct: %N. For example, the following two statements set the first argument to the directory part, and second argument to the base name of the original $1 value:





set [1] =~ "s/(.*)\\/(.*)/\\1/"
set [2] = %2

The set statement operates not only on positional arguments and built-in variables, but also on arbitrary user-defined variables. A user-defined variable springs into existence when it first appears as a left-hand side argument to the set statement. The name of the variable must follow the usual rules for variable names: it must begin with an alphabetical character or underscore and contain only letters, digits and underscores. References to user-defined variables follow the same syntax as for built-in ones.

The following example uses temporary variable temp to swap two arguments:





set temp = $1
set [1] = $2
set [2] = $temp

unset

Variable definitions can be removed using the unset statement. It takes variable name or positional argument index as its argument:





unset temp

When index is given, the corresponding positional argument is removed and all arguments to the right of it are shifted one position left to occupy the released slot. For example, given the command line





scp -d -v -t /incoming

the statement





unset 1

will reduce it to





scp -v -t /incoming

delete

The delete statement provides a generalization of unset for positional arguments. It takes one or two argument indexes as arguments. When used with one index, it provides the same functionality as unset. When two indices are given, it deletes all arguments between those indices (inclusive). For example, the statement





delete 1 2

will change the command line from the above example to





scp -t /incoming

Using negative indices, one can indicate arguments counting from right to left. Thus, the following will delete all arguments starting from the third:





delete 3 -1

remopt

Whereas delete and unset remove arguments at given positions, the remopt statement allows you to remove specific command line options from the command line. This is useful to ensure no potentially harmful options can be passed by the user. The statement takes one or two arguments. First argument supplies the short option letter. For example, the following removes all occurrences of the -A option:





remopt A

If there is a long-option equivalent, it can be supplied as the second argument. For example, if --all is an alias for -A, the above statement would be rewritten as:





remopt A all

Notice, that the initial dash or double-dash is omitted from both the short and long option designation.

When looking for long option in the command line, remopt will recognize its possible abbreviations. In the example above, eventual occurrences of --al will be removed as well.

If the option takes an argument, follow the first argument by a colon. For example, to remove occurrences of the options -r along with its arguments write





remopt r:

The long option equivalent can be specified as well, e.g.:





remopt r: root

This will recognize all possible ways of option usage in the command line, such as: -r ARG, -rARG, --root=ARG, or --root ARG. -afr ARG In each case, both the option and its argument will be removed, so that the modified command line will remain valid. Short option appearing in a cluster will be recognized, .e.g -afr ARG will be replaced by -af. Finally, if the option takes an optional argument, follow its short letter by two colons, as in:





remopt r:: root

insert

Arguments can also be inserted at arbitrary positions. The insert statement is provided for this purpose. Its syntax is similar to set:





insert [N] = value

and





insert [N] = value ~ s/regex/replace/

where N is the position where to insert the new argument. All arguments starting from Nth will be shifted one position to the right, and the value will be stored in the Nth slot. In the second form, the value to be inserted is computed by applying the replacement expression to value.

REFERENCE: LEXICAL STRUCTURE

A statement consists of a keyword and arguments, separated by any amount of whitespace. Arguments can be one of the following:

Identifiers

Identifiers begin with a letter and consist of letters, digits, underscores and dashes. They serve as keywords and variable names.

Decimal numbers

A sequence of decimal digits, optionally preceded by a minus or plus sign.

Unquoted strings

An unquoted string is any contiguous sequence of any characters, except newlines, whitespace and the following special characters: \, ", !, =, <, >, (, ), {, }, [, ], $, %, &, |, ~, #.

Quoted strings

A quoted string is a sequence of characters enclosed in double-quotes. Quoted strings are subject to backslash interpretation, backreference interpretation and variable expansion.

During backslash interpretation, the escape sequences are recognized and replaced as per table below:

	Sequence	Replaced with
	\a	Audible bell character (ASCII 7)
	\b	Backspace character (ASCII 8)
	\f	Form-feed character (ASCII 12)
	\n	Newline character (ASCII 10)
	\r	Carriage return character (ASCII 13)
	\t	Horizontal tabulation character (ASCII 9)
	\v	Vertical tabulation character (ASCII 11)
	\\	A single backslash
	\"	A double-quote.
	\%	Percent sign

In addition, the sequence \newline is removed from the string. This allows to split long strings over several physical lines.

During the backreference interpretation, references to parenthesized groups in regular expression are replaced with the actual content of the corresponding group in the most recently matched string. A reference is %{N} where N is a decimal number. If N is one digit, curly braces can be omitted: %N If the % character resulted from previous backslash interpretation, no backreference interpretation occurs.

Strings used in the left-hand side of a comparison expression are subject to variable expansion. This is discussed later.

Backreferences

The construct %{N} is replaced with the substring that matched the Nth parenthesized subgroup in a most recently performed regular expression match. If N is one digit, curly braces can be omitted.

Variable references

Variable references consist of a $ sign, followed by the positional argument number or variable name, optionally enclosed in curly braces. Positional arguments greater than 9 must be enclosed in curly braces. The variable name must follow the rules for valid identifiers: it must begin with a letter and consist of letters, digits and underscores. Variable name in curly braces can be followed by -, =, ?, or +, optionally preceded by : as summarized in the table below:

	Reference	Meaning
	${VAR:-WORD}	Use Default Values
	${VAR:=WORD}	Assign Default Values
	${VAR:?WORD}	Display Error if Null or Unset
	${VAR:+WORD}	Use Alternate Value

where WORD stands for any valid token as described in this section. See the section REFERENCE: VARIABLE EXPANSION, for a detailed discussion of these forms and their meaning.

Comparison and boolean operators

	&&	Boolean AND
	||	Boolean OR
	!	Boolean negation
	==	Equality (string or numeric)
	!=	Inequality (string or numeric)
	<	Less than
	<=	Less than or equal to
	>	Greater than
	>=	Greater than or equal to
	~	Regexp matching
	!~	Negated regexp matching
	in	Membership in set of strings
	group	Membership in UNIX group
	=	Assignment
	=~	Regular expression substitution

REFERENCE: VARIABLE EXPANSION

Most statements in the configuration file undergo variable expansion prior to their use. During variable expansion, references to variables in the string are replaced with their actual values. A variable reference has two basic forms:





$V
${V}

where V is either the name of the variable (request, environment, or user-defined), or the index of the positional variable. The notation in curly braces serves several purposes. First, it is obligatory if V is an index of the positional variable that is negative or greater than 9. Secondly, it should be used if the variable reference is immediately followed by an alphanumeric symbol, which will otherwise be considered part of it (as in ${home}dir). Finally, this form allows for specifying the action to take if the variable is undefined or expands to an empty value.

The following special forms are recognized:

${VARIABLE:-WORD}: Use Default Values. If VARIABLE is unset or null, the expansion of WORD is substituted. Otherwise, the value of VARIABLE is substituted.
${VARIABLE:=WORD}: Assign Default Values. If VARIABLE is unset or null, the expansion of WORD is assigned to the variable. The value of VARIABLE is then substituted.
${VARIABLE:?WORD}: Display Error if Null or Unset. If VARIABLE is null or unset, the expansion of WORD (or a message to that effect if WORD is not present) is output to the current logging channel. Otherwise, the value of VARIABLE is substituted.
${VARIABLE:+WORD}: Use Alternate Value. If VARIABLE is null or unset, nothing is substituted, otherwise the expansion of WORD is substituted.

REFERENCE: STATEMENTS

There are three global statements, two of which can contain multiple substatements:

rush 2.0: Declares the version of the syntax this configuration file is written in. This must be the first statement in the configuration file. If this statement is missing, the configuration file will be treated as legacy configuration file from previous versions of GNU rush. For the discussion of the legacy configuration file, please refer to http://www.gnu.org.ua/software/rush/manual/1.x.
global: Defines global settings.
rule [TAG]: Contains a set of rules for a certain class of input command lines.

global

Introduces global settings. This statement is followed by one or more substatements. Global settings end at the nearest rule statement that follows. They remain in effect until the next global statement is encountered which alters them.

The following statements may appear in this section.

expand-undefined BOOL

Controls how undefined variables are expanded. If BOOL is true, references to undefined variables are replaced with empty values. If it is false (the default), an error message is issued and program terminates.

Any of the following values can be used as a synonym for true: yes, on, t, 1.

The following values can be used as synonyms for false: no, off, nil, 0.

debug NUM

Set debugging level. The bigger NUM is, the more verbose is the logging. The debugging information is reported via syslog at facility authpriv, priority debug.

sleep-time NUM

Set the time in seconds to sleep before exiting on error. This statement is intended as a measure against brute-force attacks. Default sleep time is 5 seconds.

message CLASS TEXT

Define a textual message which is returned to the remote party if an error of the given CLASS occurs. Valid classes are:

usage-error: This error is reported when rush has been invoked improperly. The default text is:
"You are not permitted to execute this command."
nologin-error: A message which is returned if there is no such user name in the password database. Defaults to:
"You are not permitted to execute this command."
config-error: Define a textual message which is returned if the configuration file contained errors. Default is:
"Local configuration error occurred."
system-error: Define a textual message which is returned if a system error occurs. Default is:
"A system error occurred while attempting to execute command."

regexp FLAG [FLAG...]: Configure the type of regular expressions to be used by subsequent match, set, and insert statements. Each FLAG is a word specifying a regular expression feature. It can be preceded by a plus sing to enable this feature (this is the default), or by the minus sign to disable it. Valid flags are:

extended: Use POSIX Extended Regular Expression syntax when interpreting regex. This is the default.
basic: Use basic regular expressions. Equivalent to -extended.
icase or ignore-case: Do not differentiate case. Subsequent regex matches will be case insensitive.

include-security FLAG [FLAG...]: Configure the security checks for include files. Valid flags are:

all: Enable all checks.
owner: The file must be owned by root.
iwgrp or groupwritablefile: Forbid group writable files.
iwoth or worldwritablefile: Forbid world writable files.
dir_iwgrp or groupwritabledir: Forbid files that reside in group writable directories.
dir_iwoth or worldwritabledir: Forbid files that reside in world writable directories.
link: Forbid symbolic links to files residing in group or world writable directories.

Each of the above keywords can be prefixed by no, which reverses its meaning. The special keyword none disables all checks.

acct-umask MASK: Set umask used when accessing accounting database files. Default value is 022.
acct-dir-mode MODE: Set mode bits for the accounting directory. The argument is the mode in octal.
acct-file-mode MODE: Set mode bits for the wtmp and utmp files.

rule

Defines a rule. This is a block statement, which means that all statements located between it and the next rule statement (or end of file, whichever occurs first) modify the definition of that rule.

The syntax is:





rule TAG

Optional TAG argument supplies the identifier for that rule. It is used in diagnostic messages. If tag is missing, rush will supply a default one, which is constructed by concatenating the # character and the ordinal number of rule in the configuration file, in decimal notation. Rule numbering starts from 1.

A rule can contain the following statements:

match EXPR

Defines conditions that decide whether the rule matches the particular request. The EXPR argument is a comparison expression. It can be a simple comparison expression or a boolean expression involving several other expressions.

A simple expression is either a comparison or a membership test. A comparison has the general syntax





lhs op rhs

where lhs and rhs are operands and op is the operation. The lhs is either a string (quoted or unquoted), or a variable reference. The rhs is a string or number. Prior to evaluating simple expression, its LHS undergoes variable expansion. In contrast, the RHS operand is always treated verbatim.

The comparison operator OP is one of the following:

	==	Equality (string or numeric)
	!=	Inequality (string or numeric)
	<	Less than
	<=	Less than or equal to
	>	Greater than
	>=	Greater than or equal to
	~	Regexp matching
	!~	Negated regexp matching

Two membership tests are available. The in test has the form





LHS in ( STRING ... )

and evaluates to true if LHS matches one of the strings in parentheses. LHS undergoes variable expansion and backreference interpretation prior to comparison.

The group test has the following syntax:





group GRP

It returns true if the requesting user is a member of the group GRP. Several groups can be given in parentheses:





group (GRP ...)

in which case the test return true if the user is a member of at least one of the mentioned groups.

Compound boolean expression combine one or more expressions using logical operators

	&&	Boolean AND
	||	Boolean OR
	!	Boolean negation

set NAME = VALUE

Sets the variable NAME to VALUE, which undergoes backreference interpretation and variable expansion.

set [N] = VALUE

Sets the command line argument N to VALUE

set NAME = VALUE ~ S-EXPR

Applies the sed(1)-like search-and-replace expression S-EXPR to VALUE and assigns the result to the variable NAME. Both VALUE and S-EXPR are subject to variable expansion and backreference interpretation.

set [N] = VALUE ~ S-EXPR

Similar to the above, but assigns the result to the Nth command line argument.

set NAME =~ S-EXPR

This is a shortcut for





set NAME = $NAME ~ S-EXPR

i.e. it applies the search-and-replace expression S-EXPR to the current value of the variable NAME and stores the resulting string as its new value.

set [N] =~ S-EXPR

A shortcut for





set [N] = $N ~ S-EXPR

The S-EXPR, is a sed replace expression of the form:





s/REGEXP/REPLACE/[FLAGS]

where REGEXP is a regular expression, REPLACE is a replacement for each part of the input that matches REGEXP and optional FLAGS are flag letters that control the substitution. Both REGEXP and REPLACE are described in sed(1).

As in sed, you can give several replace expressions, separated by semicolons.

The supported FLAGS are:

g: Apply the replacement to all matches to the REGEXP, not just the first.
i: Use case-insensitive matching.
x: REGEXP is an extended regular expression.
NUMBER: Only replace the NUMBERth match of the REGEXP.

Notice, that the POSIX standard does not specify what should happen when you mix the g and NUMBER modifiers. Rush follows the GNU sed implementation in this regard, so the interaction is defined to be: ignore matches before the NUMBERth, and then match and replace all matches from the NUMBERth on.

Also notice, that usually S-EXPR is a quoted string, and as such it is subject to backslash interpretation. It is therefore important to properly escape backslashes, especially in the REPLACE part. E.g.





set bindir = $program ~ "s/(.*)\\//\\1/"

insert [N] = VALUE

Shift command line arguments starting from the Nth one position to the right and store VALUE in the Nth slot. VALUE is subject to variable expansion and backreference interpretation.

insert [N] = VALUE ~ S-EXPR

Shift command line arguments starting from the Nth one position to the right, apply S-EXPR to VALUE and store the result in the Nth slot. Both S-EXPR and VALUE are subject to variable expansion and backreference interpretation.

unset NAME

Unset the variable NAME.

unset N

Unset the positional argument N (an integer number greater than 0), shifting the remaining arguments one position left. This is the same as delete N.

remopt SOPT

Remove from the command line all occurrences of the short option described by SOPT. The SOPT argument is the short option letter, optionally followed by a colon if that option takes a mandatory argument, or by two colons if it takes an optional argument.

remopt SOPT LOPT

Same as the above. LOPT supplies the long option equivalent for the short option described by SOPT.

delete N

Delete Nth argument.

delete I J

Delete arguments between I and J, inclusive.

map NAME FILE DELIM KEY KN VN

This statement uses file lookup to find a new value for the variable NAME. The FILE argument supplies the name of the map file. It must begin with / or ~/. Before use, the file permissions and ownership are checked using the criteria supplied in the include-security statement (see the global section).

The map file consists of records, separated by newline characters. Each record, in turn, consists of fields, separated by characters listed in the DELIM argument. If it contains a space character, then fields may be delimited by any amount of whitespace characters (spaces and/or tabulations). Otherwise, exactly one character delimits fields. Fields within a record are numbered starting from 1.

The map action operates as follows. First, variable expansion and backreference interpretation is performed on the KEY argument. The result will be used as actual lookup key. Then, FILE is scanned for a record whose KNth field matches the lookup key. If such a record is found, the value of its VNth field is assigned to the variable. Otherwise, if DEFAULT is supplied, it is assigned to the variable. Otherwise, the variable remains unchanged.

map [N] FILE DELIM KEY KN VN DEFAULT

Same as above, but the result of the lookup is assigned to Nth argument.

The following statements modify command execution environment:

clrenv

Clear the environment.

keepenv NAME ...

Retain the listed variables. This statement should be used in conjunction with clrenv.

Argument is a whitespace delimited list of variables to retain. Each element in the list can be either a variable name, or a shell-style globbing pattern, in which case all variables matching that pattern will be retained, or a variable name followed by an equals sign and a value, in which case it will be retained only if its actual value equals the supplied one. For example, to retain only variables with names beginning with 'LC_':





keepenv "LC_*"

setenv NAME = VALUE

Set the environment variable NAME. The VALUE argument is subject to variable expansion and backreference interpretation.

For example, to modify the 'PATH' value:





setenv PATH = "$PATH:/opt/bin"

unsetenv NAME ...

Unset environment variables. See keepenv for a discussion of arguments.

evalenv STRING

Performs backslash interpretation, backreference interpretation and variable expansion on STRING and discards the result. This statement is similar to the shell's "colon" statement.

The following statements are system actions. They provide interface to the operating system.

umask MASK: Set the umask. The MASK must be an octal value not greater than 0777. The default umask is 022.
newgrp GROUP-ID: Change the current group ID to GROUP-ID, which is either a numeric value or a name of an existing group.
newgroup GROUP-ID: Alias to the above.
chroot DIR: Change the root directory to DIR. The argument is subject to tilde and variable expansions and backreference interpretation. During tilde expansion, a tilde at the start of string is replaced with the absolute pathname of the user's home directory.
chdir DIR: Change to the directory DIR. The argument is subject to tilde and variable expansions and backreference interpretation. If both chdir and chroot are specified, chroot is applied first.
limits RES: Impose limits on system resources, as defined by RES. The argument consists of commands, optionally separated by any amount of whitespace. A command is a single command letter followed by a number, that specifies the limit. The command letters are case-insensitive and coincide with those used by the shell ulimit utility:

A: max address space (KB)
C: max core file size (KB)
D: max data size (KB)
F: maximum file size (KB)
M: max locked-in-memory address space (KB)
N: max number of open files
R: max resident set size (KB)
S: max stack size (KB)
T: max CPU time (MIN)
U: max number of processes
L: max number of logins for this user (see below)
P: process priority -20..20 (negative = high priority)

If some limit cannot be set, execution of the rule aborts. In particular, the L limit can be regarded as a condition, rather than an action. Setting limit L5 succeeds only if no more than 5 rush instances are simultaneously running for the same user. This can be used to limit the number of simultaneously open sessions.

The use of L resource automatically enables forked mode. See the subsection Accounting and forked mode for details.

fall-through or fallthrough: Declare a fall-through rule. After evaluating such a rule, rush continues rule matching process from the next rule in the configuration. Any modifications to the request found in the fall-through rule take effect immediately, which means that subsequent rules will see modified command line and environment. Execution of any other actions found in the fall-through rule is delayed until a matching rule is found.
Fall-through rules are often used to set default values for subsequent rules.

Accounting and forked mode

GNU rush is able to operate in two modes, which we call default and forked. When operating in the default mode, the process image of rush itself is overwritten by the command being executed. Thus, when it comes to launching the requested command, the running instance of rush ceases to exist.

There is also another operation mode, which we call forked mode. When running in this mode, rush executes the requested command in a subprocess, and remains in memory supervising its execution. Once the command terminates, rush exits.

One advantage of the forked mode is that it allows you to keep accounting, i.e. to note who is doing what and to keep a history of invocations. The accounting, in turn, can be used to limit simultaneous executions of commands, as requested by the L command to limit statement (see above).

acct BOOL: Turn accounting mode on or off, depending on BOOL. The argument can be one of the following: yes, on, t, true, or 1, to enable accounting, and no, off, nil, false, 0, to disable it.
fork BOOL: Enable or disable forked mode. See acct for a description of BOOL. Enabling accounting turns the fork mode as well. This statement is mainly designed as a way of disabling the forked mode for a given rule.

Post-process notification

Rush can be configured to send a notification over INET or UNIX sockets, after completing user request. It is done using the following statement:

post-socket URL: Notify URL about completing the user request. This statement implies forked mode.

Allowed formats for URL are:

inet://HOSTNAME[:PORT]: Connect to remote host HOSTNAME using TCP/IP. HOSTNAME is the host name or IP address of the remote machine. Optional PORT specifies the port number to connect to. It can be either a decimal port number or a service name from /etc/services. If PORT is absent, tcpmux (port 1) is assumed.
unix://FILENAME or local://FILENAME: Connect to a UNIX socket FILENAME.

The notification protocol is based on TCPMUX (RFC 1078). After establishing connection, rush sends the rule tag followed by a CRLF pair. The rule tag acts as a service name. The remote party replies with a single character indicating positive (+) or negative (-) acknowledgment, optionally followed by a message of explanation, and terminated with a CRLF.

If positive acknowledgment is received, rush sends a single line, consisting of the user name and the executed command line, separated by a single space character. The line is terminated with a CRLF.

After sending this line, rush closes the connection.

The post-process notification feature can be used to schedule execution of some actions after certain rules.

Exit rule

exit FD TEXT

Write textual message TEXT to file descriptor FD.

exit TEXT

Write textual message TEXT to standard error. Similar to





exit 2 TEXT

In both cases the TEXT argument can be either a quoted string, or an identifier.

If it is a quoted string, it is subject to backreference interpretation and variable expansion.

If TEXT is an identifier, it must be the name of a predefined error message (see the list in the discussion of the message statement in global section, above).

Interactive access

Sometimes it may be necessary to allow some group of users limited access to interactive shells. GNU rush contains provisions for such usage. When it is invoked without '-c' it assumes interactive usage. In this case only rules explicitly marked as interactive are considered, the rest of rules is ignored.

interactive BOOL: If BOOL is true (see the acct statement above for allowed values), this statement marks the rule it appears in as interactive. This rule will match only if rush is invoked without command line arguments.

Unless command line transformations are applied, interactive rule finishes by executing /bin/sh. The first word in the command line (argv[0]) is normally set to the base name of the command being executed prefixed by a minus character.

An example





rule login
  interactive true
  group rshell
  map program /etc/rush.shell : ${user} 1 2
  set [0] = ${program} ~ "s|^.*/||;s,^,-r,"
rule nologin
  interactive true
  exit You don't have interactive access to this machine.

The login rule will match interactive user requests if the user is a member of the group rshell. It looks up the shell to use for this in the file /etc/rush.shell. This map file consists of two fields, separated by a colon. If the shell is found, its base name, prefixed with -r, will be used as argv[0] (this indicates a restricted login shell). Otherwise, the trap rule nologin will be matched, which will output the given diagnostics message and terminate rush.

Localization

The following statement allow you to provide translations (localizations) for the messages in your rush configuration:

locale NAME: Set the locale name. To specify empty locale, use "" as NAME (recall that empty locale name means to use the value of the environment variable 'LC_ALL' as locale name).
locale-dir NAME: Set the name of the locale directory.
text-domain NAME: Set the textual domain name.

An example:





rule l10n
  locale "pl_PL"
  text-domain "rush-config"
  fall-through

include

The include statement forces inclusion of the named file in that file location:

include FILE

The statement is evaluated when parsing the configuration file, which means that FILE undergoes only tilde expansion: the two characters ~/ appearing at the beginning of file name are replaced with the full path name of the current user's home directory.

If FILE is a directory, that directory is searched for a file whose name coincides with the current user name. If such a file is found, it is included.

In any case, if the named file does not exist, no error is reported, and parsing of the configuration file continues.

Before including the file rush checks if it is secure, using the criteria set in the include-security statement. See its description in the global section, above.

The include statement can be used only within a rule. The included file may not contain rule and global statements.

AUTHORS

Sergey Poznyakoff

BUG REPORTS

Report bugs to <bug-rush@gnu.org.ua>.

COPYRIGHT

Copyright © 2016-2019 Sergey Poznyakoff
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.