# Sample configuration file for rush, patterned on Debian habits,
# and developed by the Debian package maintainer.
#
# Lines beginning with # and empty lines are ignored.
# See `info rush' for a detailed description.
#
# $Rev: 61 $
#
# Assumptions:
#
#    /srv/rush/                 is a chrootable directory, e.g. built
#                               by debootstrap. Any user name must be
#                               duplicated here, if allowed to use a
#                               chrooted service, as declared below.
#
#    /srv/rush/srv/svnroot/     are base directories for version control.
#    /srv/rush/srv/cvsroot/     Depending on type, the subdirectory is
#    /srv/rush/srv/gitroot/     the actual repository.
#
#    /srv/rush/srv/incoming/{alpha,ftp}   are download areas.
#
# The file README.Debian contains relevant comments on the settings here.

# Set verbosity level.
# NOTE(review): level 1 presumably logs each request together with the rule
# chosen to handle it, which is the minimum needed to audit access; confirm
# the level semantics in `info rush' before lowering it to 0.

debug 1

#
# Default settings
#

# Baseline for every request: this rule has no match condition and ends in
# fall-through, so its settings are in effect for whichever rule matches next.
rule default
  # Turn on session accounting.
  acct on
  # Resource limits for the executed command.
  # NOTE(review): presumably t = CPU time and r = resident set size; confirm
  # the letters and their units in `info rush'.
  limits t10r20
  # New files are group-writable but not world-writable.
  umask 002
  # Start from an empty environment and keep only these four variables, so
  # nothing else set by the client side reaches the executed command.
  env - USER LOGNAME HOME PATH
  #
  # Uncomment this to activate the notification subsystem:
  # (Also install 'rush-notifier' or a similar script.)
  #
  #post-socket inet://localhost
  #
  # Continue with the rules below instead of executing anything here.
  fall-through

######################
# File moving services
######################

# Scp requests: only putting, no fetching.
#
# The server host needs the paths
#
#   /srv/rush/srv/incoming/{alpha,ftp}
#
# and that they be writable! A specific
# group can be assigned to all users
# expected to gain access via GNU rush.

# Upload-only scp (sink mode, -t) into the two incoming areas.
rule scp-to
  # Accepts "scp -t", optionally with -v and "--", followed by a path that
  # starts with /incoming/alpha or /incoming/ftp. The pattern has no end
  # anchor, so (alpha|ftp) is only a prefix test on the directory name and
  # further words may follow it.
  command ^scp (-v )?-t( --)? /incoming/(alpha|ftp)/?
  # Run this binary regardless of what the client named as word 0.
  set[0] /usr/bin/scp
  # The rule does not match when the last word contains "/..". Only the last
  # word is checked here and rewritten below.
  match[$] ! /\.\.
  # Make the last word relative by dropping the leading "/incoming/".
  transform[$] s,^/incoming/,,
  # NOTE(review): chdir is presumably applied after chroot, which makes the
  # working directory /srv/rush/srv/incoming on the host, as listed in the
  # file header - confirm against `info rush'.
  chroot /srv/rush
  chdir /srv/incoming

# A trap rule for outbound scp requests

# Explicit refusal for scp source mode (-f), i.e. downloads from this server.
# The client sees the message below instead of a generic failure.
# NOTE(review): an "scp -t" request that rule scp-to did not accept is not
# matched here either; it is presumably refused because no rule matches -
# confirm that this is the configured behaviour.
rule scp-from
  command ^scp (-v )?-f
  exit Error: Secure copy from this server is not allowed

# Sftp-server requests: chroot to the virtual server, change to the user's
#                       home directory, set umask to 002 and execute only
#                       /usr/lib/sftp-server.
#
# Setting for a chroot directory created using 'debootstrap'.
#
# Remark: The location '/usr/lib/' is inherited.

# Sftp subsystem, confined to the chroot and started in the user's home.
rule sftp-rush
  # Matches any command line that contains "/sftp-server"; the pattern is not
  # anchored at the end, so trailing arguments are accepted and passed on.
  command ^.*/sftp-server
  # Only accounts with uid 1000 or higher may use this rule.
  uid >= 1000
  # Word 0 is replaced, so the path the client asked for is never executed.
  # The path is looked up inside the chroot set below.
  set[0] /usr/lib/sftp-server
  umask 002
  chroot /srv/rush
  # The home directory has to exist inside the chroot (see the file header on
  # duplicating users under /srv/rush/).
  chdir ~

# The alternative chroot directory, now created using 'mkchroot-rush.pl'.
#
# Remark: The location '/usr/bin/' is generated.

##rule sftp-rush
##  command ^.*/sftp-server
##  uid >= 1000
##  set[0] /usr/bin/sftp-server
##  umask 002
##  chroot /srv/rush
##  chdir ~

# Rsync service: chroot to the virtual server, move to home directory,
#                and check paths, not to backtrack.
#

# Rsync server mode, confined to the chroot and to paths under the home
# directory.
# NOTE(review): the two match[$] conditions look at the last word only.
# Options and any other path words in the request are passed to rsync
# unexamined, and the rule does not distinguish sending from receiving (the
# scp rules above do). The chroot is therefore the effective boundary here;
# confirm that this is the intended policy.
rule rsync-home
  command ^rsync --server
  # Only accounts with uid 1000 or higher may use this rule.
  uid >= 1000
  # Run this binary regardless of what the client named as word 0.
  set[0] /usr/bin/rsync
  # The last word must start with "~/" ...
  match[$] ^~/.*
  # ... and must not contain ".." anywhere.
  match[$] ! \.\.
  # Rewrite "~/" to "./": the path becomes relative to the home directory
  # entered by chdir below.
  transform[$] s,^~/,./,
  umask 002
  chroot /srv/rush
  chdir ~

##############
# VCS services
##############

# CVS connections
#

# CVS server mode inside the chroot. There is no uid condition on this rule,
# so it applies to every account that reaches rush.
rule cvs
  # Not anchored at the end: anything after "cvs server" is accepted.
  command ^cvs server
  # Run this binary regardless of what the client named as word 0.
  set[0] /usr/bin/cvs
  # NOTE(review): presumably added on top of the environment left by rule
  # default (USER LOGNAME HOME PATH) - confirm.
  env CVSROOT=/srv/cvsroot
  chroot /srv/rush
  # Path as seen inside the chroot; the header lists it on the host as
  # /srv/rush/srv/cvsroot/.
  chdir /srv/cvsroot

# Svn server: force full binary path and root directory.
#

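# Svn over ssh (tunnel mode). Unlike the other services in this file, this
# rule has no chroot statement: svnserve runs on the host and the forced
# "-r /srv/rush/srv/svnroot" is the only thing confining it to the
# repository tree.
# NOTE(review): client-supplied options other than -r are passed through
# unchanged. Consider replacing the whole command line with a fixed one
# rather than editing what the client sent.
rule svn-rush
  command ^svnserve -t
  # First expression: delete every client-supplied "-r <dir>". The g flag
  # matters: without it only the first occurrence is removed and a later one
  # would remain on the command line after the forced root.
  # Second expression: force the full binary path and the repository root.
  transform s|-r *[^ ]*||g;s|^svnserve |/usr/bin/svnserve -r /srv/rush/srv/svnroot |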

# Git services: allow only upload and fetch to repositories located under
#               /srv/gitroot/

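# Git push (receive-pack) and fetch (upload-pack) for repositories under
# /gitroot/. Requests that fail the match[1] conditions are picked up by rule
# git-trap below, which has the same command pattern.
rule git-rush
  command ^git-(receive|upload)-pack
  # Word 1 must be a path under /gitroot/ that ends in ".git" (optionally
  # followed by a slash).
  match[1] ^/gitroot/[^ ]+\.git/?$
  # [^ ]+ above also accepts "/../" components, which would let the path
  # leave /gitroot/. Reject them, as the scp and rsync rules do for "..".
  match[1] ! /\.\./
  # Prefix the program name with /usr/bin/ so the binary is not found via
  # PATH.
  transform[0] s|^|/usr/bin/|
  # /gitroot/... becomes /srv/gitroot/..., resolved inside the chroot.
  transform[1] s,/gitroot,/srv&,
  chroot /srv/rush
  chdir /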

# Trap the rest of Git requests:

# Same command pattern as rule git-rush. This rule is reached only when
# git-rush did not match, i.e. its repository path condition failed
# (assuming rules are tried in file order - confirm). The client gets a
# git-style error message.
rule git-trap
  command ^git-(receive|upload)-pack
  exit fatal: access to this repository is denied.