GNU Rush 1.6

From: Sergey Poznyakoff
Subject: GNU Rush 1.6
Date: Tue, 10 Feb 2009 16:40:19 +0200

I am pleased to announce the release of GNU Rush version 1.6.

GNU Rush is a restricted user shell, designed for sites providing
limited remote access to their resources, such as, for example, It is set as a user login shell for users that are
allowed remote execution of commands on the machine. Using a flexible
configuration file, GNU Rush gives the system administrator complete
control over the command lines that users execute, and allows imposing
limits on the usage of system resources, such as virtual memory, CPU
time, etc. on a per-user basis.

For more information on GNU Rush, visit

See below for a list of user-visible changes.

Here are the compressed sources:   (768KB)

Here are the GPG detached signatures[*]:

Here are the MD5 and SHA1 checksums:

32087472928220d0009fd65670d42741  rush-1.6.tar.gz
de211adabed3eb4b39d111b6bfc86d6b55482d28  rush-1.6.tar.gz

[*] You can use either of the above signature files to verify that
the corresponding file (without the .sig suffix) is intact.  First,
be sure to download both the .sig file and the corresponding tarball.
Then, run a command like this:

  gpg --verify rush-1.6.tar.gz.sig

If that command fails because you don't have the required public key,
then run this command to import it:

  gpg --keyserver --recv-keys 55D0C732

and rerun the `gpg --verify' command.

This release was bootstrapped with the following tools:
  Autoconf 2.61
  Automake 1.10.1
  Gnulib-tool 0.0.1577-5313a

List of user-visible changes follows:

* Patterns in `transform' statement

The syntax of the `transform' statement has been extended to
allow specifying a transformation argument string:

 transform STRING REGEX
 transform[N] STRING REGEX

STRING may contain meta-variables, which are expanded before
performing the transformation. The following meta-variables are

  ${user}             User name
  ${group}            Name of the user's principal group
  ${uid}              UID
  ${gid}              GID
  ${home}             User's home directory
  ${gecos}            User's GECOS field
  ${program}          Program name
  ${command}          Full command line
  $0 to $9            The value of the Nth command line argument
  ${N}                Same as above, useful if N > 9 or N < 0 (see
                      "Negative argument indexes", below).

Thus, for example:

  transform[0] s,.*/,/bin/,

is equivalent to:

  transform[0] $0 s,.*/,/bin/,

* The `map' statement.

This statement sets a command line argument using a map file.


Each line in a map file FILE contains fields, separated by delimiter
DELIM. The `map' statement looks for the record whose Kth field has
the value of KEY. If such a record is found, its Vth field becomes the
new value of the Nth command line argument. Otherwise, if DEFAULT is
given, it is used as the new value. If neither applies, the argument
retains its old value.

KEY may contain meta-variables described above (see "Patterns in
`transform' statement").

* The `set' statement.

The `set' statement replaces the entire command line with the new value:

rule foo
  set /bin/scp -t /upload

In indexed form, it replaces the given argument:

  set[0] /bin/scp

The argument to `set' may contain meta-variables (see "Patterns in
`transform' statement").

* The `delete' statement.

This statement deletes the given argument, or range of arguments, from
the command line. It has two forms:

1. Delete the Nth argument:


2. Delete all arguments between indexes N and M, inclusive:

  delete N M

* Modifying program name

To modify the program name (as opposed to argv[0]), use the ^ pseudo-index, e.g.:

  set[^] /bin/scp

By default (unless the [^] form is used) argv[0] is used as the program name.

* Negative argument indexes

Negative argument indexes refer to arguments numbered from the end of the
command line. E.g.:

  transform[-1]         is the same as transform[$]
  transform[-2]         will transform the last but one argument

* New statement `interactive'

This statement provides a replacement command line for the interactive use
of rush. By default, such use is prohibited. However, using the
`interactive' statement you can allow some users limited interactive
access. For example:

interactive *shell*

rule login
  command \*shell\*
  group rshell
  map[^] /usr/local/etc/ : ${user} 1 2 none
  transform[0] ${program} s,^.*/,-r,

* Use of predefined error messages in `exit' statement.

Predefined error messages can be used in `exit' statements.
E.g., the statement:

  exit @nologin-message

will retrieve the text of the `nologin-message' and send it to the
remote party before exiting.

If the message text must begin with a `@' sign, duplicate it:

  exit @@special error message
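
The lookup rule of the `map' statement described above, modeled in Python as an added example; it is not part of the announcement and is not Rush's own code. The 1-based field numbers, first-match-wins behaviour, whitespace trimming, function names and sample map contents are assumptions.

```python
import re

def expand(template, meta):
    """Expand ${name} meta-variables; unknown names are left untouched."""
    return re.sub(r"\$\{(\w+)\}",
                  lambda m: meta.get(m.group(1), m.group(0)), template)

def map_lookup(map_text, delim, key, kfield, vfield, default=None):
    """Return the Vth field of the first record whose Kth field equals key.

    Field numbers are 1-based (assumption, inferred from the `1 2' in the
    announcement's example). Returns default when no record matches; a
    None result means "keep the old value".
    """
    for line in map_text.splitlines():
        fields = [f.strip() for f in line.split(delim)]  # trimming is an assumption
        if len(fields) < max(kfield, vfield):
            continue  # blank or short record: cannot match
        if fields[kfield - 1] == key:  # exact comparison, never a prefix match
            return fields[vfield - 1]
    return default

def apply_map(argv, index, map_text, delim, key_template, kfield, vfield,
              meta, default=None):
    """Model of the indexed form map[N]: replace argv[index] with the result."""
    value = map_lookup(map_text, delim, expand(key_template, meta),
                       kfield, vfield, default)
    result = list(argv)
    if value is not None:
        result[index] = value  # a negative index counts from the end
    return result

# Constructed map file: user name, then the shell that user may run.
SHELL_MAP = """\
alice:/bin/bash
bob:/bin/rbash

malformed-line-without-delimiter
"""

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, apply_map(["*shell*"], 0, SHELL_MAP, ":", "${user}",
                              1, 2, {"user": user}, default="none"))
```

A user absent from the map gets the DEFAULT value when one is given, so the default is the value to audit first when a map decides what an account may run.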

