Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach

Florian Sager sager at agitos.de
Sat Mar 12 08:45:54 UTC 2022


Hi,

I gave up using rrsync some years ago because of
a) potential security issues with path references that can occur within 
the rsync execution in the call of rrsync
b) possibly unmatched rsync options (rrsync must be kept up-to-date to 
match new options _and_ some options need to be intentionally removed 
that may be required)

So my solution on this is:

- a login script (with suid bit in my case)

- that creates/starts a docker image that limits path access and maps 
libs / rsync binary to be available in a limited environment, e.g. "alpine"

DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only \
--rm --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro \
-v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
$DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE \
$SSH_ORIGINAL_COMMAND 2>/dev/null

If anybody sees security problems with this approach please tell us.

Best regards
Florian



On 12.03.22 at 07:36, Bri Hatch via rsync wrote:
>
>
> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync 
> <rsync at lists.samba.org> wrote:
>
>     Rsync includes a script named rrsync that handles this perfectly.
>
>
> And authprogs provides similar functionality, though you use yaml to 
> define what is/isn't allowed. However it does allow you to use one SSH 
> identity for potentially many different source dirs rather than 
> requiring a separate authorized_key entry for each forced command.
>
> example:
>
>     - rule_type: rsync
>       allow_download: true
>       allow_recursive: true
>       paths:
>         - /etc
>         - /srv/freezeray
>       path_startswith:
>         - /srv/web
>
> https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules
>
>
>
>     On 3/12/22 01:08, Richard Hector via rsync wrote:
>     > On 12/03/22 18:38, Richard Hector via rsync wrote:
>     >> And I do my backups (using dirvish) as root, using a key with a forced
>     >> command.
>     >
>     > FWIW, that forced command is here:
>     >
>     > https://github.com/rwhector/dirvish-forced-command
>     >
>     > It's rather unpolished and undocumented, but comments very welcome :-)
>     >
>     > I've also had an issue due to some server-side-only arguments to rsync
>     > being undocumented, which means I can't validate them, and basically
>     > have to accept anything ... I'd love to know why this is or has to be
>     > the case :-) I didn't get any particularly useful answers back in
>     > January 2019 ...
>     >
>     > Cheers,
>     > Richard
>     >
>
>     -- 
>     ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
>             Kevin Korb                      Phone:    (407) 252-6853
>             Systems Administrator           Internet:
>             FutureQuest, Inc. Kevin at FutureQuest.net  (work)
>             Orlando, Florida kmk at sanitarium.net (personal)
>             Web page: https://sanitarium.net/
>             PGP public key available on web site.
>     ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
>
>
>
> -- 
> Bri Hatch
>
> "Quite mad, they say. It is good that Zathras does not mind. He's even grown
>  to like it. Oh yes."
>
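
A check that a forced-command login script like the one in Florian's message could run on SSH_ORIGINAL_COMMAND before starting the container; it validates only the command shape and the paths, since the server-side options Richard mentions cannot be fully validated. This is an added example, not code from the post or from rsync: check_rsync_command, forced_command, the rsync-forced log tag and the /srv/backup default are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. SYNCDIR's default is a
# constructed sample; DOCKERBIN, DOCKERIMAGE and RSYNC are the post's variables.
LC_ALL=C
SYNCDIR=${SYNCDIR:-/srv/backup}

# Print "ok" and return 0 if $1 has the shape "rsync --server [opts] . path..."
# with every path inside $SYNCDIR; otherwise print a reason and return 1.
# Options are not whitelisted: only the command shape and the paths are checked.
check_rsync_command() {
    set -f; set -- $1; set +f    # split on whitespace only, no globbing
    for w in "$@"; do            # words are re-split later, so keep them plain
        case $w in *[!A-Za-z0-9._/=,:@+-]*) echo bad-characters; return 1 ;; esac
    done
    if [ "${1-}" != rsync ] || [ "${2-}" != --server ]; then
        echo not-rsync-server; return 1
    fi
    shift 2
    while [ $# -gt 0 ] && [ "$1" != . ]; do   # before the "." placeholder: options
        case $1 in -*) shift ;; *) echo bad-option; return 1 ;; esac
    done
    [ $# -ge 2 ] || { echo no-path; return 1; }
    shift
    for p in "$@"; do
        case $p in */../*|*/..) echo dotdot; return 1 ;; esac
        case $p in
            "$SYNCDIR"|"$SYNCDIR"/*) ;;
            *) echo outside-syncdir; return 1 ;;
        esac
    done
    echo ok
}

# Forced-command entry point: log and refuse what fails the check, otherwise
# start the container with the same docker options as the post.
forced_command() {
    reason=$(check_rsync_command "${SSH_ORIGINAL_COMMAND-}") || {
        logger -t rsync-forced "rejected ($reason): ${SSH_ORIGINAL_COMMAND-}"
        return 1
    }
    set -f
    exec /usr/bin/ionice -c 3 "$DOCKERBIN" run -i --read-only --rm \
        --security-opt no-new-privileges=true -v "$RSYNC":/usr/bin/rsync:ro \
        -v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro \
        -v "$SYNCDIR":"$SYNCDIR" -w "$SYNCDIR" "$DOCKERIMAGE" \
        $SSH_ORIGINAL_COMMAND 2>/dev/null
}
```

The string check does not resolve symlinks; confinement to $SYNCDIR still rests on the container mounting only that directory.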