<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">Hi,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I gave up using rrsync some years ago
because of</div>
<div class="moz-cite-prefix">a) potential security issues with path
references that can occur within the rsync execution in the call
of rrsync<br>
</div>
<div class="moz-cite-prefix">b) possibly unmatched rsync options
(rrsync must be kept up-to-date to match new options _and_ some
options need to be intentionally removed that may be required)</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">So my solution on this is:<br>
<br>
- a login script (with suid bit in my case)<br>
<br>
</div>
<div class="moz-cite-prefix">- that creates/starts a docker image
that limits path access and maps libs / rsync binary to be
available in a limited environment, e.g. "alpine"<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">DOCKERRSYNC_BASE="/usr/bin/ionice -c 3
$DOCKERBIN run -i --read-only --rm --security-opt
no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro -v
/lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"</div>
<div class="moz-cite-prefix">$DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR
-w $SYNCDIR $DOCKERIMAGE $SSH_ORIGINAL_COMMAND 2>/dev/null<br>
</div>
<div class="moz-cite-prefix"><br>
If anybody sees security problems with this approach please tell
us.<br>
<br>
</div>
<div class="moz-cite-prefix">Best regards<br>
Florian<br>
</div>
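<div class="moz-cite-prefix">A concrete form of such a wrapper, added here as an illustration and not Florian's actual login script: a POSIX sh forced command that allow-lists the characters in SSH_ORIGINAL_COMMAND, accepts only an "rsync --server" invocation whose final path stays inside SYNCDIR (no ".." component), and only then execs the read-only container command line from the message above. The variable defaults (DOCKERBIN=/usr/bin/docker, DOCKERIMAGE=alpine, RSYNC=/usr/bin/rsync, SYNCDIR=/srv/backup) are assumed values so the script runs stand-alone; a real deployment sets them in the login script.</div>

```shell
#!/bin/sh
# Added example (not Florian's script): an authorized_keys forced command
# that validates SSH_ORIGINAL_COMMAND before handing it to rsync inside a
# locked-down container. The defaults below are assumed values for a
# stand-alone run; the login script is expected to set them.
: "${DOCKERBIN:=/usr/bin/docker}"
: "${DOCKERIMAGE:=alpine}"
: "${RSYNC:=/usr/bin/rsync}"
: "${SYNCDIR:=/srv/backup}"

# check_rsync_command CMD
# Returns 0 only for a server-side rsync invocation of the form
# "rsync --server [options] . <path>" whose <path> lies under SYNCDIR.
# Assumes a single trailing path, which is what syncing one directory
# produces. Everything else (other programs, metacharacters, paths
# outside SYNCDIR, ".." tricks) returns 1.
check_rsync_command() {
    cmd=$1

    # Allow-list the character set. Spaces are stripped first so the
    # remaining string must consist only of characters that appear in
    # rsync option strings and plain paths; globbing and quoting
    # characters are therefore excluded before any word splitting happens.
    nospace=$(printf '%s' "$cmd" | tr -d ' ')
    case $nospace in
        *[!A-Za-z0-9_./=,:@+-]*) return 1 ;;
    esac

    # Only rsync's own server invocation is acceptable.
    case $cmd in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # The last word is the path rsync will operate on; it must be SYNCDIR
    # itself or something below it.
    path=${cmd##* }
    case $path in
        "$SYNCDIR"|"$SYNCDIR"/*) ;;
        *) return 1 ;;
    esac

    # Reject any ".." component so the prefix check cannot be escaped.
    case "/$path/" in
        */../*) return 1 ;;
    esac
    return 0
}

# sandbox_command CMD
# Prints the container invocation for an already-validated command:
# read-only root filesystem, no privilege escalation, host rsync binary
# and libraries bind-mounted read-only, and only SYNCDIR writable.
sandbox_command() {
    base="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only --rm"
    base="$base --security-opt no-new-privileges=true"
    base="$base -v $RSYNC:/usr/bin/rsync:ro -v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
    printf '%s' "$base -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE $1"
}

# Entry point when sshd runs this script as a forced command.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # The string is metacharacter-free, so splitting it into words is
        # safe; exec replaces the wrapper with the container process.
        exec $(sandbox_command "$SSH_ORIGINAL_COMMAND") 2>/dev/null
    else
        echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    fi
fi
```

<div class="moz-cite-prefix">The validation runs before anything touches docker, so a rejected command never starts a container. The allow-list approach sidesteps the option-tracking problem Florian mentions for rrsync: new rsync options pass through as long as they are plain option words, while the container and the path check, not an option list, bound what the client can do.</div>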
<br>
<br>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 12.03.22 at 07:36, Bri Hatch via rsync wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAE32uS4SFjTYYOG3GBudSjs1ZU-Fd1S-+S6D_YYbyoSNPcycMg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Mar 11, 2022 at
10:22 PM Kevin Korb via rsync <<a
href="mailto:rsync@lists.samba.org" moz-do-not-send="true"
class="moz-txt-link-freetext">rsync@lists.samba.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Rsync includes a script
named rrsync that handles this perfectly.<br>
</blockquote>
<div><br>
</div>
<div>And authprogs provides similar functionality, though you
use yaml to define what is/isn't allowed. However it does
allow you to use one SSH identity for potentially many
different source dirs rather than requiring a separate
authorized_key entry for each forced command.</div>
<div><br>
</div>
<div>example:</div>
<div><font face="monospace"><br>
</font></div>
<div><font face="monospace">- rule_type: rsync<br>
  allow_download: true<br>
  allow_recursive: true<br>
  paths:<br>
    - /etc<br>
    - /srv/freezeray<br>
  path_startswith:<br>
    - /srv/web<br>
</font></div>
<div><br>
</div>
<div><a
href="https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules</a><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<br>
On 3/12/22 01:08, Richard Hector via rsync wrote:<br>
> On 12/03/22 18:38, Richard Hector via rsync wrote:<br>
>> And I do my backups (using dirvish) as root, using
a key with a forced <br>
>> command.<br>
> <br>
> FWIW, that forced command is here:<br>
> <br>
> <a
href="https://github.com/rwhector/dirvish-forced-command"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/rwhector/dirvish-forced-command</a><br>
> <br>
> It's rather unpolished and undocumented, but comments
very welcome :-)<br>
> <br>
> I've also had an issue due to some server-side-only
arguments to rsync <br>
> being undocumented, which means I can't validate them,
and basically <br>
> have to accept anything ... I'd love to know why this
is or has to be <br>
> the case :-) I didn't get any particularly useful
answers back in <br>
> January 2019 ...<br>
> <br>
> Cheers,<br>
> Richard<br>
> <br>
<br>
-- <br>
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,<br>
Kevin Korb                      Phone:    (407) 252-6853<br>
Systems Administrator           Internet:<br>
FutureQuest, Inc.               <a class="moz-txt-link-abbreviated" href="mailto:Kevin@FutureQuest.net">Kevin@FutureQuest.net</a>  (work)<br>
Orlando, Florida                <a href="mailto:kmk@sanitarium.net" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">kmk@sanitarium.net</a> (personal)<br>
Web page: <a
href="https://sanitarium.net/" rel="noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://sanitarium.net/</a><br>
PGP public key available on web site.<br>
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,<br>
<br>
-- <br>
Please use reply-all for most replies to avoid omitting the
mailing list.<br>
To unsubscribe or change options: <a
href="https://lists.samba.org/mailman/listinfo/rsync"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.samba.org/mailman/listinfo/rsync</a><br>
Before posting, read: <a
href="http://www.catb.org/~esr/faqs/smart-questions.html"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">http://www.catb.org/~esr/faqs/smart-questions.html</a><br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div><span style="font-size:12.8px">Bri Hatch</span><br>
</div>
<div><br>
</div>
<div>"Quite mad, they say. It is good that Zathras does not
mind. He's even grown<br>
to like it. Oh yes."<span style="font-size:12.8px"><br>
</span></div>
</div>
</div>
</div>
<br>
</blockquote>
<br>
</body>
</html>