[SCM] The rsync repository. - branch master updated

Rsync CVS commit messages rsync-cvs at lists.samba.org
Sat Jun 15 17:42:16 MDT 2013


The branch, master has been updated
       via  70d4a94 Support rsync daemon over SSL via stunnel.
      from  0488a14 Fix "make check".



- Log -----------------------------------------------------------------
commit 70d4a945f7d1ab1aca2c3ca8535240fad4bdf06b
Author: Wayne Davison <wayned at samba.org>
Date:   Sat Jun 15 14:40:52 2013 -0700

    Support rsync daemon over SSL via stunnel.
    
    Added the client rsync-ssl script and various client/daemon support
    files needed for talking to an rsync daemon over SSL on port 874 (no
    tls support).  This uses an elegant stunnel setup that was detailed
    by dozzie (see the resources page) now that stunnel4 has improved
    command-spawning support.  Also incorporates some tweaks by devzero
    (e.g. the nice no-tmpfile-config client-side code) and a few by me
    (including logging of the actual remote IP that came in to the
    stunnel process).  This probably still needs a little work.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore               |    3 ++
 Makefile.in              |   36 ++++++++++++++++++++++++++++---
 clientname.c             |   12 ++++++----
 configure.ac             |    4 +++
 packaging/lsb/rsync.spec |   38 +++++++++++++++++++++++++++------
 rsync-ssl.in             |   12 ++++++++++
 stunnel-rsync.in         |   52 ++++++++++++++++++++++++++++++++++++++++++++++
 stunnel-rsyncd.conf.in   |   30 ++++++++++++++++++++++++++
 8 files changed, 171 insertions(+), 16 deletions(-)
 create mode 100755 rsync-ssl.in
 create mode 100755 stunnel-rsync.in
 create mode 100644 stunnel-rsyncd.conf.in


Changeset truncated at 500 lines:

diff --git a/.gitignore b/.gitignore
index 3e3bc5e..948d3f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,9 @@ config.status
 /getgroups
 /gmon.out
 /rsync
+/rsync-ssl
+/stunnel-rsync
+/stunnel-rsyncd.conf
 /shconfig
 /testdir
 /tests-dont-exist
diff --git a/Makefile.in b/Makefile.in
index dd0618b..2cb50bc 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,6 +4,7 @@
 prefix=@prefix@
 datarootdir=@datarootdir@
 exec_prefix=@exec_prefix@
+stunnel4=@STUNNEL4@
 bindir=@bindir@
 mandir=@mandir@
 
@@ -18,6 +19,7 @@ INSTALLCMD=@INSTALL@
 INSTALLMAN=@INSTALL@
 
 srcdir=@srcdir@
+MKDIR_P=@MKDIR_P@
 VPATH=$(srcdir)
 SHELL=/bin/sh
 
@@ -60,16 +62,30 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.
 	$(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
 @OBJ_RESTORE@
 
-all: Makefile rsync$(EXEEXT) @MAKE_MAN@
+all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsync stunnel-rsyncd.conf @MAKE_MAN@
 
 install: all
-	-mkdir -p ${DESTDIR}${bindir}
+	-${MKDIR_P} ${DESTDIR}${bindir}
 	${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync$(EXEEXT) ${DESTDIR}${bindir}
-	-mkdir -p ${DESTDIR}${mandir}/man1
-	-mkdir -p ${DESTDIR}${mandir}/man5
+	-${MKDIR_P} ${DESTDIR}${mandir}/man1
+	-${MKDIR_P} ${DESTDIR}${mandir}/man5
 	if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
 	if test -f rsyncd.conf.5; then ${INSTALLMAN} -m 644 rsyncd.conf.5 ${DESTDIR}${mandir}/man5; fi
 
+install-ssl-client: rsync-ssl stunnel-rsync
+	-${MKDIR_P} ${DESTDIR}${bindir}
+	${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync-ssl ${DESTDIR}${bindir}
+	${INSTALLCMD} ${INSTALL_STRIP} -m 755 stunnel-rsync ${DESTDIR}${bindir}
+
+install-ssl-daemon: stunnel-rsyncd.conf
+	-${MKDIR_P} ${DESTDIR}/etc/stunnel
+	${INSTALLCMD} ${INSTALL_STRIP} -m 644 stunnel-rsyncd.conf ${DESTDIR}/etc/stunnel/rsyncd.conf
+	@if ! ls /etc/rsync-ssl/certs/server.* >/dev/null 2>/dev/null; then \
+	    echo "Note that you'll need to install the certificate used by /etc/stunnel/rsyncd.conf"; \
+	fi
+
+install-all: install install-ssl-client install-ssl-daemon
+
 install-strip:
 	$(MAKE) INSTALL_STRIP='-s' install
 
@@ -173,6 +189,17 @@ Makefile: Makefile.in config.status configure.sh config.h.in
 	    fi \
 	fi
 
+rsync-ssl: $(srcdir)/rsync-ssl.in Makefile
+	sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/rsync-ssl.in >rsync-ssl
+	@chmod +x rsync-ssl
+
+stunnel-rsync: $(srcdir)/stunnel-rsync.in Makefile
+	sed 's;\@stunnel4\@;$(stunnel4);g' <$(srcdir)/stunnel-rsync.in >stunnel-rsync
+	@chmod +x stunnel-rsync
+
+stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile
+	sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf
+
 proto: proto.h-tstamp
 
 proto.h: proto.h-tstamp
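Review bot: The three new rules (rsync-ssl, stunnel-rsync, stunnel-rsyncd.conf) write their output in place with `>rsync-ssl` and chmod it afterwards, so a failed sed leaves a newer, possibly empty file that make treats as up to date, and the script briefly exists without the executable bit. Writing through a temporary name with the automatic variables covers both: `sed 's;\@bindir\@;$(bindir);g' <$< >$@.tmp && chmod +x $@.tmp && mv -f $@.tmp $@` (the conf rule without the chmod). `$(bindir)` is also spliced into a `;`-delimited sed expression, so a prefix containing `;` or `&` would corrupt the generated script; that is unlikely but worth a comment on the rule.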
@@ -207,6 +234,7 @@ cleantests:
 # the source directory.
 distclean: clean
 	rm -f Makefile config.h config.status
+	rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf
 	rm -f lib/dummy popt/dummy zlib/dummy
 	rm -f $(srcdir)/Makefile $(srcdir)/config.h $(srcdir)/config.status
 	rm -f $(srcdir)/lib/dummy $(srcdir)/popt/dummy $(srcdir)/zlib/dummy
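Review bot: rsync-ssl, stunnel-rsync and stunnel-rsyncd.conf are built by the `all` target but only removed here in distclean, so `make clean` leaves generated files behind. Unless the clean rule (outside this hunk) already covers them, the `rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf` line belongs in clean, and distclean inherits it through its clean prerequisite.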
diff --git a/clientname.c b/clientname.c
index 8f8460d..d085fc7 100644
--- a/clientname.c
+++ b/clientname.c
@@ -41,7 +41,6 @@ char *client_addr(int fd)
 	static int initialised;
 	struct sockaddr_storage ss;
 	socklen_t length = sizeof ss;
-	char *ssh_info, *p;
 
 	if (initialised)
 		return addr_buf;
@@ -49,11 +48,14 @@ char *client_addr(int fd)
 	initialised = 1;
 
 	if (am_server) {	/* daemon over --rsh mode */
+		char *env_str;
 		strlcpy(addr_buf, "0.0.0.0", sizeof addr_buf);
-		if ((ssh_info = getenv("SSH_CONNECTION")) != NULL
-		    || (ssh_info = getenv("SSH_CLIENT")) != NULL
-		    || (ssh_info = getenv("SSH2_CLIENT")) != NULL) {
-			strlcpy(addr_buf, ssh_info, sizeof addr_buf);
+		if ((env_str = getenv("SSH_CONNECTION")) != NULL
+		 || (env_str = getenv("SSH_CLIENT")) != NULL
+		 || (env_str = getenv("SSH2_CLIENT")) != NULL
+		 || (env_str = getenv("REMOTE_HOST")) != NULL) {
+			char *p;
+			strlcpy(addr_buf, env_str, sizeof addr_buf);
 			/* Truncate the value to just the IP address. */
 			if ((p = strchr(addr_buf, ' ')) != NULL)
 				*p = '\0';
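Review bot: The added `getenv("REMOTE_HOST")` fallback accepts whatever the parent process placed in the environment, so in daemon-over-rsh mode the reported client address is chosen by whoever spawned `rsync --server --daemon`, not by the network; that is the same trust level as the SSH_* variables above it, but it deserves a comment such as `/* REMOTE_HOST is set by stunnel when it spawns us; like SSH_CONNECTION it is unauthenticated input. */` so that any use of client_addr() for access decisions (outside this hunk) is made with that in mind. The space truncation below was written for the `ip port ip port` layout of SSH_CONNECTION; if stunnel emits only the address it is harmless, but confirm the format stunnel4 uses so that a `host:port` style value is not left intact. client_addr() begins before this hunk.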
diff --git a/configure.ac b/configure.ac
index 9c7b411..5c66d62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -39,6 +39,7 @@ AC_PROG_CC
 AC_PROG_CPP
 AC_PROG_EGREP
 AC_PROG_INSTALL
+AC_PROG_MKDIR_P
 AC_PROG_CC_STDC
 AC_SUBST(SHELL)
 
@@ -954,6 +955,9 @@ AC_SUBST(BUILD_POPT)
 AC_SUBST(BUILD_ZLIB)
 AC_SUBST(MAKE_MAN)
 
+AC_PATH_PROG([STUNNEL], [stunnel], [stunnel], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
+AC_PATH_PROG([STUNNEL4], [stunnel4], [$STUNNEL], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
+
 AC_CHECK_FUNCS(_acl __acl _facl __facl)
 #################################################
 # check for ACL support
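Review bot: Both AC_PATH_PROG lookups fall back to a bare name when nothing is found (`[stunnel]`, then `[$STUNNEL]`), so a build host without stunnel configures silently and the name baked into stunnel-rsync is only resolved via PATH at run time. That is acceptable for an optional feature, but an `AC_MSG_WARN([stunnel not found; rsync-ssl will need it on PATH at run time])` in the not-found case makes it visible in the configure output instead of surfacing as a failed connection later.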
diff --git a/packaging/lsb/rsync.spec b/packaging/lsb/rsync.spec
index 234666b..1c04560 100644
--- a/packaging/lsb/rsync.spec
+++ b/packaging/lsb/rsync.spec
@@ -1,6 +1,6 @@
 Summary: A fast, versatile, remote (and local) file-copying tool
 Name: rsync
-Version: 3.0.3
+Version: 3.1.0
 %define fullversion %{version}
 Release: 1
 %define srcdir src
@@ -13,6 +13,14 @@ Prefix: %{_prefix}
 BuildRoot: /var/tmp/%{name}-root
 License: GPL
 
+%package ssl-client
+Summary: Provides rsync-ssl
+Requires: stunnel >= 4
+
+%package ssl-daemon
+Summary: An stunnel config file to support ssl rsync daemon connections.
+Requires: stunnel >= 4
+
 %description
 Rsync is a fast and extraordinarily versatile file copying tool.  It can
 copy locally, to/from another host over any remote shell, or to/from a
@@ -24,12 +32,22 @@ differences between the source files and the existing files in the
 destination.  Rsync is widely used for backups and mirroring and as an
 improved copy command for everyday use.
 
+%description ssl-client
+Provides the rsync-ssl script that makes use of stunnel 4 to open an ssl
+connection to an rsync daemon (on port 874).  This setup does NOT require
+any local stunnel daemon to be running to connect to the remote ssl rsyncd.
+
+%description ssl-daemon
+Provides a config file for stunnel that will (if you start your stunnel
+service) cause stunnel to listen for ssl rsync-daemon connections and run
+"rsync --daemon" to handle them.
+
 %prep
 # Choose one -- setup source only, or setup source + rsync-patches:
 %setup -q -n rsync-%{fullversion}
 #%setup -q -b1 -n rsync-%{fullversion}
 
-# If you you used "%setup -q -b1", choose the patches you wish to apply:
+# If you you used "%setup -q -b1 ...", choose the patches you wish to apply:
 #patch -p1 <patches/acls.diff
 #patch -p1 <patches/xattrs.diff
 #patch -p1 <patches/remote-option.diff
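Review bot: The edited comment still reads `# If you you used "%setup -q -b1 ...", choose the patches you wish to apply:` with the doubled "you"; since the line is already being touched, `# If you used "%setup -q -b1 ...", choose the patches you wish to apply:` fixes it.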
@@ -47,13 +65,11 @@ make
 %install
 rm -rf $RPM_BUILD_ROOT
 
-%makeinstall
+make install install-ssl-client install-ssl-daemon
 
-mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d
+mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d $RPM_BUILD_ROOT/etc/rsync-ssl/certs
 install -m 644 packaging/lsb/rsync.xinetd $RPM_BUILD_ROOT/etc/xinetd.d/rsync
 
-#install -p -m 755 support/rsyncdb $RPM_BUILD_ROOT/usr/bin/rsyncdb
-
 %clean
 rm -rf $RPM_BUILD_ROOT
 
@@ -61,10 +77,18 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root)
 %doc COPYING NEWS OLDNEWS README support/ tech_report.tex
 %config(noreplace) /etc/xinetd.d/rsync
-%{_prefix}/bin/rsync*
+%{_prefix}/bin/rsync
 %{_mandir}/man1/rsync.1*
 %{_mandir}/man5/rsyncd.conf.5*
 
+%files ssl-client
+%{_prefix}/bin/rsync-ssl
+%{_prefix}/bin/stunnel-rsync
+
+%files ssl-daemon
+%config(noreplace) /etc/stunnel/rsyncd.conf
+%dir /etc/rsync-ssl/certs
+
 %changelog
 * Sun Jun 29 2008 Wayne Davison <wayned at samba.org>
 Released 3.0.3.
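Review bot: `%dir /etc/rsync-ssl/certs` in the ssl-daemon section has no `%attr`, and the `%defattr(-,root,root)` above belongs to the main %files section, so the directory meant to hold server.key is packaged with whatever mode `mkdir -p` left in the buildroot. Marking it `%attr(0700,root,root) %dir /etc/rsync-ssl/certs` keeps the private-key directory readable by root only, which is sufficient because the stunnel config runs with `setuid = root`. The same applies to the ssl-client section, which packages two executables without a %defattr line.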
diff --git a/rsync-ssl.in b/rsync-ssl.in
new file mode 100755
index 0000000..da58d6a
--- /dev/null
+++ b/rsync-ssl.in
@@ -0,0 +1,12 @@
+#!/bin/bash
+# This script supports using stunnel to secure an rsync daemon connection.
+# Note that this requires at least version 4.x of stunnel.
+case "$@" in
+*rsync://*) ;;
+*::*) ;;
+*)
+    echo "You must use rsync-ssl with a daemon-style hostname." 0>&1
+    exit 1
+    ;;
+esac
+exec @bindir@/rsync --rsh=@bindir@/stunnel-rsync "${@}"
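Review bot: The usage message at `echo "You must use rsync-ssl with a daemon-style hostname." 0>&1` redirects stdin to stdout rather than sending the message to stderr, so it lands on stdout where a caller capturing rsync-ssl's output would see it; it should be `1>&2`, as stunnel-rsync.in already does. A one-line comment before the exec, e.g. `# --rsh is abused here to run stunnel as the transport for the daemon protocol`, would help readers who expect --rsh to mean ssh.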
diff --git a/stunnel-rsync.in b/stunnel-rsync.in
new file mode 100755
index 0000000..f206b93
--- /dev/null
+++ b/stunnel-rsync.in
@@ -0,0 +1,52 @@
+#!/bin/bash
+# This must be called as:
+#
+#    stunnel-rsync HOSTNAME rsync --server --daemon .
+#
+# ... which is typically done via the rsync-ssl script, which results in something like this:
+#
+#    rsync --rsh=stunnel-rsync -aiv HOSTNAME::module ...
+#
+# This SSL setup based on the files by:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that this requires at least version 4.x of stunnel.
+
+# The current environment can override using the RSYNC_SSL_* values:
+if [ x"$RSYNC_SSL_CERT" = x ]; then
+    cert=""
+else
+    cert="cert = $RSYNC_SSL_CERT"
+fi
+if [ x"$RSYNC_SSL_CA_CERT" ]; then
+    cafile=""
+    verify=0
+else
+    cafile="CAfile = $RSYNC_SSL_CA_CERT"
+    verify=3
+fi
+port=${RSYNC_SSL_PORT:-874}
+
+# If the user specified USER at HOSTNAME::module, then rsync passes us
+# the -l USER option too, so we must be prepared to ignore it.
+if [ x"$1" = x"-l" ]; then
+    shift 2
+fi
+
+hostname=$1
+shift
+
+if [ x"$hostname" = x -o x"$1" != x"rsync" -o x"$2" != x"--server" -o x"$3" != x"--daemon" ]; then
+    echo "Usage: stunnel-rsync HOSTNAME rsync --server --daemon ." 1>&2
+    exit 1
+fi
+
+# devzero at web.de came up with this no-tmpfile calling syntax:
+ at stunnel4@ -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$cert
+$cafile
+EOF
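Review bot: The test `if [ x"$RSYNC_SSL_CA_CERT" ]; then` is always true (the operand starts with a literal x), so the branch setting `cafile=""` and `verify=0` runs every time and the `CAfile = ...`/`verify=3` branch is dead: the client never verifies the server certificate, even when RSYNC_SSL_CA_CERT is set. The line should read `if [ x"$RSYNC_SSL_CA_CERT" = x ]; then`, matching the RSYNC_SSL_CERT test just above it. A comment there, e.g. `# Without a CA cert the server is not verified; set RSYNC_SSL_CA_CERT to enable verify=3`, makes the default visible to users.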
diff --git a/stunnel-rsyncd.conf.in b/stunnel-rsyncd.conf.in
new file mode 100644
index 0000000..202c9ed
--- /dev/null
+++ b/stunnel-rsyncd.conf.in
@@ -0,0 +1,30 @@
+# This config for stunnel will start up rsync for an incoming ssl connection.
+foreground = no
+#output = /var/log/stunnel-rsyncd.log
+pid = /var/run/stunnel-rsyncd.pid
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+compression = rle
+# This must be root for rsync to use chroot -- rsync will drop permissions:
+setuid = root
+setgid = root
+
+[rsync]
+accept = 874
+# You can set the cert to a combo *.pem file and omit the key, if you like.
+cert = /etc/rsync-ssl/certs/server.crt
+key  = /etc/rsync-ssl/certs/server.key
+client = no
+
+# To allow anyone to try an ssl connection, use this:
+verify = 0
+CAfile = /etc/ssl/ca-bundle.pem
+
+# To allow only cert-authorized clients, use something like this instead of the above:
+#verify = 3
+#CAfile = /etc/rsync-ssl/certs/allowed-clients.cert.pem
+
+exec = @bindir@/rsync
+# You can either share the same config as a normal daemon, or specify a separate config:
+execargs = rsync --server --daemon
+#execargs = rsync --server --daemon --config=/etc/rsync-ssl/rsyncd.conf
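Review bot: The shipped defaults are the permissive ones — `verify = 0` accepts any client and no `options`/`ciphers` directive constrains the protocol or cipher suite — which is fine for a template but should be stated at the top; a comment such as `# Defaults below accept any client and any protocol stunnel supports; tighten verify, options and ciphers for production use.` after the first line, plus e.g. `options = NO_SSLv2` in the [rsync] section, makes the safer path obvious. The `CAfile = /etc/ssl/ca-bundle.pem` path is distribution-specific and may keep stunnel from starting where it does not exist, so it deserves a note of its own.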

