[SCM] The rsync repository. - branch master updated

Sun Apr 19 21:01:32 UTC 2020


The branch, master has been updated
       via  2a87d78f Change the rsync-ssl helper script
      from  3ba4db70 Two more spelling fixes and some year updates.

https://git.samba.org/?p=rsync.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2a87d78f693f10fe5ad13af0bb9311bd3714077d
Author: Wayne Davison <wayne at opencoder.net>
Date:   Sun Apr 19 12:08:01 2020 -0700

    Change the rsync-ssl helper script
    
    The new rsh-ssl-rsync helper script (replacing stunnel-rsync) supports
    openssl in addition to stunnel.  The RSYNC_SSL_TYPE environment variable
    can be set to specify which type of connection to use, and the first arg
    to rsync-ssl can be --type=stunnel or --type=openssl to override the env
    var or the default of "stunnel".  The helper script now looks for
    stunnel4 or stunnel on the PATH at runtime instead of having configure
    look for it at compile time.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore               |   1 -
 Makefile.in              |  12 ++---
 configure.ac             |   3 --
 packaging/lsb/rsync.spec |   2 +-
 rsh-ssl-rsync            | 113 +++++++++++++++++++++++++++++++++++++++++++++++
 rsync-ssl.in             |  16 +++++--
 stunnel-rsync.in         |  57 ------------------------
 stunnel-rsyncd.conf.in   |   4 +-
 8 files changed, 132 insertions(+), 76 deletions(-)
 create mode 100755 rsh-ssl-rsync
 delete mode 100755 stunnel-rsync.in


Changeset truncated at 500 lines:

diff --git a/.gitignore b/.gitignore
index f0204bbe..519bd3bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,7 +25,6 @@ aclocal.m4
 /gmon.out
 /rsync
 /rsync-ssl
-/stunnel-rsync
 /stunnel-rsyncd.conf
 /shconfig
 /testdir
diff --git a/Makefile.in b/Makefile.in
index 4d6eadc6..3057dc33 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -63,7 +63,7 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.
 	$(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
 @OBJ_RESTORE@
 
-all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsync stunnel-rsyncd.conf @MAKE_MAN@
+all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsyncd.conf @MAKE_MAN@
 
 install: all
 	-${MKDIR_P} ${DESTDIR}${bindir}
@@ -73,10 +73,10 @@ install: all
 	if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
 	if test -f rsyncd.conf.5; then ${INSTALLMAN} -m 644 rsyncd.conf.5 ${DESTDIR}${mandir}/man5; fi
 
-install-ssl-client: rsync-ssl stunnel-rsync
+install-ssl-client: rsync-ssl
 	-${MKDIR_P} ${DESTDIR}${bindir}
 	${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir}
-	${INSTALLCMD} -m 755 stunnel-rsync ${DESTDIR}${bindir}
+	${INSTALLCMD} -m 755 rsh-ssl-rsync ${DESTDIR}${bindir}
 
 install-ssl-daemon: stunnel-rsyncd.conf
 	-${MKDIR_P} ${DESTDIR}/etc/stunnel
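Review bot: `${INSTALLCMD} -m 755 rsh-ssl-rsync ${DESTDIR}${bindir}` looks for the helper in the build directory, but after this commit nothing generates it there — `rsh-ssl-rsync` is a plain source file — so an out-of-tree build (srcdir not equal to the build dir, which the `$(srcdir)/...` prerequisites elsewhere in this Makefile are designed for) would fail at install time, and because the file was also dropped from the `install-ssl-client` prerequisites nothing flags it earlier. Install it from the source tree and keep it as a prerequisite: `install-ssl-client: rsync-ssl $(srcdir)/rsh-ssl-rsync` and `${INSTALLCMD} -m 755 $(srcdir)/rsh-ssl-rsync ${DESTDIR}${bindir}`.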
@@ -198,10 +198,6 @@ rsync-ssl: $(srcdir)/rsync-ssl.in Makefile
 	sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/rsync-ssl.in >rsync-ssl
 	@chmod +x rsync-ssl
 
-stunnel-rsync: $(srcdir)/stunnel-rsync.in Makefile
-	sed 's;\@stunnel4\@;$(stunnel4);g' <$(srcdir)/stunnel-rsync.in >stunnel-rsync
-	@chmod +x stunnel-rsync
-
 stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile
 	sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf
 
@@ -239,7 +235,7 @@ cleantests:
 # the source directory.
 distclean: clean
 	rm -f Makefile config.h config.status
-	rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf
+	rm -f rsync-ssl stunnel-rsyncd.conf
 	rm -f lib/dummy popt/dummy zlib/dummy
 	rm -f $(srcdir)/Makefile $(srcdir)/config.h $(srcdir)/config.status
 	rm -f $(srcdir)/lib/dummy $(srcdir)/popt/dummy $(srcdir)/zlib/dummy
diff --git a/configure.ac b/configure.ac
index 8e44eca4..55fccd8e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -974,9 +974,6 @@ AC_SUBST(BUILD_POPT)
 AC_SUBST(BUILD_ZLIB)
 AC_SUBST(MAKE_MAN)
 
-AC_PATH_PROG([STUNNEL], [stunnel], [stunnel], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
-AC_PATH_PROG([STUNNEL4], [stunnel4], [$STUNNEL], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
-
 AC_CHECK_FUNCS(_acl __acl _facl __facl)
 #################################################
 # check for ACL support
diff --git a/packaging/lsb/rsync.spec b/packaging/lsb/rsync.spec
index 0e7794c4..f527976e 100644
--- a/packaging/lsb/rsync.spec
+++ b/packaging/lsb/rsync.spec
@@ -84,7 +84,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files ssl-client
 %{_prefix}/bin/rsync-ssl
-%{_prefix}/bin/stunnel-rsync
+%{_prefix}/bin/rsh-ssl-rsync
 
 %files ssl-daemon
 %config(noreplace) /etc/stunnel/rsyncd.conf
diff --git a/rsh-ssl-rsync b/rsh-ssl-rsync
new file mode 100755
index 00000000..15135ef2
--- /dev/null
+++ b/rsh-ssl-rsync
@@ -0,0 +1,113 @@
+#!/bin/bash
+# This must be called as (note the trailing dot):
+#
+#    rsh-ssl-rsync HOSTNAME rsync --server --daemon .
+#
+# ... which is typically done via the rsync-ssl script, which results in something like this:
+#
+#    rsync --rsh=rsh-ssl-rsync -aiv HOSTNAME::module [ARGS]
+#
+# This SSL setup based on the files by:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+# The environment can override our defaults using RSYNC_SSL_* variables
+
+if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+    RSYNC_SSL_TYPE=stunnel
+fi
+
+case "$RSYNC_SSL_TYPE" in
+    stunnel)
+	if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+	    IFS_SAVE="$IFS"
+	    IFS=:
+	    for prog in stunnel4 stunnel; do
+		for dir in $PATH; do
+		    [[ -z "$dir" ]] && dir=.
+		    if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+			RSYNC_SSL_STUNNEL="$dir/$prog"
+			break 2
+		    fi
+		done
+	    done
+	    IFS="$IFS_SAVE"
+	fi
+	if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+	    echo "Failed to find stunnel on your path." 1>&2
+	    echo "Maybe export RSYNC_SSL_STUNNEL=/path or RSYNC_SSL_TYPE=openssl." 1>&2
+	    exit 1
+	fi
+	optsep=' = '
+	;;
+    openssl)
+	optsep=' '
+	;;
+    *)
+	echo "The RSYNC_SSL_TYPE is not set to a known type: $RSYNC_SSL_TYPE" 1>&2
+	exit 1
+	;;
+esac
+
+if [[ -z "$RSYNC_SSL_CERT" ]]; then
+    certopt=""
+else
+    certopt="cert$optsep$RSYNC_SSL_CERT"
+fi
+
+if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+    # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+    # openssl:
+    caopt="-verify_return_error -verify 4"
+    # stunnel:
+    cafile=""
+    verify=0
+elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+    # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+    # openssl:
+    caopt="-verify 1"
+    # stunnel:
+    cafile=""
+    verify=0
+else
+    # RSYNC_SSL_CA_CERT set - use CA AND verify:
+    # openssl:
+    caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+    # stunnel:
+    cafile="CAfile = $RSYNC_SSL_CA_CERT"
+    verify=3
+fi
+
+port="${RSYNC_PORT:-0}"
+if [[ "$port" == 0 ]]; then
+    port="${RSYNC_SSL_PORT:-874}"
+fi
+
+# If the user specified USER at HOSTNAME::module, then rsync passes us
+# the -l USER option too, so we must be prepared to ignore it.
+if [[ "$1" == "-l" ]]; then
+    shift 2
+fi
+
+hostname="$1"
+shift
+
+if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+    echo "Usage: rsync-ssl-helper HOSTNAME rsync --server --daemon ." 1>&2
+    exit 1
+fi
+
+if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+    exec openssl s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+else
+    # devzero at web.de came up with this no-tmpfile calling syntax:
+    exec stunnel -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$certopt
+$cafile
+EOF
+fi
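Review bot: The stunnel branch at the bottom execs the literal `stunnel` rather than the program the PATH search stored in `RSYNC_SSL_STUNNEL`, so a system that only has `stunnel4` (the case the search exists for) fails at exec and an explicit `RSYNC_SSL_STUNNEL=/path` override is silently ignored; it should read `exec "$RSYNC_SSL_STUNNEL" -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-`. The openssl side has a related slip: `certopt="cert$optsep$RSYNC_SSL_CERT"` expands to `cert /path` for openssl, but `s_client` takes `-cert`, so a client certificate never reaches openssl — a per-type option prefix set in the `case` fixes it (below). The usage message names `rsync-ssl-helper` while the header comment and the Makefile install the script as `rsh-ssl-rsync`. Finally, the comment on the unset-`RSYNC_SSL_CA_CERT` branch ("default CA set AND verify") only describes the openssl values; the stunnel values on that same branch are `cafile=""`/`verify=0`, i.e. no peer verification at all by default, which the comment should state explicitly so readers do not assume the stunnel path verifies like the openssl path does.
```bash
    stunnel)
	# … unchanged: PATH search for stunnel4/stunnel and the not-found error …
	optpfx=''
	optsep=' = '
	;;
    openssl)
	optpfx='-'
	optsep=' '
	;;
# … unchanged: unknown-type error, esac …
if [[ -z "$RSYNC_SSL_CERT" ]]; then
    certopt=""
else
    certopt="${optpfx}cert$optsep$RSYNC_SSL_CERT"
fi
# … unchanged: CA handling, port, -l handling, argument checks …
    echo "Usage: rsh-ssl-rsync HOSTNAME rsync --server --daemon ." 1>&2
# … unchanged: openssl exec …
    exec "$RSYNC_SSL_STUNNEL" -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
```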
diff --git a/rsync-ssl.in b/rsync-ssl.in
index da58d6af..62ab1a57 100755
--- a/rsync-ssl.in
+++ b/rsync-ssl.in
@@ -1,12 +1,20 @@
 #!/bin/bash
-# This script supports using stunnel to secure an rsync daemon connection.
-# Note that this requires at least version 4.x of stunnel.
+# This script supports using stunnel or openssl to secure an rsync daemon connection.
+# The first option can be --type=stunnel or --type=openssl to choose your connection
+# type (overriding any $RSYNC_SSL_TYPE default value).
+
+if [[ "$1" == --type=* ]]; then
+    export RSYNC_SSL_TYPE="${1/--type=/}"
+    shift
+fi
+
 case "$@" in
 *rsync://*) ;;
 *::*) ;;
 *)
-    echo "You must use rsync-ssl with a daemon-style hostname." 0>&1
+    echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
     exit 1
     ;;
 esac
-exec @bindir@/rsync --rsh=@bindir@/stunnel-rsync "${@}"
+
+exec @bindir@/rsync --rsh=@bindir@/rsh-ssl-rsync "${@}"
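Review bot: `export RSYNC_SSL_TYPE="${1/--type=/}"` uses substring replacement, which removes the first `--type=` wherever it occurs; since the guard just matched `--type=*` as a prefix, the prefix-strip form `"${1#--type=}"` says exactly what is meant and cannot touch a later occurrence. Note also that a bare `--type=` exports an empty value, which (judging by the helper's `-z` check) falls back to stunnel rather than erroring; if that is intended, the header comment could say so in one line, e.g. `# An empty --type= value falls back to the default (stunnel).`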
diff --git a/stunnel-rsync.in b/stunnel-rsync.in
deleted file mode 100755
index ca702ae9..00000000
--- a/stunnel-rsync.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/bash
-# This must be called as (note the trailing dot):
-#
-#    stunnel-rsync HOSTNAME rsync --server --daemon .
-#
-# ... which is typically done via the rsync-ssl script, which results in something like this:
-#
-#    rsync --rsh=stunnel-rsync -aiv HOSTNAME::module [ARGS]
-#
-# This SSL setup based on the files by:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
-# Note that this requires at least version 4.x of stunnel.
-
-# The current environment can override using the RSYNC_SSL_* values:
-if [ x"$RSYNC_SSL_CERT" = x ]; then
-    cert=""
-else
-    cert="cert = $RSYNC_SSL_CERT"
-fi
-
-if [ x"$RSYNC_SSL_CA_CERT" = x ]; then
-    cafile=""
-    verify=0
-else
-    cafile="CAfile = $RSYNC_SSL_CA_CERT"
-    verify=3
-fi
-
-port="${RSYNC_PORT:-0}"
-if [ "$port" = 0 ]; then
-    port="${RSYNC_SSL_PORT:-874}"
-fi
-
-# If the user specified USER at HOSTNAME::module, then rsync passes us
-# the -l USER option too, so we must be prepared to ignore it.
-if [ x"$1" = x"-l" ]; then
-    shift 2
-fi
-
-hostname=$1
-shift
-
-if [ x"$hostname" = x -o x"$1" != x"rsync" -o x"$2" != x"--server" -o x"$3" != x"--daemon" ]; then
-    echo "Usage: stunnel-rsync HOSTNAME rsync --server --daemon ." 1>&2
-    exit 1
-fi
-
-# devzero at web.de came up with this no-tmpfile calling syntax:
- at stunnel4@ -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
-foreground = yes
-debug = crit
-connect = $hostname:$port
-client = yes
-TIMEOUTclose = 0
-verify = $verify
-$cert
-$cafile
-EOF
diff --git a/stunnel-rsyncd.conf.in b/stunnel-rsyncd.conf.in
index fd28d5d4..b3fd240e 100644
--- a/stunnel-rsyncd.conf.in
+++ b/stunnel-rsyncd.conf.in
@@ -4,7 +4,7 @@ foreground = no
 pid = /var/run/stunnel-rsyncd.pid
 socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
-compression = rle
+#compression = rle
 # This must be root for rsync to use chroot -- rsync will drop permissions:
 setuid = root
 setgid = root
@@ -18,7 +18,7 @@ client = no
 
 # To allow anyone to try an ssl connection, use this:
 verify = 0
-CAfile = /etc/ssl/ca-bundle.pem
+CAfile = /etc/ssl/certs/ca-certificates.crt
 
 # To allow only cert-authorized clients, use something like this instead of the above:
 #verify = 3
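Review bot: `CAfile = /etc/ssl/certs/ca-certificates.crt` hard-codes one distribution family's bundle location into the shipped daemon config, so on systems that keep the bundle elsewhere the file points at a path that does not exist; the previous value had the same problem with a different path. Since this template is already processed by sed for `@bindir@`, the path could be made a substituted value, or at least the preceding comment could say `# Adjust CAfile to your system's CA bundle location` so administrators enabling `verify = 3` know to check it. Whether stunnel consults CAfile at all while `verify = 0` is not visible here, so the impact is mainly for anyone who switches to the cert-authorized variant below.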

