[SCM] The rsync repository. - branch master updated
Rsync CVS commit messages
rsync-cvs at lists.samba.org
Wed Jul 1 19:11:12 UTC 2020
The branch, master has been updated
via 544b3d8b A few more systemd tweaks.
from ce12142c Don't set systemd ProtectHome=on by default.
https://git.samba.org/?p=rsync.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 544b3d8b3b07279ba53ce4dcff656a7fc70156b8
Author: Wayne Davison <wayne at opencoder.net>
Date: Wed Jul 1 11:36:00 2020 -0700
A few more systemd tweaks.
-----------------------------------------------------------------------
Summary of changes:
NEWS.md | 19 +++++++++++--------
packaging/systemd/rsync.service | 4 ++--
packaging/systemd/rsync at .service | 4 ++--
3 files changed, 15 insertions(+), 12 deletions(-)
Changeset truncated at 500 lines:
diff --git a/NEWS.md b/NEWS.md
index e30d9903..14284729 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -40,9 +40,10 @@ Protocol: 31 (unchanged)
variable.
- The default systemd config was changed to remove the `ProtectHome=on`
- setting since rsync is often used to serve files in /home and this seemed a
- bit too strict. Feel free to use `systemctl edit rsync` to add that
- restriction to your own setup, if you like.
+ setting since rsync is often used to serve files in /home and /root and this
+ seemed a bit too strict. Feel free to use `systemctl edit rsync` to add
+ that restriction (or maybe `ProtectHome=read-only`), if you like. See the
+ 3.2.0 NEWS for the other restrictions that were added compared to 3.1.3.
- The memory allocation functions now automatically check for a failure and
die when out of memory. This eliminated some caller-side check-and-die
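Review bot: the suggested alternative `ProtectHome=read-only` is only softer for serving files, not for receiving them. With `read-only`, /home and /root are still mounted read-only inside the unit, so an rsync daemon module under either tree that sets `read only = false` will fail on upload exactly as it did with `ProtectHome=on`. Also, ProtectHome= covers /run/user as well as /root and /home, which neither this entry nor the 3.2.0 text mentions. Suggest qualifying the parenthetical, e.g. "(or `ProtectHome=read-only` if the modules under those trees are read-only anyway)".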
@@ -103,11 +104,6 @@ Protocol: 31 (unchanged)
### ENHANCEMENTS:
- - The default systemd config was made a bit stricter by default. For
- instance, `ProtectHome=on` was added. You can override this using the
- standard `systemctl edit rsync` and add a line to turn that off under a
- `[Service]` heading.
-
- The use of `--backup-dir=STR` now implies `--backup`.
- Added `--zl=NUM` as a short-hand for `--compress-level=NUM`.
@@ -201,6 +197,13 @@ Protocol: 31 (unchanged)
### ENHANCEMENTS:
+ - The default systemd config was made stricter by default. For instance,
+ `ProtectHome=on` (which hides content in /root and /home/USER dirs),
+ `ProtectSystem=full` (which makes /usr, /boot, & /etc dirs read-only), and
+ `PrivateDevices=on` (which hides devices). You can override any of these
+ using the standard `systemctl edit rsync` and add one or more directives
+ under a `[Service]` heading (and restart the rsync service).
+
- Various checksum enhancements, including the optional use of openssl's MD4 &
MD5 checksum algorithms, some x86-64 optimizations for the rolling checksum,
some x86-64 optimizations for the (non-openssl) MD5 checksum, the addition
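Review bot: the sentence beginning "For instance, `ProtectHome=on` ..." has no main verb; it is a list of three directives with glosses. Suggest "For instance, it now sets `ProtectHome=on` (...), `ProtectSystem=full` (...), and `PrivateDevices=on` (...)." Two of the glosses also under-describe the effect: `ProtectHome=on` hides /run/user in addition to /root and /home, and `PrivateDevices=on` does not simply hide devices, it replaces /dev with a private instance holding only API pseudo-devices such as /dev/null, /dev/zero and /dev/random and drops CAP_MKNOD and CAP_SYS_RAWIO from the bounding set, so a module that receives `--devices`/`-D` transfers, or that is rooted on a physical device path, is what breaks. The shipped unit also sets `NoNewPrivileges=on` (visible in the service hunks below); listing it here would help, since that is the directive most likely to surprise setups that rely on setuid helpers.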
diff --git a/packaging/systemd/rsync.service b/packaging/systemd/rsync.service
index 5955db9e..8a0b5820 100644
--- a/packaging/systemd/rsync.service
+++ b/packaging/systemd/rsync.service
@@ -16,14 +16,14 @@ RestartSec=1
# This is generally used for public file distribution, [...]
#
# So let's assume some extra security is more than welcome here. We do full
-# system protection (which makes it read-only) and hide users' homes and
+# system protection (which makes /usr, /boot, & /etc read-only) and hide
# devices. To override these defaults, it's best to do so in the drop-in
# directory, often done via `systemctl edit rsync.service`. The file needs
# just the bare minimum of the right [heading] and override values.
# See systemd.unit(5) and search for "drop-in" for full details.
ProtectSystem=full
-#ProtectHome=on
+#ProtectHome=on|off|read-only
PrivateDevices=on
NoNewPrivileges=on
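Review bot: `#ProtectHome=on|off|read-only` reads as a menu, not a directive. Anyone who uncomments it verbatim gets an invalid assignment that systemd logs as a warning and ignores, so the unit silently runs without the protection they believe they turned on. Suggest keeping a real example line and moving the alternatives into the comment, e.g. "# ProtectHome=on   (or read-only; the default is off)". Since the comment above now points people at `systemctl edit rsync.service`, it is also worth saying that the drop-in must start with the `[Service]` heading before `ProtectHome=on`; an assignment outside any section is likewise ignored by systemd.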
diff --git a/packaging/systemd/rsync at .service b/packaging/systemd/rsync at .service
index 3168cb61..63ba0c7c 100644
--- a/packaging/systemd/rsync at .service
+++ b/packaging/systemd/rsync at .service
@@ -16,13 +16,13 @@ StandardError=journal
# This is generally used for public file distribution, [...]
#
# So let's assume some extra security is more than welcome here. We do full
-# system protection (which makes it read-only) and hide users' homes and
+# system protection (which makes /usr, /boot, & /etc read-only) and hide
# devices. To override these defaults, it's best to do so in the drop-in
# directory, often done via `systemctl edit rsync at .service`. The file needs
# just the bare minimum of the right [heading] and override values.
# See systemd.unit(5) and search for "drop-in" for full details.
ProtectSystem=full
-#ProtectHome=on
+#ProtectHome=on|off|read-only
PrivateDevices=on
NoNewPrivileges=on
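Review bot: same problem as in rsync.service: `#ProtectHome=on|off|read-only` is not a valid value if uncommented as-is, so use a real example line with the alternatives in the comment text. The two units now carry an identical hardening block and comment; keeping them byte-for-byte in sync (or generating one from the other) would avoid a later change to one, such as re-enabling ProtectHome, silently leaving the template unit behind.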