[SCM] The rsync repository. - branch master updated

Rsync CVS commit messages rsync-cvs at lists.samba.org
Thu Jun 11 22:24:42 UTC 2020


The branch, master has been updated
       via  b040825b Improve the haproxy header docs.
       via  3c793ef1 Use /dev/shm instead of requiring /dev/shm/tmp.
      from  cff0764b Add `haproxy header` parameter to rsync daemon

https://git.samba.org/?p=rsync.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b040825b86175aa06173832acef4b46d68630b64
Author: Wayne Davison <wayne at opencoder.net>
Date:   Thu Jun 11 15:16:17 2020 -0700

    Improve the haproxy header docs.

commit 3c793ef15373ad37f3c47d296cc770df70be2abc
Author: Wayne Davison <wayne at opencoder.net>
Date:   Thu Jun 11 14:33:25 2020 -0700

    Use /dev/shm instead of requiring /dev/shm/tmp.

-----------------------------------------------------------------------

Summary of changes:
 .github/workflows/ccpp.yml    |  2 --
 rsyncd.conf.5.md              | 28 +++++++++++++++++-----------
 testsuite/chmod-temp-dir.test |  2 +-
 3 files changed, 18 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/.github/workflows/ccpp.yml b/.github/workflows/ccpp.yml
index 6108b889..0ffbde06 100644
--- a/.github/workflows/ccpp.yml
+++ b/.github/workflows/ccpp.yml
@@ -15,8 +15,6 @@ jobs:
     - uses: actions/checkout at v2
     - name: prepare-packages
       run: sudo apt-get install fakeroot acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm
-    - name: add other-filesystem tmp dir
-      run: mkdir -m 1777 /run/shm/tmp
     - name: prepare-source
       run: ./prepare-source
     - name: configure
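Review bot: With the `mkdir -m 1777 /run/shm/tmp` step removed, nothing in this workflow guarantees that the runner has a writable directory on a different filesystem from the scratch dir, so the cross-filesystem case in testsuite/chmod-temp-dir.test can silently stop being exercised if the runner image changes. Consider setting RSYNC_TEST_TMP explicitly for the job, or adding a step that fails when /run/shm is missing or not writable.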
diff --git a/rsyncd.conf.5.md b/rsyncd.conf.5.md
index f1e335c1..2952e73e 100644
--- a/rsyncd.conf.5.md
+++ b/rsyncd.conf.5.md
@@ -236,17 +236,23 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
 
 0.  `haproxy header`
 
-    This parameter indicates that all incoming connections must start with a V1
-    or V2 haproxy header. If the header is not found, the connection is closed.
-
-    Setting this allows a proxy server to forward the source IP information to
-    rsync, allowing you to make use of IP restrictions that don't all match the
-    source IP of the proxy server.
-
-    _CAUTION_: when using this option you _must_ make sure that only the proxy
-    is allowed to connect to the rsync port via some kind of firewall rules
-    (such as iptables).  If any non-proxied connections are allowed through,
-    the client will be able to spoof any remote IP address that they desire.
+    When this parameter is enabled, all incoming connections must start with a
+    V1 or V2 haproxy header.  If the header is not found, the connection is
+    closed.
+
+    Setting this to `true` requires a proxy server to forward source IP
+    information to rsync, allowing you to log proper IP/host info and make use
+    of client-oriented IP restrictions.  The default of `false` means that the
+    IP information comes directly from the socket's metadata.  If rsync is not
+    behind a proxy, this should be disabled.
+
+    _CAUTION_: using this option can be dangerous if you do not ensure that
+    only the proxy is allowed to connect to the rsync port.  If any non-proxied
+    connections are allowed through, the client will be able to use a modified
+    rsync to spoof any remote IP address that they desire.  You can lock this
+    down using something like iptables `-uid-owner root` rules (for strict
+    localhost access), various firewall rules, or you can require password
+    authorization so that any spoofing by users will not grant extra access.
 
     This setting is global.  If you need some modules to require this and not
     others, then you will need to setup multiple rsync daemon processes on
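Review bot: In the rewritten _CAUTION_ paragraph, the password-authorization fallback only addresses access control. The paragraph above it now also advertises logging "proper IP/host info", and a spoofed header from a non-proxied client would still put a forged address in the logs, so the caution should say that requiring passwords does not make the logged address trustworthy. Separately, the iptables option is written as `-uid-owner root` with a single dash; the owner-match option is `--uid-owner`, so check that the markdown source keeps both dashes in the rendered man page.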
diff --git a/testsuite/chmod-temp-dir.test b/testsuite/chmod-temp-dir.test
index 085ab008..b9a294ac 100644
--- a/testsuite/chmod-temp-dir.test
+++ b/testsuite/chmod-temp-dir.test
@@ -16,7 +16,7 @@ hands_setup
 sdev=`$TOOLDIR/getfsdev $scratchdir`
 tdev=$sdev
 
-for tmpdir2 in "${RSYNC_TEST_TMP:-/override-tmp-not-specified}" /run/shm/tmp /var/tmp /tmp; do
+for tmpdir2 in "${RSYNC_TEST_TMP:-/override-tmp-not-specified}" /run/shm /var/tmp /tmp; do
     [ -d "$tmpdir2" -a -w "$tmpdir2" ] || continue
     tdev=`$TOOLDIR/getfsdev "$tmpdir2"`
     [ x$sdev != x$tdev ] && break
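Review bot: The changed `for tmpdir2 in ...` line lists /run/shm, while the commit subject says /dev/shm. On a host that provides only one of the two paths, the `[ -d "$tmpdir2" -a -w "$tmpdir2" ] || continue` check skips the candidate without any message and the loop falls through to /var/tmp and /tmp, which may share a device with the scratch dir. Either list both /dev/shm and /run/shm as candidates or align the commit message with the path actually used. Since the test now works directly in a shared directory rather than a dedicated subdirectory, it is also worth confirming that whatever it creates there uses a unique name and is removed afterwards.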


-- 
The rsync repository.
