[SCM] The rsync repository. - branch master updated

Rsync CVS commit messages rsync-cvs at lists.samba.org
Wed Jun 17 16:32:45 UTC 2020


The branch, master has been updated
       via  d3c7cfad Be a little more explicit with override info.
       via  9ec777fa add a systemd socket unit for rsync
       via  69f445fd update rsync systemd unit, add more security features
      from  643b9d01 Change SIMD back to disabled unless requested.

https://git.samba.org/?p=rsync.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d3c7cfad226f0d1b74247d9b97fb7787a50cf0a4
Author: Wayne Davison <wayne at opencoder.net>
Date:   Wed Jun 17 09:31:48 2020 -0700

    Be a little more explicit with override info.

commit 9ec777faf8ca1572188ef206a5dbcb7bb721781c
Author: Christian Hesse <mail at eworm.de>
Date:   Wed Jun 17 10:17:26 2020 +0200

    add a systemd socket unit for rsync

commit 69f445fd094680a1d5c7f4eabed2b7559ed8dd0f
Author: Christian Hesse <mail at eworm.de>
Date:   Wed Jun 17 10:15:32 2020 +0200

    update rsync systemd unit, add more security features

-----------------------------------------------------------------------

Summary of changes:
 packaging/systemd/rsync.service  | 21 +++++++++++++++++++++
 packaging/systemd/rsync.socket   | 10 ++++++++++
 packaging/systemd/rsync@.service | 28 ++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 packaging/systemd/rsync.socket
 create mode 100644 packaging/systemd/rsync@.service


Changeset truncated at 500 lines:

diff --git a/packaging/systemd/rsync.service b/packaging/systemd/rsync.service
index f64d2b6b..6d1031fd 100644
--- a/packaging/systemd/rsync.service
+++ b/packaging/systemd/rsync.service
@@ -1,9 +1,30 @@
 [Unit]
 Description=fast remote file copy program daemon
 ConditionPathExists=/etc/rsyncd.conf
+After=network.target
 
 [Service]
 ExecStart=/usr/bin/rsync --daemon --no-detach
+RestartSec=1
+
+# Citing README.md:
+#
+#   [...] Using ssh is recommended for its security features.
+#
+#   Alternatively, rsync can run in `daemon' mode, listening on a socket.
+#   This is generally used for public file distribution, [...]
+#
+# So let's assume some extra security is more than welcome here. We do full
+# system protection (which makes it read-only) and hide users' homes and
+# devices. To override these defaults, it's best to do so in the drop-in
+# directory, often done via `systemctl edit rsync.service`. The file needs
+# just the bare minimum of the right [heading] and override values.
+# See systemd.unit(5) and search for "drop-in" for full details.
+
+ProtectSystem=full
+ProtectHome=on
+PrivateDevices=on
+NoNewPrivileges=on
 
 [Install]
 WantedBy=multi-user.target
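
Review bot: RestartSec=1 in [Service] has no effect as the unit stands, because the file contains no Restart= line and systemd's default is Restart=no. Either add a restart policy beside it (for example Restart=on-failure) or drop RestartSec=1. If the daemon is meant to come back after a crash, say so in the commit message too, since "add more security features" does not cover a restart change.
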
diff --git a/packaging/systemd/rsync.socket b/packaging/systemd/rsync.socket
new file mode 100644
index 00000000..5bceefe9
--- /dev/null
+++ b/packaging/systemd/rsync.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=socket for fast remote file copy program daemon
+Conflicts=rsync.service
+
+[Socket]
+ListenStream=873
+Accept=true
+
+[Install]
+WantedBy=sockets.target
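
Review bot: Accept=true in [Socket] starts one service instance per incoming connection, and the unit sets neither MaxConnections= nor MaxConnectionsPerSource=, so only systemd's default cap of 64 concurrent connections applies and a single client can use all of them. For a daemon the accompanying comments describe as used for public file distribution, set both explicitly, or add a comment saying that the limit is left to the rsyncd.conf side. A Documentation= or short comment noting that this socket and rsync.service are alternatives would also explain the Conflicts=rsync.service line to whoever enables the units.
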
diff --git a/packaging/systemd/rsync at .service b/packaging/systemd/rsync at .service
new file mode 100644
index 00000000..e1f48da8
--- /dev/null
+++ b/packaging/systemd/rsync at .service
@@ -0,0 +1,28 @@
+[Unit]
+Description=fast remote file copy program daemon
+After=network.target
+
+[Service]
+ExecStart=-/usr/bin/rsync --daemon
+StandardInput=socket
+StandardOutput=inherit
+StandardError=journal
+
+# Citing README.md:
+#
+#   [...] Using ssh is recommended for its security features.
+#
+#   Alternatively, rsync can run in `daemon' mode, listening on a socket.
+#   This is generally used for public file distribution, [...]
+#
+# So let's assume some extra security is more than welcome here. We do full
+# system protection (which makes it read-only) and hide users' homes and
+# devices. To override these defaults, it's best to do so in the drop-in
+# directory, often done via `systemctl edit rsync at .service`. The file needs
+# just the bare minimum of the right [heading] and override values.
+# See systemd.unit(5) and search for "drop-in" for full details.
+
+ProtectSystem=full
+ProtectHome=on
+PrivateDevices=on
+NoNewPrivileges=on
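
Review bot: The comment above ProtectSystem=full says the full system protection "makes it read-only", which overstates what the setting does: ProtectSystem=full makes /usr, the boot loader directories and /etc read-only, while other paths such as /var stay writable (ProtectSystem=strict is the whole-hierarchy variant). Reword the comment to name what is protected, and mention that ProtectHome=on makes /home, /root and /run/user inaccessible, so a module exported from one of those paths needs a drop-in override; the same wording is duplicated in rsync.service and should be fixed there as well. Separately, this unit omits the ConditionPathExists=/etc/rsyncd.conf check that rsync.service has, and with the "-" prefix on ExecStart= a failing start is not recorded as a unit failure, so a missing config is only visible in the journal.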


-- 
The rsync repository.


