Write-only option

Dave Dykstra dwd at bell-labs.com
Tue Feb 26 05:10:30 EST 2002


It seems to me that there must be a more fundamental problem with the
security model of that backup system if users had the ability to read each
other's files.  Even with a "write only" option, they can overwrite each
other's files, right?  What if somebody overwrites a crucial file in
somebody else's area, and that file gets restored from backup?  I think a
better solution would be to ensure that only the root user has any access
to the backup area, probably by using a "secrets file" and a --password-file
that's readable only by root, or better yet use ssh and a public/private key
pair.

- Dave Dykstra


On Sat, Feb 23, 2002 at 02:14:57PM +0100, Jurij Smakov wrote:
> Hi!
> 
> I am doing backups from a number of machines to an rsync server. For some
> time I was trying to come up with a solution that would prevent users
> from peeking at each other's files, which are backed up. Finally, I've
> hacked rsync, introducing a new option "write only" for rsyncd.conf. When
> set to true, this option forbids transfers from the server to the client,
> thus solving my problems. Below is a patch against rsync-2.5.2 which
> implements those changes. Hopefully, somebody else will find it useful. I
> apologize if that's the wrong list to post such stuff.
> 
> --Cut here----------------------------------------------------------------
> diff -urN rsync-2.5.2.orig/loadparm.c rsync-2.5.2/loadparm.c
> --- rsync-2.5.2.orig/loadparm.c	Sun Dec  2 09:16:15 2001
> +++ rsync-2.5.2/loadparm.c	Sat Feb 23 13:48:12 2002
> @@ -117,6 +117,7 @@
>  	char *comment;
>  	char *lock_file;
>  	BOOL read_only;
> +	BOOL write_only;
>  	BOOL list;
>  	BOOL use_chroot;
>  	BOOL transfer_logging;
> @@ -149,6 +150,7 @@
>  	NULL,    /* comment */
>  	DEFAULT_LOCK_FILE,    /* lock file */
>  	True,    /* read only */
> +	False,   /* write only */
>  	True,    /* list */
>  	True,    /* use chroot */
>  	False,   /* transfer logging */
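Review bot: the defaults leave `read only` at True next to the new `write only` at False, so a module that sets only `write only = true` ends up with both flags on, and nothing in the patch diagnoses that combination. Either warn or reject it when the module is loaded, or state that `read only = false` has to be set alongside the new option.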
> @@ -265,6 +267,7 @@
>    {"lock file",        P_STRING,  P_LOCAL,  &sDefault.lock_file,   NULL,   0},
>    {"path",             P_STRING,  P_LOCAL,  &sDefault.path,        NULL,   0},
>    {"read only",        P_BOOL,    P_LOCAL,  &sDefault.read_only,   NULL,   0},
> +  {"write only",       P_BOOL,    P_LOCAL,  &sDefault.write_only,  NULL,   0},
>    {"list",             P_BOOL,    P_LOCAL,  &sDefault.list,        NULL,   0},
>    {"use chroot",       P_BOOL,    P_LOCAL,  &sDefault.use_chroot,  NULL,   0},
>    {"ignore nonreadable",P_BOOL,   P_LOCAL,  &sDefault.ignore_nonreadable,  NULL,   0},
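Review bot: the new `write only` row in the parameter table comes with no documentation; the patch touches only loadparm.c, main.c and proto.h. Add an entry to the rsyncd.conf manual page that says the option refuses transfers from server to client, gives its default of false, and explains how it combines with `read only`.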
> @@ -342,6 +345,7 @@
>  FN_LOCAL_STRING(lp_path, path)
>  FN_LOCAL_STRING(lp_lock_file, lock_file)
>  FN_LOCAL_BOOL(lp_read_only, read_only)
> +FN_LOCAL_BOOL(lp_write_only, write_only)
>  FN_LOCAL_BOOL(lp_list, list)
>  FN_LOCAL_BOOL(lp_use_chroot, use_chroot)
>  FN_LOCAL_BOOL(lp_transfer_logging, transfer_logging)
> diff -urN rsync-2.5.2.orig/main.c rsync-2.5.2/main.c
> --- rsync-2.5.2.orig/main.c	Fri Jan 25 11:07:41 2002
> +++ rsync-2.5.2/main.c	Sat Feb 23 13:49:38 2002
> @@ -306,10 +306,19 @@
>  	extern int relative_paths;
>  	extern int recurse;
>  	extern int remote_version;
> +	extern int am_daemon;
> +	extern int module_id;
> +	extern int am_sender;
> 
>  	if (verbose > 2)
>  		rprintf(FINFO,"server_sender starting pid=%d\n",(int)getpid());
> 
> +	if (am_daemon && lp_write_only(module_id) && am_sender) {
> +		rprintf(FERROR,"ERROR: module is write only\n");
> +		exit_cleanup(RERR_SYNTAX);
> +		return;
> +	}
> +
>  	if (!relative_paths && !push_dir(dir, 0)) {
>  		rprintf(FERROR,"push_dir %s: %s (3)\n",dir,strerror(errno));
>  		exit_cleanup(RERR_FILESELECT);
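Review bot: the new guard exits with RERR_SYNTAX, which reports a policy refusal to the client as a syntax or usage error; an exit code that signals refused access would be easier to act on, and the error text could name the module. The `am_sender` test sits after the "server_sender starting" log line, so it looks always true at this point and could be dropped, and the `return;` after `exit_cleanup()` is only needed if that call can return.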
> diff -urN rsync-2.5.2.orig/proto.h rsync-2.5.2/proto.h
> --- rsync-2.5.2.orig/proto.h	Sat Jan 26 00:07:33 2002
> +++ rsync-2.5.2/proto.h	Sat Feb 23 13:48:12 2002
> @@ -125,6 +125,7 @@
>  char *lp_path(int );
>  char *lp_lock_file(int );
>  BOOL lp_read_only(int );
> +BOOL lp_write_only(int );
>  BOOL lp_list(int );
>  BOOL lp_use_chroot(int );
>  BOOL lp_transfer_logging(int );
> --Cut here----------------------------------------------------------------
> 
> Best regards,
> 
> Jurij.
> 
> 
> 
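An added example (not part of this thread or of rsync): a shell audit for the setup suggested in the reply at the top, which lists rsyncd.conf modules that lack `auth users` or a `secrets file` and checks that a secrets or password file is private to its owner. The sample config, module names, paths and function names are constructed for illustration.

```shell
# Constructed sample rsyncd.conf (module names and paths are made up).
sample_conf() {
cat <<'EOF'
secrets file = /etc/rsyncd.secrets
strict modes = yes
[alice-backup]
    path = /backup/alice
    auth users = alice
    read only = no
[scratch]
    path = /backup/scratch
    read only = no
EOF
}

# List modules from the config on stdin that lack "auth users" or
# "secrets file" (own setting or one inherited from the global section).
# Simplified parser: one "key = value" per line, no continuation lines.
audit_modules() {
    awk '
    function report() { if (mod != "" && !(auth && sec)) print mod }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        report()
        mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\].*/, "", mod)
        auth = gauth; sec = gsec; next
    }
    {
        key = tolower($0); sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        gsub(/[ \t]+/, " ", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); has = (val != "")
        if (key == "auth users")   { if (mod == "") gauth = has; else auth = has }
        if (key == "secrets file") { if (mod == "") gsec = has;  else sec = has }
    }
    END { report() }'
}

# Succeed only if the file has no group/other permission bits and is owned
# by the given numeric uid (default 0, root).
secret_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -lnd -- "$1" | awk '{ print substr($1, 5, 6) }')
    owner=$(ls -lnd -- "$1" | awk '{ print $3 }')
    [ "$perms" = "------" ] && [ "$owner" = "${2:-0}" ]
}

sample_conf | audit_modules   # prints: scratch
```

On a real server, feed the daemon's own config to `audit_modules` on stdin and call `secret_is_private` on the secrets file and on each client's `--password-file`.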