restricting rsync over ssh

Bennett Todd bet at
Thu May 23 06:02:21 EST 2002

On Wed, May 22, 2002 at 10:01:27PM -0400, Brian D. Hamm wrote:
> The --server --sender options left me a little confused. I understand
> what they stand for but these options are not in the help and they don't
> appear to be variables.

Yes indeed, as I tried to indicate, rsync has a private protocol, based on the
use of undocumented cmdline options, for talking to itself in various

I believe it's pretty near obligatory to presume that such a private protocol
is kept undocumented so as to reserve the right to the rsync developers to
change it without notice in future versions; that's why I cautioned that doing
this sort of restriction puts you in the position of perhaps having to revisit
it when another release comes around, and having to do some guesswork if you
want a wrapper to parse the cmdline to provide restricted flexibility in
permitted invocations.

What say, rsync developers, any chance that the details of this cmdline
invocation --- the one rsync runs over rsh or ssh or whatever to establish
it's connection --- could be formally documented? Combined with such tricks as
the authorized_keys command="..." plus SSH_ORIGINAL_COMMAND this would provide
us a documented way to provide fine-grained restrictions over what is allowed.
I really like doing this; e.g. I've set up backup facilities where the server
that's being backed up can _only_ update its own mirror area, and the history
of previous contents (as well as everything else on the system) are
inaccessible to it.


More information about the rsync mailing list