configuration question.

tim.conway at philips.com
Tue Oct 29 22:54:01 EST 2002


The only way you could give someone shell access and keep them from using 
rsync would be to find a way to prevent their access to any rsync binary 
through that shell.  Frankly, if they're already in, and can read these 
files as themselves, you gain nothing from preventing their use of a 
single application, as they can 'rsh host cat /etc/passwd', 'rsh host "cd 
/;tar -cf - ." |dd of=everythingonremotehost.tar', 
rlogin to the host and just poke around, whatever.  If this is a problem, 
then SHUT OFF RSH ACCESS.... oh, and if your network is not secure, that 
is, in fact, a problem.
If you don't want people looking at stuff, don't let them have shell 
access. If they can't get access to anything on the system except through 
your rsync daemon (I'm assuming the rsyncd.conf you referenced before is 
in /etc, and you started rsync either by typing 'rsync --daemon' or by 
appropriate setup of inetd), you can use the rsyncd.conf to define exactly 
what they can and cannot access.  If they can rsh, or even telnet, to the 
system, they can already read whatever they want.

Tim Conway 
conway.tim at sphlihp.com reorder name and reverse domain 
303.682.4917 office, 303.921.0301 cell 
Philips Semiconductor - Longmont TC 
1880 Industrial Circle, Suite D 
Longmont, CO 80501 
Available via SameTime Connect within Philips, caesupport2 on AIM 
"There are some who call me.... Tim?" 




"Armin Safarians" <armin.safarians at safeway.com>
10/29/2002 03:23 PM

 
        To:     Tim Conway/LMT/SC/PHILIPS at AMEC
        cc: 
        Subject:        Re: configuration question.
        Classification: 



Thank you for the information. That is exactly what I was looking for.
So what I'm to understand is you can get someone shell access but not 
rsync ability?

AMS :-)

tim.conway at philips.com wrote:

>Your users have rsh access to the machine, and are getting wherever they 
>want, using the server:/path syntax.
>If they were using the server::module syntax, they would be restricted to 
>only what's provided by the modules.  If you don't want them getting 
>everything all over the system, you will need to prevent shell access.
>
>Tim Conway 
>conway.tim at sphlihp.com reorder name and reverse domain 
>303.682.4917 office, 303.921.0301 cell 
>Philips Semiconductor - Longmont TC 
>1880 Industrial Circle, Suite D 
>Longmont, CO 80501 
>Available via SameTime Connect within Philips, caesupport2 on AIM 
>"There are some who call me.... Tim?" 
>
>
>
>
>"Armin Safarians" <armin.safarians at safeway.com>
>Sent by: rsync-admin at lists.samba.org
>10/29/2002 01:11 PM
>
> 
>        To:     rsync at samba.org
>        cc:     (bcc: Tim Conway/LMT/SC/PHILIPS)
>        Subject:        configuration question.
>        Classification: 
>
>
>
>How do you restrict rsync transfers to only modules in the configuration 
>file? 
>It seems like even though I have a module configured, users can transfer 
>files 
>that they had permission to which is not under the directory of the 
>module. 
>
>I.E.
>modulename
>    path=/web
>    ...
>    ...
>    ...
>
>Users can get /etc/passwd from this machine. How do I restrict that.
>
>
>Thanks, 
>AMS 
>
>
> 
>

-- 

Armin M. Safarians               Safeway Inc. 
VOICE: 925.944.4246 
EMAIL:armin.safarians at Safeway.com

********************************************************
We all stand poised on the brink of greatness
********************************************************
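The distinction discussed in this thread, as an added example that is not part of the original messages: a small Python audit helper that classifies an rsync argument as daemon (`server::module`, `rsync://`) or remote-shell (`server:/path`) access and, for daemon access, resolves it against the module root. The sample rsyncd.conf is constructed, and the function names are hypothetical.

```python
import configparser
import posixpath
import re

# Constructed rsyncd.conf; the module path mirrors the thread's path=/web example.
SAMPLE_RSYNCD_CONF = """\
use chroot = yes
read only = yes

[web]
path = /web
comment = web content only
"""

def load_modules(conf_text):
    """Map module name -> module root path."""
    cp = configparser.ConfigParser(interpolation=None)
    # Parameters before the first [module] are global; give them a section.
    cp.read_string("[__global__]\n" + conf_text)
    return {s: cp[s]["path"] for s in cp.sections()
            if s != "__global__" and "path" in cp[s]}

def classify(spec, modules):
    """Return (transport, server-side path or None) for one rsync argument."""
    m = re.match(r"rsync://(?:[^@/]+@)?[^/:]+(?::\d+)?/([^/]*)/?(.*)$", spec)
    if not m:
        m = re.match(r"(?:[^@/:]+@)?[^/:]+::([^/]*)/?(.*)$", spec)
    if m:
        module, rel = m.groups()
        if module not in modules:
            return ("daemon", None)  # no such module in rsyncd.conf
        root = modules[module]
        full = posixpath.normpath(posixpath.join(root, rel))
        inside = full == root or full.startswith(root.rstrip("/") + "/")
        # Modelled here: nothing outside the module root is reachable.
        return ("daemon", full if inside else None)
    m = re.match(r"(?:[^@/:]+@)?[^/:]+:(.*)$", spec)
    if m:
        # Single colon: rsync runs over rsh/ssh as the user and rsyncd.conf
        # is never consulted, so ordinary file permissions are the only limit.
        return ("remote-shell", m.group(1) or ".")
    return ("local", spec)

if __name__ == "__main__":
    mods = load_modules(SAMPLE_RSYNCD_CONF)
    for arg in ("server::web/index.html", "server:/etc/passwd"):
        print(arg, "->", classify(arg, mods))
```
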