restricting rsync over ssh on the server side.

Rob Browning rlb at
Sun Jan 5 17:31:01 EST 2003

I was wondering if it's possible to restrict rsync in various ways on
the server side when it is invoked via ssh.  Two restrictions I had in
mind are disallowing deletes and/or restricting all actions to a
particular subdirectory.  I was hoping to be able to do this without
having to be root (for a chroot) or having to set up special sshd
server instances/chroots.

If there's not already a way to do this, one possibility I had thought
of is a ssh key command= wrapper, so that you could generate an ssh
key like this:

  command="rsync-ssh-wrapper --root=/home/foo/bar --disable-delete",...

and then when invoked rsync-ssh-wrapper would then look at
SSH_ORIGINAL_COMMAND to see the actual incoming request (presuming
there were any relevant options there; are rsync --server invocations
documented anywhere?), and combine that with the wrapper options to
decide how to invoke rsync --server.  Of course this approach presumes
that rsync --server would support suitable arguments.

Is there interest in such a facility?  It seems like something similar
might be useful for sftp and scp as well, but I haven't managed to
think of a way to implement a common solution.  Also, I could imagine
that this solution for rsync might be somewhat difficult to implement
(perhaps complicated by symlinks, etc.), but it's the best thing I've
thought of so far.


Rob Browning
rlb,, and
GPG starting 2002-11-03 = 14DD 432F AE39 534D B592  F9A0 25C8 D377 8C7E 73A4

More information about the rsync mailing list