restricting rsync over ssh on the server side.
Bennett Todd
bet at rahul.net
Tue Jan 7 19:37:00 EST 2003
This has been discussed before.

The only way to restrict what rsync-over-ssh can do is to lodge the
restriction in the authorized_keys command= field, restricting what
command a given key can run.

For a single rsync invocation it's easy to figure out: just set up

    command=/path/to/wrapper

where wrapper looks something like

    #!/bin/sh
    # Log the command the client asked sshd to run, then run it unchanged.
    echo "$SSH_ORIGINAL_COMMAND" >>/tmp/foo
    exec $SSH_ORIGINAL_COMMAND

Then run the rsync invocation, see what shows up in /tmp/foo, and
place that exact commandline into the command=, replacing the
wrapper invocation.

If you want to permit a certain range of rsync commands, try out a
representative sample of them with the wrapper, see what shows up in
/tmp/foo, then try and craft a custom wrapper that will allow only
that range of rsync commands.

You're absolutely right, it would be nice if there were
documentation for a sufficient fraction of the rsync --server
commandline to allow crafting such a wrapper from docs rather than
from trial-and-error, but when we last asked for this on this list,
the developers refused, stating that that command is undocumented
because they reserve the right to change it incompatibly in a future
rsync release.

-Bennett
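
One possible shape for the "custom wrapper" described in the message above, as an added example that is not part of the original post or of rsync itself. It assumes a pull-only policy, a hypothetical ALLOWED_ROOT of /srv/backup, and that the client's rsync sends "rsync --server --sender -FLAGS . PATH"; that shape is undocumented, so confirm it with the logging wrapper first.

```shell
#!/bin/sh
# Added example: forced-command wrapper for authorized_keys command=.
# Assumptions: pull-only policy, ALLOWED_ROOT, and the accepted shape
#   rsync --server --sender -FLAGS . PATH
# Confirm the shape against what your own rsync version logs.
LC_ALL=C; export LC_ALL
ALLOWED_ROOT=${ALLOWED_ROOT:-/srv/backup}   # hypothetical export root

# rsync_cmd_allowed CMD: status 0 if CMD fits the policy, 1 otherwise.
rsync_cmd_allowed() {
    cmd=$1
    # Allowlist characters: rejects shell metacharacters, quotes, globs, newlines.
    case $cmd in
        ''|*[!A-Za-z0-9" "./_-]*) return 1 ;;
    esac
    set -f; set -- $cmd; set +f       # split on whitespace, no globbing
    [ $# -eq 6 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    case $4 in                        # one bundle of short flags only
        --*|-|-*[!A-Za-z.]*) return 1 ;;
        -*) ;;
        *) return 1 ;;
    esac
    [ "$5" = . ] || return 1
    case $6 in                        # no parent-directory components
        ..|../*|*/..|*/../*) return 1 ;;
    esac
    case $6 in                        # must be the root or below it
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
    esac
    return 1
}

# Act only when sshd started us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if rsync_cmd_allowed "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND    # safe to split: characters vetted above
    fi
    logger -p auth.warning -t rsync-wrapper "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

The path check is purely textual, so symlinks below the root are not resolved. Pairing the key with authorized_keys options such as no-pty and no-port-forwarding limits what the key can do beyond the forced command.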