restricting rsync over ssh on the server side.

Bennett Todd bet at
Tue Jan 7 19:37:00 EST 2003

This has been discussed before.

The only way to restrict what rsync-over-ssh can do is to lodge the
restriction in the authorized_keys command= field, restricting what
command a given key can run.

For a single rsync invocation it's easy to figure out: just set up


where wrapper looks something like

	echo "$SSH_ORIGINAL_COMMAND" >>/tmp/foo

Then run the rsync invocation, see what shows up in /tmp/foo, and
place that exact commandline into the command=, replacing the
wrapper invocation.

If you want to permit a certain range of rsync commands, try out a
representative sample of them with the wrapper, see what shows up in
/tmp/foo, then try and craft a custom wrapper that will allow only
that range of rsync commands.

You're absolutely right, it would be nice if there were
documentation for a sufficient fraction of the rsync --server
commandline to allow crafting such a wrapper from docs rather than
from trial-and-error, but when we last asked for this on this list,
the developers refused, stating that that command is undocumented
because they reserve the right to change it incompatibly in a future
rsync release.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the rsync mailing list