Root privilege solution

Tinsley, Scott S. (ManTech) CTR scott.tinsley at deca.mil
Mon Jun 27 17:51:28 GMT 2005


I want to set up RSYNC so it has root privilege on the remote server. I do not want to run rsync through inetd.
I want to be able to limit who can use rsync when the remote end has root privilege. I prefer not to use rsync's
internal user/secrets file. I do want to use SSH as the transport shell. With that in mind, here is what I tried.
I wrapped the rsync single use daemon execution on the remote end with a script that executes rsync as
root by using the SUDO command. I can then easily control access to root privileged rsync execution through
the sudoers file, an acceptable security configuration at our site. However, rsync seems to be having a problem.
I get this message on the local side.

	@ERROR: invalid uid nobody

I would like to figure out why this fails or if there is a better way to accomplish the same thing.

Here is my wrapper script on the remote side.

	tbcsap01 154 $ cat /var/tmp/rsync.sh
	#!/bin/ksh
	#
	echo "Args $*." > /var/tmp/rsync.op
	pwd             >>  /var/tmp/rsync.op
	env             >>  /var/tmp/rsync.op
	id                      >>  /var/tmp/rsync.op
	/usr/bin/sudo /usr/bin/env >> /var/tmp/rsync.op
	/usr/bin/sudo /usr/bin/id >> /var/tmp/rsync.op
	# "$@" (quoted) passes the client's arguments through unchanged; unquoted $* would re-split them
	/usr/bin/sudo /usr/local/bin/rsync --verbose --config=/etc/rsyncd.conf "$@"

and the config file 

	log file = /var/tmp/rsyncd.log
	pid file = /var/tmp/rsyncd.pid
	lock file = /var/tmp/rsync.lock

	[cluster_files]
	    path = /home/bb/cluster_rsync_test
	    comment = My Very Own Rsync Server
	    read only = false
	    write only = false
	    hosts allow = opsdev.deca.mil
	    max verbosity = 3

Here is the command run on the local side.

	opsdev 290 $ rsync --verbose --progress --stats --rsync-path=/var/tmp/rsync.sh -e ssh tinsless at tbcsap01::cluster_files
	@ERROR: invalid uid nobody
	rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
	rsync error: error in rsync protocol data stream (code 12) at io.c(420)

Here is the o/p from the wrapper script.

	Args --server --daemon ..
	/nfs/home/tinsless
	_=/usr/bin/env
	PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
	LOGNAME=tinsless
	MAIL=/var/mail/tinsless
	USER=tinsless
	SHELL=/usr/bin/ksh
	HOME=/nfs/home/tinsless
	SSH_CLIENT=172.16.208.14 65476 22
	SSH_CONNECTION=172.16.208.14 65476 172.16.208.41 22
	PWD=/nfs/home/tinsless
	TZ=EST5EDT
	uid=320(tinsless) gid=200(sa) groups=4(adm)
	_=/usr/bin/sudo
	PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
	LOGNAME=root
	MAIL=/var/mail/tinsless
	USER=root
	SHELL=/usr/bin/ksh
	HOME=/nfs/home/tinsless
	SSH_CLIENT=172.16.208.14 65476 22
	SSH_CONNECTION=172.16.208.14 65476 172.16.208.41 22
	PWD=/nfs/home/tinsless
	TZ=EST5EDT
	TERM=unknown
	SUDO_COMMAND=/usr/bin/env
	SUDO_USER=tinsless
	SUDO_UID=320
	SUDO_GID=200
	uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)
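An added example (editor's code, not the poster's script) of a tighter wrapper for the setup described above. Since `--rsync-path` lets the client name the remote command, the wrapper only accepts the exact argument vector the rsync client sends for `host::module` over ssh, `--server --daemon .` (visible in the log above), before invoking sudo, and it prints the fixed command line that the matching sudoers entry should list verbatim instead of a wildcard. The binary and config paths are taken from the original wrapper; the `SUDO` override and the `rsync.sh` name check are assumptions so the functions can be exercised without root. Separately, note that rsync's daemon mode switches to the module's `uid` setting (default `nobody`) once it is running as root, so a root-privileged module also needs an explicit `uid` in `rsyncd.conf`.

```shell
#!/bin/sh
# Hardened stand-in for /var/tmp/rsync.sh (added example, not the poster's script).
# The client command "rsync ... -e ssh host::module" runs the remote side with
# exactly "--server --daemon ." (see the wrapper log), so anything else is refused
# before sudo is ever reached.

RSYNC_BIN=/usr/local/bin/rsync      # path from the original wrapper
RSYNC_CONF=/etc/rsyncd.conf         # path from the original wrapper
SUDO=${SUDO:-/usr/bin/sudo}         # assumed override hook so tests need no sudo

# check_args: succeed (0) only for the exact vector the rsync client sends.
check_args() {
    [ "$#" -eq 3 ] || return 1
    [ "$1" = "--server" ] || return 1
    [ "$2" = "--daemon" ] || return 1
    [ "$3" = "." ] || return 1
    return 0
}

# build_cmdline: print the full command line the wrapper will run, which is the
# line to list in sudoers without a wildcard, e.g. (constructed):
#   tinsless ALL=(root) NOPASSWD: /usr/local/bin/rsync --verbose \
#       --config=/etc/rsyncd.conf --server --daemon .
build_cmdline() {
    printf '%s --verbose --config=%s %s\n' "$RSYNC_BIN" "$RSYNC_CONF" "$*"
}

run_wrapper() {
    if ! check_args "$@"; then
        printf 'rsync.sh: refused arguments: %s\n' "$*" >&2
        exit 1
    fi
    # "$@" (not $*) keeps each argument intact; exec replaces the shell so
    # rsync talks to the ssh session's stdin/stdout directly.
    exec "$SUDO" "$RSYNC_BIN" --verbose --config="$RSYNC_CONF" "$@"
}

# Dispatch only when installed under the wrapper's name (assumed: rsync.sh);
# running the file under any other name just defines the functions.
case "${0##*/}" in
    rsync.sh) run_wrapper "$@" ;;
esac
```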

