remote logging non-daemon mode
dlochart at gmail.com
Thu Dec 6 04:21:27 GMT 2007
On Dec 5, 2007 9:59 PM, Matt McCutchen <matt at mattmccutchen.net> wrote:
> On Tue, 2007-12-04 at 15:59 -0500, Doug Lochart wrote:
> > Greetings all. Due to security concerns we are switching our backup
> > processes from "SSH tunnel to rsync daemon" to "Running rsync over ssh
> > in --server mode". In daemon mode we had a nice conglomerate log file
> > of all of the backups that ran.
> > Second Question: So now after talking it out is there a way to get a
> > unified server side log for all rsync commands executed without having
> > a daemon running?
> What exactly were the security concerns? You might be better served by
> running a daemon configured in a way that meets your security needs.
This is something we discovered by accident. We used ssh to create a tunnel
using a user's ssh key. With this tunnel we were able to access any module
defined in the system.
Each module needs to be protected from the others so if a user logs in with
their credentials they should not have access to any other module. It
would take a user knowing the name of another client to effect the security
breach. I admit I am no whiz at securing the rsync server. Once we had it
set up to run in daemon mode we assumed the ssh tunnels would provide all
that we need. We overlooked this one issue however.
On the protocol version error I have discovered the problem: I am using a
validation script as part of the ssh key to make sure that only rsync is
executed within that shell. The string I was initially testing for was
"rsync --server" and when I added the --log-file to my rsyncpath it changed
the remote command so that it no longer validated. Evidently it took my
response of "Rejected" and tried to convert that to an int for the protocol.
Now I am having another issue and that is passing a log format in the
rsync-path. I can see it is coming over but for some reason a default
--log-format=%o is appended after --server is added by rsync. This
effectively overrides the log-format I supplied. How do I stop this default
log-format from being appended after --server?
What profits a man if he gains the whole world yet loses his soul?
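A server-side forced-command wrapper of the kind Doug's validation script describes, written here as an added example (it is not code from the thread or from the rsync project). It accepts only a command that begins with `rsync --server`, pins each key to one directory named in authorized_keys (taking the role the daemon's modules played, so one client cannot reach another's tree), writes every accepted and rejected request plus rsync's own `--log-file` output to a single server-side log without a daemon, and sends the rejection text to stderr so the client rsync never reads it as protocol data. The wrapper name `rsync-only`, the paths, the log location and the `RSYNC_SSH_LOG` variable are assumptions.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for ~/.ssh/authorized_keys.
# Added example, not code from the thread. Assumed install line (one key per
# client, each pinned to its own directory, which takes the place of a
# daemon module):
#   command="/usr/local/bin/rsync-only /backups/clientA",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... clientA
# sshd places the command the client asked for in SSH_ORIGINAL_COMMAND.

RSYNC_BIN=/usr/bin/rsync                                 # assumption
LOG_FILE=${RSYNC_SSH_LOG:-/var/log/rsync-ssh.log}        # assumption: writable by the backup user

# validate_rsync_command CMD ALLOWED_DIR
# Returns 0 when CMD is a plain "rsync --server ..." whose server-side path
# (the last word) is ALLOWED_DIR or lies beneath it; 1 otherwise.
validate_rsync_command() {
    cmd=$1
    allowed=$2

    # Must start exactly with "rsync --server". A client that rewrites the
    # remote command with --rsync-path (for instance to add --log-file) is
    # refused here, which is the failure described in the thread; the
    # wrapper adds the log file itself instead.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # No shell metacharacters: the wrapper execs rsync directly, never a
    # shell, but a stray ";" or "|" has no business in an rsync option list.
    meta=';&|`$()<>'
    case "$cmd" in
        *[$meta]*) return 1 ;;
    esac

    # The last word is the server-side path (destination for a push, source
    # for a --sender pull). Reject ".." so one client cannot climb out of its
    # own directory into another client's.
    set -f; set -- $cmd; set +f
    for target; do :; done
    case "$target" in
        *..*) return 1 ;;
        "$allowed" | "$allowed"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# log_request STATUS CMD: appends one line (UTC time, client IP, status,
# requested command) to the unified log.
log_request() {
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${SSH_CONNECTION%% *}" "$1" "$2" >>"$LOG_FILE"
}

main() {
    allowed=${1:?allowed directory argument missing}
    req=${SSH_ORIGINAL_COMMAND:-}
    if validate_rsync_command "$req" "$allowed"; then
        log_request ACCEPT "$req"
        set -f; set -- $req; set +f
        shift                         # drop the leading "rsync" word
        # rsync's own transfer log for every client goes to the same file
        exec "$RSYNC_BIN" --log-file="$LOG_FILE" "$@"
    fi
    log_request REJECT "$req"
    # Explain on stderr, not stdout: the client rsync reads stdout as the
    # protocol stream, which is how a plain "Rejected" turned into a
    # protocol version error.
    echo "Rejected: only rsync --server into $allowed is permitted" >&2
    exit 1
}

# Run only when installed under the wrapper's name, so the file can also be
# sourced to exercise validate_rsync_command on its own.
case ${0##*/} in
    rsync-only) main "$@" ;;
esac
```

Because the client no longer controls the remote command line, `--rsync-path` on the client side is left at its default and the log file is chosen once on the server; each authorized_keys entry carries its own directory argument, so the check that used to depend on a module name is now enforced by the path test in `validate_rsync_command`.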