remote logging non-daemon mode

Matt McCutchen matt at mattmccutchen.net
Tue Dec 11 03:58:57 GMT 2007


Doug, you might have figured some of this out already but I want to make
sure you are fully informed:

On Fri, 2007-12-07 at 14:29 -0500, Doug Lochart wrote:
> I am going to take this approach and mix it with something else I
> thought of but I still have a few questions.  I am playing with an
> rsync_wrapper script that makes sure that only rsync commands are
> executed within the SSH shell.  I adapted the one on the rsync site.
> You mention  "each user's forced command".  When you say this are you
> referring to the client side rsync command OR forcing the issue within
> an rsync_wrapper script? 

I was referring to the command=... value in the ssh authorized keys file
or, equivalently, the command forced in the rsync_wrapper script.

> What I really would like to do is remove some of the stuff on the
> client side and simply embellish the server side rsync command within
> the rsync_wrapper.  I would also like to point the server to the
> rsync module for that client.

Right...

> So basically if this came across in SSH_ORIGINAL_COMMAND for user
> foo
> 
>   rsync --log-file=/tmp/rlog --server -vlogDtpr --log-format=%o . /data/foo
> 
> I would manipulate the command to do this:
> 
>   rsync --log-file=/tmp/rlog --daemon --server -vlogDtpr --config=/home/foo/rsyncd.conf --log-format=%o . /data/foo
> 
> Can this be done OR do you recommend passing the --daemon in the
> --rsync-path option from the client? 

In daemon mode, the options are sent in the data stream instead of on
the command line.  The SSH_ORIGINAL_COMMAND will be simply:

rsync <RSYNC-PATH-STUFF-IF-ANY> --daemon --server .

All your wrapper script has to do is run:

rsync --daemon --server --config=/home/foo/rsyncd.conf .

No --rsync-path option on the client is needed, and the wrapper script
should run the command above as-is regardless of any extra options a
malicious client might put in the SSH_ORIGINAL_COMMAND via --rsync-path.
As you can see, this is much cleaner than a plain-server setup.

Matt
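The wrapper Matt describes, as an added example that is not from the thread or from the rsync project: it ignores everything in the client's SSH_ORIGINAL_COMMAND except the fact that it is a daemon-mode request, then execs the fixed command with the user's own config. The per-user path /home/<user>/rsyncd.conf follows the thread; the script name, the authorized_keys line and the sample config contents are assumptions, and refusing a non-daemon request is an addition beyond the reply.

```shell
#!/bin/sh
# Forced-command wrapper for rsync daemon mode over SSH (added example).
# Assumed install, one line per key in ~/.ssh/authorized_keys:
#   command="/usr/local/bin/rsync_wrapper foo",no-port-forwarding,no-pty ssh-rsa AAAA...
# Assumed minimal /home/foo/rsyncd.conf; "log file" replaces the
# client's --log-file, since daemon options never come from the client:
#   log file = /home/foo/rsyncd.log
#   [foo]
#       path = /data/foo
#       use chroot = false

# Decide whether the client's SSH_ORIGINAL_COMMAND is a daemon-mode
# request and print the config path for that user.  Only the shape of
# the request is inspected; none of its options are passed through, so
# anything a client injects via --rsync-path is discarded.
rsync_wrapper_config() {
    user="$1"
    orig="$2"
    # user names come from authorized_keys, but keep the path well-formed
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    # daemon-mode clients send "rsync [extras] --daemon --server ."
    # (either option order is accepted)
    case "$orig" in
        rsync*--daemon*--server*|rsync*--server*--daemon*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "/home/$user/rsyncd.conf"
}

# Act as the forced command only when sshd supplied a client request;
# sourcing this file without arguments leaves the block untouched.
if [ $# -ge 1 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    conf=$(rsync_wrapper_config "$1" "$SSH_ORIGINAL_COMMAND") || {
        echo "rsync_wrapper: only 'rsync --daemon --server .' is accepted" >&2
        exit 1
    }
    # The fixed command from the reply; nothing from the client's
    # command line reaches rsync.
    exec rsync --daemon --server --config="$conf" .
fi
```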
