remote logging non-daemon mode
Matt McCutchen
matt at mattmccutchen.net
Tue Dec 11 03:58:57 GMT 2007
Doug, you might have figured some of this out already but I want to make
sure you are fully informed:
On Fri, 2007-12-07 at 14:29 -0500, Doug Lochart wrote:
> I am going to take this approach and mix it with something else I
> thought of but I still have a few questions. I am playing with am
> rsync_wrapper script that makes sure that only rsync commands are
> executed within the SSH shell. I adapted the one on the rsync site.
> You mention "each user's forced command". When you say this are you
> referring to the client side rsync command OR forcing the issue within
> an rsync_wrapper script?
I was referring to the command=... value in the ssh authorized keys file
or, equivalently, the command forced in the rsync_wrapper script.
> What I really would like to do is remove some of the stuff on the
> client side and simply embellish the server side rsync command within
> the rsync_wrapper. I would also like to point the server to the
> rsync module for that client.
Right...
> So basically if this came across in SSH_ORIGINAL_COMMAND for user
> foo
>
> rsync --log-file=/tmp/rlog --server -vlogDtpr --log-format=%o . /data/foo
>
> I would manipulate the command to do this:
>
> rsync --log-file=/tmp/rlog --daemon --server -vlogDtpr
> --config=/home/foo/rsyncd.conf --log-format=%o . /data/foo
>
> Can this be done OR do you recommend passing the --daemon in the
> --rsync-path option from the client?
In daemon mode, the options are sent in the data stream instead of on
the command line. The SSH_ORIGINAL_COMMAND will be simply:
rsync <RSYNC-PATH-STUFF-IF-ANY> --daemon --server .
All your wrapper script has to do is run:
rsync --daemon --server --config=/home/foo/rsyncd.conf .
No --rsync-path option on the client is needed, and the wrapper script
should run the command above as-is regardless of any extra options a
malicious client might put in the SSH_ORIGINAL_COMMAND via --rsync-path.
As you can see, this is much cleaner than a plain-server setup.
Matt
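The forced-command wrapper described above, written out as an added example (not code from the thread or from the rsync project): it only inspects SSH_ORIGINAL_COMMAND to confirm the client asked for daemon mode, then runs the fixed server-side command with its own --config. The path /home/foo/rsyncd.conf comes from the thread; the request check and the error message wording are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for rsync daemon mode over SSH (added example).
# Install via authorized_keys:  command="/path/to/rsync_wrapper" ssh-rsa AAAA...
set -f   # never glob-expand words taken from the client

RSYNCD_CONF=/home/foo/rsyncd.conf   # per-user config, from the thread
RSYNC_BIN=rsync

# Classify the client's request without executing any of it.
# Prints "daemon" for "rsync ... --daemon ... --server ... ." (any order,
# any extra options), "plain" for a plain --server request, "other" otherwise.
classify_request() {
    set -- $1                        # split into words (positional params are function-local)
    case "${1##*/}" in
        rsync) ;;                    # accept a bare name or a --rsync-path style full path
        *) echo other; return 0 ;;
    esac
    daemon=0 server=0
    for word; do
        case "$word" in
            --daemon) daemon=1 ;;
            --server) server=1 ;;
        esac
    done
    if [ $daemon -eq 1 ] && [ $server -eq 1 ]; then echo daemon
    elif [ $server -eq 1 ]; then echo plain
    else echo other
    fi
}

# The one command this wrapper ever runs. Nothing from the client is spliced
# in: module names, paths and options all come from the server-side rsyncd.conf.
fixed_command() {
    echo "$RSYNC_BIN --daemon --server --config=$RSYNCD_CONF ."
}

# sshd sets SSH_ORIGINAL_COMMAND only when a command="..." restriction applies,
# so nothing below runs when the script is merely sourced.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    case "$(classify_request "$SSH_ORIGINAL_COMMAND")" in
        daemon) exec $(fixed_command) ;;
        *)  echo "rsync_wrapper: only rsync daemon-mode connections are allowed" >&2
            exit 1 ;;
    esac
fi
```

A client connecting with `rsync -e ssh foo@host::module` produces the daemon-mode request; a plain `rsync foo@host:/data/foo` is refused with the message rather than silently mis-served.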