running rsync daemon as unprivileged
Keld Jørn Simonsen
keld at dkuug.dk
Sat Aug 30 17:51:10 GMT 2008
On Sat, Aug 30, 2008 at 12:58:10PM -0400, Matt McCutchen wrote:
> On Sat, 2008-08-30 at 18:23 +0200, Keld Jørn Simonsen wrote:
> > I run a mirror service where for gentoo I run rsync as a daemon.
> > Currently the daemon runs root to get the 873 port opened.
> > And when transfers then run, they run as nobody.
> > I would like the rsync daemon to connect to 873 (as root)
> > then possibly do a chroot and then run always as something else
> > than root (maybe nobody).
> > It this advisable? Is it possible?
> The only time that the rsync daemon supports chrooting and changing
> uid/gid is each time it accepts a client connection. If you want the
> daemon to listen on port 873 without the master daemon process running
> as root, you could have the daemon listen on an unprivileged port and
> run a port forwarding program (such as ssh) as root to forward
> connections from port 873 to the daemon's port. If you want the master
> process to be chrooted, you'll have to chroot before starting it.
Yes, this is also what I understand is possible now.
Could a feature be added to rsync in daemon mode, where it shifts to a
specific userid, after connecting to port 873 and possibly doing a
More information about the rsync