running rsync daemon as unprivileged

Keld Jørn Simonsen keld at dkuug.dk
Tue Dec 23 19:40:40 GMT 2008


On Sat, Aug 30, 2008 at 07:51:10PM +0200, Keld Jørn Simonsen wrote:
> On Sat, Aug 30, 2008 at 12:58:10PM -0400, Matt McCutchen wrote:
> > On Sat, 2008-08-30 at 18:23 +0200, Keld Jørn Simonsen wrote:
> > > I run a mirror service where for gentoo I run rsync as a daemon.
> > > Currently the daemon runs as root to get the 873 port opened.
> > > And when transfers then run, they run as nobody.
> > > 
> > > I would like the rsync daemon to connect to 873 (as root)
> > > then possibly do a chroot and then run always as something else
> > > than root (maybe nobody).
> > > 
> > > Is this advisable? Is it possible?
> > 
> > The only time that the rsync daemon supports chrooting and changing
> > uid/gid is each time it accepts a client connection.  If you want the
> > daemon to listen on port 873 without the master daemon process running
> > as root, you could have the daemon listen on an unprivileged port and
> > run a port forwarding program (such as ssh) as root to forward
> > connections from port 873 to the daemon's port.  If you want the master
> > process to be chrooted, you'll have to chroot before starting it.
> 
> Yes, this is also what I understand is possible now.
> 
> Could a feature be added to rsync in daemon mode, where it shifts to a
> specific userid, after connecting to port 873 and possibly doing a
> chroot?

Is there something to this? Would this be added if a patch had been
made?

Best regards
keld
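
The sequence asked about in this thread (open port 873 as root, chroot, then run as a non-root user for good), sketched as an added C example; it is not part of the original message and is not rsync code. The function names `listen_on` and `chroot_and_drop` are hypothetical.

```c
#define _DEFAULT_SOURCE                 /* chroot(), setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind and listen on a TCP port. Ports below 1024 (873 for rsync) need root,
 * so this runs first, while the process is still privileged. */
int listen_on(unsigned short port)
{
    struct sockaddr_in sa;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;                          /* the socket survives the drop below */
}

/* Call after listen_on(): confine the process to new_root, then give up root.
 * Returns 0 on success, -1 on refusal or failure (the caller should exit). */
int chroot_and_drop(const char *new_root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* refuse: target would still be root */
    if (chroot(new_root) < 0 || chdir("/") < 0)
        return -1;                      /* chdir closes the cwd escape route */
    /* Order matters: supplementary groups, then gid, then uid. Once the uid
     * is dropped the process may no longer change its groups. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Verify the drop cannot be undone: regaining uid 0 must fail. */
    if (getuid() != uid || geteuid() != uid || setuid(0) == 0)
        return -1;
    return 0;
}
```

A failure return must be treated as fatal: the process may already be chrooted but still hold root, so it should exit rather than accept connections.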

