Why is -e sent to the remote rsync side?
henri
henri at stmargarets.school.nz
Sat Oct 11 08:24:50 GMT 2008
> Personally, and this is not something that any shell can solve, I
> would love for a way to limit the files that the --server side rsync
> allows access to.
I have an ssh command wrapper script, which I believe (and now just
hope) limits the access an SSH key provides to a user who uses this
key to authenticate to a system so they are only able to perform
restricted rsync operations.
Let me do some further testing with this and I will get back to you
with the code, once I have looked at it again.
In the meantime, if you would like to see the code before I look
through it and post it to this list, then you are welcome to download
the latest version of PrinterSetup from the following URL :
PrinterSetup : http://www.lucidsystems.org/printingworks/printersetup
Once downloaded have a look in the following directories :
- ExampleFiles/Deployment/PrinterSetup_OSX_SYNC
- ExampleFiles/Deployment/PrinterSetup_OSX_UPDATE
The idea behind the SYNC and UPDATE systems is that you may have some
files (in this case printers configuration information) on a server
and that you may want to restrict read and write access to only this
information which a particular SSH key will allow. I am about to set up
a server to start testing the robustness of this kind of SSH key
restriction system, so the timing of your email is great!
If these scripts are not sufficiently locking down the read and write
access to a particular path then I am interested to help in any way to
make this kind of restriction possible. If you have a moment, this
system may solve your issue. However, if you see a flaw in the way it
works I would be most grateful if you would kindly let me know.
I do think that there must be a better way than using SSH keys to
restrict access. However, if you are looking for an immediate solution
then this may be an option, provided it actually works.
Thanks.
On 8/10/2008, at 4:59 AM, Rami Addady wrote:
> Hello Shachar,
>
> You can use rrsync instead:
> http://samba.anu.edu.au/ftp/unpacked/rsync/support/rrsync
>
>
> Regards,
> Rami Addady
> http://www.active.co.il
>
>
>
> Shachar Shemesh wrote:
> > Wayne Davison wrote:
> >> On Sun, Oct 05, 2008 at 06:47:47AM +0200, Shachar Shemesh wrote:
> >>
> >>> The reason this is brought up is because I'm using rssh
> >>> (http://www.pizzashack.org/rssh/) as the user's shell to limit that
> >>> user to only be allowed to run rsync.
> >>>
> >>
> >> I looked at the source, and created a patch to make it just require the
> >> --server option as the first option.
> >>
> >> While I was looking at the code, I noticed that the check_command()
> >> function was busted in that it would accept any abbreviated path of a
> >> command (e.g. "/usr/bin/rs" would match "/usr/bin/rsync"). The author
> >> apparently didn't know that strncmp() stops at a null (unlike memcmp()),
> >> so the length-trimming that is done can just be removed. My patch fixes
> >> that too.
> >>
> > Last I talked to the rssh maintainer (about a couple of years ago) I
> > was so frustrated with the attitude that I decided to only use rssh
> > until I knock something better together myself. He (used to) care
> > about scp and sftp, and little else. You can send the patch over, if
> > you're feeling lucky. I doubt I'll bother. The only reason I brought
> > the question up was that if I am going to be writing something myself,
> > I would need to know what to make it enforce.
> >
> > Personally, and this is not something that any shell can solve, I
> > would love for a way to limit the files that the --server side rsync
> > allows access to. I can then use a custom shell to pass that command
> > line to rsync to ensure it's enforced.
> >> ..wayne..
> >>
> >
> > Shachar
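Added example, not part of the thread and not rssh source: a C sketch of the prefix-matching behaviour described above for check_command(), beside an exact-match form with a word-boundary check. The function names, the first-word parsing and the sample requests are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Allow-list entry: the path quoted in the thread. */
static const char ALLOWED[] = "/usr/bin/rsync";

/* Flawed shape (assumed reconstruction): the compare length is trimmed to
 * the first word of the request, so any prefix of the allowed path passes. */
int check_command_trimmed(const char *cmdline, const char *allowed)
{
    size_t len = strcspn(cmdline, " ");      /* length of requested command */
    return strncmp(cmdline, allowed, len) == 0;
}

/* Hardened shape: compare the full allowed path, then require a word
 * boundary so neither a shorter nor a longer path can match. */
int check_command_exact(const char *cmdline, const char *allowed)
{
    size_t n = strlen(allowed);
    if (strncmp(cmdline, allowed, n) != 0)
        return 0;                            /* stops at NUL in either string */
    return cmdline[n] == '\0' || cmdline[n] == ' ';
}

int main(void)
{
    /* Constructed sample requests, not taken from any real log. */
    const char *samples[] = {
        "/usr/bin/rsync --server --sender . /data/",
        "/usr/bin/rs",
        "/usr/bin/rsyncd",
        "",
        "/bin/sh",
    };
    size_t i;
    printf("%-45s trimmed exact\n", "request");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %-7d %d\n", samples[i],
               check_command_trimmed(samples[i], ALLOWED),
               check_command_exact(samples[i], ALLOWED));
    return 0;
}
```

Note that the trimmed form also accepts an empty request, because strncmp() with a length of zero always reports equality.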