Enhanced authentication and authorization in rsyncd

Amir Rapson amir.rapson at gmail.com
Wed Aug 26 08:52:23 MDT 2009


Hi,

I added a few things to allow the rsync daemon more refined
authorization and authentication than the current implementation.
The attached patch file is against the 3.0.6 version.

Additions:
1. allow the uid and gid used to access a certain module to be
determined by the authenticated user -
    uid = __auth__ will use the auth_user's uid
    gid = __auth__ will use the auth user's main group's gid

2. seteuid and not just setuid

3. added "rw users" to allow read/write access to a module, "ro users"
to allow read only access to a module and "deny users".
    "read only" on the module overrides the user's authorization.

4. added support for groups - with a '@' prefix. For instance: "auth
users = tridge, susan, @rsync_users"

Authorization logic:
1. If the ACL contains a user-specific rule that matches the user,
then the user is granted rights according to this rule (including
denying access if the permission is none).
2. If the ACL contains a group-rule that denies access of a group the
user belongs to (permission=none), then access is denied.
3. If the ACL contains a group-rule that grants read/write access to a
group the user belongs to, then the user gets read/write access.
4. If the ACL contains a group-rule that grants read-only access to a
group the user belongs to, then the user gets read-only access.
5. The user is authorized access (for backward compatibility with
older rsync versions)

Please consider committing this patch for future releases of rsync.

Thanks,
Amir
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsync_auth.patch
Type: application/octet-stream
Size: 10455 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/rsync/attachments/20090826/c7cd1d74/attachment.obj>
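The five-step resolution described in the post, modelled in Python as an added illustration (this is not the patch's code). The module stanza and the group-membership table are constructed stand-ins for rsyncd.conf and the system group database, and the precedence "deny users" > "rw users" > "ro users" for a principal that appears in more than one list is an assumption, since the post does not say.

```python
# Constructed model of the proposed rsyncd ACL logic; not rsync's own code.
NONE, RO, RW = "none", "ro", "rw"

def parse_principals(value):
    """Split an rsyncd.conf '... users =' value on commas and whitespace."""
    return value.replace(",", " ").split()

def build_acl(module):
    """Turn the module's 'deny users', 'rw users' and 'ro users' lines into
    ordered (name, perm) rules for plain users and for '@'-prefixed groups.
    Assumed precedence when a name is listed twice: deny > rw > ro."""
    user_rules, group_rules = [], []
    for key, perm in (("deny users", NONE), ("rw users", RW), ("ro users", RO)):
        for name in parse_principals(module.get(key, "")):
            if name.startswith("@"):
                group_rules.append((name[1:], perm))
            else:
                user_rules.append((name, perm))
    return user_rules, group_rules

def authorize(module, user, groups_of_user):
    """Return 'rw', 'ro' or 'none' for an authenticated user, following the
    post's steps 1-5, then apply the module-level 'read only' override."""
    user_rules, group_rules = build_acl(module)
    perm = None
    # Step 1: a user-specific rule wins outright, including an explicit deny.
    for name, rule_perm in user_rules:
        if name == user:
            perm = rule_perm
            break
    if perm is None:
        granted = {p for g, p in group_rules if g in groups_of_user}
        # Steps 2-4: a group deny beats group rw, which beats group ro.
        for candidate in (NONE, RW, RO):
            if candidate in granted:
                perm = candidate
                break
    if perm is None:
        perm = RW  # Step 5: no matching rule, access allowed (legacy behaviour)
    # 'read only = yes' on the module caps any grant at read-only.
    if perm == RW and module.get("read only", "no").lower() == "yes":
        perm = RO
    return perm

# Constructed module stanza and group table (stand-in for getgrnam lookups).
BACKUP_MODULE = {"read only": "no", "rw users": "tridge, @admins",
                 "ro users": "@rsync_users", "deny users": "guest, @contractors"}
GROUPS = {"tridge": {"admins"}, "susan": {"rsync_users"},
          "bob": {"rsync_users", "contractors"}, "guest": {"rsync_users"}}
```

Running `authorize(BACKUP_MODULE, "bob", GROUPS["bob"])` shows the group-deny rule beating the read-only grant from rsync_users, while "guest" is denied by its user rule even though its group would grant read-only.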