Enhanced authentication and authorization in rsyncd
Amir Rapson
amir.rapson at gmail.com
Wed Aug 26 08:52:23 MDT 2009
Hi,
I added a few things to allow the rsync daemon more refined
authorization and authentication than the current implementation.
The attached patch file is against the 3.0.6 version.
Additions:
1. allow the uid and gid used to access a certain module to be
determined by the authenticated user -
uid = __auth__ will use the auth_user's uid
gid = __auth__ will use the auth user's main group's gid
2. seteuid and not just setuid
3. added "rw users" to allow read/write access to a module, "ro users"
to allow read only access to a module and "deny users".
"read only" on the module overrides the user's authorization.
4. added support for groups - with a '@' prefix. For instance: "auth
users = tridge, susan, @rsync_users"
Authorization logic:
1. If the ACL contains a user-specific rule that matches the user,
then the user is granted rights according to this rule (including
denying access if the permission is none).
2. If the ACL contains a group-rule that denies access of a group the
user belongs to (permission=none), then access is denied.
3. If the ACL contains a group-rule that grants read/write access to a
group the user belongs to, then the user gets read/write access.
4. If the ACL contains a group-rule that grants read-only access to a
group the user belongs to, then the user gets read-only access.
5. The user is authorized access (for backward compatibility with
older rsync versions)
Please consider committing this patch for future releases of rsync.
Thanks,
Amir
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsync_auth.patch
Type: application/octet-stream
Size: 10455 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/rsync/attachments/20090826/c7cd1d74/attachment.obj>
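The five authorization rules listed in the message, written out as an added C example. This is not the code from the attached rsync_auth.patch (which is not reproduced on this page) and makes no claim about how that patch is structured; it only shows one evaluation order that satisfies the stated rules, including the '@' group prefix and the "read only" override. The module configuration, the user names and the group table are constructed; the group table stands in for a real group-database lookup, and the assumption that the rule-5 fallback is still capped by "read only" is an editorial one.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Access levels; a higher value is more permissive. */
enum perm { PERM_NONE = 0, PERM_RO = 1, PERM_RW = 2 };

/* One entry from "rw users", "ro users" or "deny users".
 * A leading '@' in the config marks a group rather than a user. */
struct acl_entry {
    char name[64];
    bool is_group;
    enum perm perm;
};

/* Parse a comma-separated "... users = a, b, @grp" value into entries that
 * carry the given permission. Returns the number of entries written. */
size_t parse_user_list(const char *list, enum perm perm,
                       struct acl_entry *out, size_t max)
{
    size_t n = 0;
    char buf[256];
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok && n < max; tok = strtok(NULL, ",")) {
        while (isspace((unsigned char)*tok)) tok++;            /* trim leading  */
        char *end = tok + strlen(tok);
        while (end > tok && isspace((unsigned char)end[-1])) *--end = '\0'; /* trailing */
        if (*tok == '\0') continue;
        out[n].is_group = (*tok == '@');
        strncpy(out[n].name, out[n].is_group ? tok + 1 : tok, sizeof out[n].name - 1);
        out[n].name[sizeof out[n].name - 1] = '\0';
        out[n].perm = perm;
        n++;
    }
    return n;
}

/* Constructed stand-in for the system group database (hypothetical data). */
struct membership { const char *user; const char *group; };
static const struct membership groups[] = {
    {"tridge", "rsync_users"}, {"tridge", "admins"},
    {"susan",  "rsync_users"},
    {"bob",    "contractors"}, {"bob",    "rsync_users"},
};

static bool in_group(const char *user, const char *group)
{
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++)
        if (!strcmp(groups[i].user, user) && !strcmp(groups[i].group, group))
            return true;
    return false;
}

/* The module's "read only" setting caps whatever a rule grants. */
static enum perm cap(enum perm p, bool module_read_only)
{
    return (module_read_only && p == PERM_RW) ? PERM_RO : p;
}

/* Evaluate the merged ACL for an authenticated user, rule 1 through rule 5. */
enum perm authorize(const struct acl_entry *acl, size_t n,
                    const char *user, bool module_read_only)
{
    bool group_rw = false, group_ro = false;
    /* Rule 1: a user-specific entry decides outright, a deny included. */
    for (size_t i = 0; i < n; i++)
        if (!acl[i].is_group && !strcmp(acl[i].name, user))
            return cap(acl[i].perm, module_read_only);
    /* Rule 2: a deny on any group the user belongs to beats every group grant. */
    for (size_t i = 0; i < n; i++) {
        if (!acl[i].is_group || !in_group(user, acl[i].name)) continue;
        if (acl[i].perm == PERM_NONE) return PERM_NONE;
        if (acl[i].perm == PERM_RW) group_rw = true;
        if (acl[i].perm == PERM_RO) group_ro = true;
    }
    /* Rules 3 and 4: among group grants, read/write wins over read-only. */
    if (group_rw) return cap(PERM_RW, module_read_only);
    if (group_ro) return PERM_RO;
    /* Rule 5: no entry matched; keep the pre-patch behaviour where an
     * authenticated user is let in, subject only to "read only" (assumed). */
    return cap(PERM_RW, module_read_only);
}

/* Decide access for one user under a constructed module configuration:
 *   rw users   = tridge, @admins
 *   ro users   = @rsync_users
 *   deny users = @contractors */
enum perm decide(const char *user, bool module_read_only)
{
    struct acl_entry acl[16];
    size_t n = 0;
    n += parse_user_list("tridge, @admins", PERM_RW,   acl + n, 16 - n);
    n += parse_user_list("@rsync_users",    PERM_RO,   acl + n, 16 - n);
    n += parse_user_list("@contractors",    PERM_NONE, acl + n, 16 - n);
    return authorize(acl, n, user, module_read_only);
}

int main(void)
{
    static const char *const names[] = { "none", "read-only", "read/write" };
    const char *users[] = { "tridge", "susan", "bob", "alice" };
    for (size_t i = 0; i < 4; i++)
        printf("%-7s -> %s (read only = no), %s (read only = yes)\n", users[i],
               names[decide(users[i], false)], names[decide(users[i], true)]);
    return 0;
}
```

Note that "bob" is in both rsync_users (read-only grant) and contractors (deny), and is denied regardless of the order in which the lists appear, because rule 2 returns as soon as a matching deny is seen while grants are only recorded for rules 3 and 4. A user with no matching entry at all ("alice") falls through to rule 5, which is the case worth checking on a real deployment: it reproduces the old behaviour, so a module that relies on the new lists to restrict access still needs "auth users" to limit who can authenticate in the first place.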