Enhanced authentication and authorization in rsyncd

Amir Rapson amir.rapson at gmail.com
Sun Aug 30 03:06:21 MDT 2009


A slightly better patch file (removed some warnings).


On Wed, Aug 26, 2009 at 5:52 PM, Amir Rapson<amir.rapson at gmail.com> wrote:
> Hi,
>
> I added a few things to allow the rsync daemon more refined
> authorization and authentication than the current implementation.
> The attached patch file is against the 3.0.6 version.
>
> Additions:
> 1. allow the uid and gid used to access a certain module to be
> determined by the authenticated user -
>     uid = __auth__ will use the auth_user's uid
>     gid = __auth__ will use the auth user's main group's gid
>
> 2. seteuid and not just setuid
>
> 3. added "rw users" to allow read/write access to a module, "ro users"
> to allow read only access to a module and "deny users".
>     "read only" on the module overrides the user's authorization.
>
> 4. added support for groups - with a '@' prefix. For instance: "auth
> users = tridge, susan, @rsync_users"
>
> Authorization logic:
> 1. If the ACL contains a user-specific rule that matches the user,
> then the user is granted rights according to this rule (including
> denying access if the permission is none).
> 2. If the ACL contains a group-rule that denies access of a group the
> user belongs to (permission=none), then access is denied.
> 3. If the ACL contains a group-rule that grants read/write access to a
> group the user belongs to, then the user gets read/write access
> 4. If the ACL contains a group-rule that grants read-only access to a
> group the user belongs to, then the user gets read-only access
> 5. The user is authorized access (for backward compatibility with
> older rsync versions)
>
> Please consider committing this patch for future releases of rsync.
>
> Thanks,
> Amir
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsync_auth.patch
Type: application/octet-stream
Size: 10586 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/rsync/attachments/20090830/6d4012fb/attachment.obj>
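
The precedence order listed under "Authorization logic" in the quoted message, as an added C example. It is not the code from rsync_auth.patch, which is not reproduced on this page, and it is not rsync's own code. The rule struct, function names and sample ACL are hypothetical, and it assumes that the first matching user rule wins and that step 5 grants the module's own access level.

```c
#include <stddef.h>
#include <string.h>

enum perm { PERM_NONE, PERM_RO, PERM_RW };
/* One ACL entry: a user name, or "@group" for a group rule (hypothetical layout). */
struct acl_rule { const char *name; enum perm perm; };

/* Constructed sample, as if configured with: deny users = mallory, @contractors;
   rw users = @rsync_users; ro users = @auditors, susan */
const struct acl_rule sample_acl[] = {
    { "mallory", PERM_NONE }, { "@contractors", PERM_NONE },
    { "@rsync_users", PERM_RW }, { "@auditors", PERM_RO }, { "susan", PERM_RO },
};
#define SAMPLE_N (sizeof sample_acl / sizeof sample_acl[0])
/* Constructed group memberships for the sample users. */
const char *const g_contract[] = { "rsync_users", "contractors" };
const char *const g_audit[] = { "rsync_users", "auditors" };

static int member_of(const char *group, const char *const *groups, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(groups[i], group) == 0) return 1;
    return 0;
}

/* "read only" on the module overrides the user: cap any grant at read-only. */
static enum perm cap(enum perm p, int ro_module)
{ return (ro_module && p == PERM_RW) ? PERM_RO : p; }

enum perm acl_decide(const struct acl_rule *acl, size_t nrules, const char *user,
                     const char *const *groups, size_t ngroups, int ro_module)
{
    int deny = 0, rw = 0, ro = 0;
    /* Step 1: a user-specific rule decides outright, including a deny. */
    for (size_t i = 0; i < nrules; i++)
        if (acl[i].name[0] != '@' && strcmp(acl[i].name, user) == 0)
            return cap(acl[i].perm, ro_module);
    /* Collect every group rule matching one of the user's groups. */
    for (size_t i = 0; i < nrules; i++) {
        if (acl[i].name[0] != '@' || !member_of(acl[i].name + 1, groups, ngroups))
            continue;
        if (acl[i].perm == PERM_NONE) deny = 1;
        else if (acl[i].perm == PERM_RW) rw = 1;
        else ro = 1;
    }
    if (deny) return PERM_NONE;               /* step 2: a group deny beats any group grant */
    if (rw) return cap(PERM_RW, ro_module);   /* step 3 */
    if (ro) return PERM_RO;                   /* step 4 */
    return cap(PERM_RW, ro_module);           /* step 5: no rule matched, access allowed */
}
```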
