uid/gid settings in rsyncd.conf not respected?
Harry Mangalam
harry.mangalam at uci.edu
Thu Mar 5 01:01:29 GMT 2009
Hi Matt,
In your patch that you graciously provided me to provide supplementary
groups capability, you didn't say how it was supposed to be
specified. I thought it was working the first time I used it, but I
was mistaken. I forgot to add the supplementary groups option but
it's unclear how it's supposed to work.
It's an rsyncd.conf parameter but what is the format?
Here's how I tried it:
rsyncd.conf
============
#GLOBAL OPTIONS
...
uid = root
gid = root
supplementary groups = TRUE # like this?
...
[MODULE]
...
uid = someuser
gid = somegroup
...
to allow rsync to use the permissions of 'someuser' to read MODULE?
I'm missing something as the above doesn't work.
harry
The header in your patch said this:
[PATCH] Add "supplementary groups" daemon parameter to take on the
supplementary groups of the specified "uid" as well as the
specified "gid".
On Saturday 14 February 2009, Matt McCutchen wrote:
> On Thu, 2009-02-12 at 21:23 -0800, Harry Mangalam wrote:
> > I've created a special user to backup a server which has some
> > users who don't want all their files backed up, so I'm trying to
> > address their concerns by using the uid= and gid= lines in
> > rsyncd.conf to have the rsyncd run with 'uid=backuppc' and
> > 'gid=backuppc' privs, set in the global section. Then I add
> > backuppc to the appropriate group in /etc/group as below.
> >
> > In this way, rsync will have read permissions only for those
> > users who have made their files g+rX and who have agreed to have
> > the backuppc user added to their group in /etc/group.
> >
> > ie 'minas' is a user who has his /home/dir set as
> > drwxr-x--- 39 minas minas 4096 2009-02-06 23:01 /home/minas
> >
> > I've tried to address this by setting his /etc/group line
> > as:
> >
> > minas:x:1000:backuppc
> >
> > expecting that since 'backuppc' is now a member of the 'minas'
> > group, rsync running with 'backuppc' privs can read the files
> > 'minas' user allows the 'minas' group to read. This change
> > allows the 'backuppc' user to read those files from the shell.
> >
> > However, this does not work for the backup (rsyncd refuses to
> > read the files with an entry in /var/log/rsyncd.log:
>
> On Fri, 2009-02-13 at 09:21 -0800, Harry Mangalam wrote:
> > 2009/02/13 09:06:28 [9818] rsync: link_stat "." (in minas)
> > failed: Permission denied (13)
>
> The problem is that the daemon takes on only the specified uid and
> gid, not the supplementary groups of the uid. The attached patch
> (also in wip/supplementary-groups of my repository) adds a daemon
> parameter to take on the supplementary groups. Please test this
> and tell us whether it works for you.
--
Harry Mangalam - Research Computing, NACS, E2148, Engineering Gateway,
UC Irvine 92697 949 824-0084(o), 949 285-4487(c)
---
Good judgment comes from experience;
Experience comes from bad judgment. [F. Brooks.]
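
The behaviour described in the quoted reply (a daemon that takes on only the configured uid and gid, versus one that also takes on the user's supplementary groups), as an added example that is neither rsync's code nor the patch from this thread. The names drop_privs and can_read are hypothetical, and the numeric ids are constructed: gid 1000 for 'minas' comes from the /etc/group line above, while uid 1000 for 'minas' and 1001:1001 for 'backuppc' are assumed.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to a non-root uid/gid. With supplementary == 0 the
 * process keeps only the primary gid; with 1 it also joins the user's
 * /etc/group memberships via initgroups(). Order: groups, gid, uid. */
int drop_privs(const char *user, uid_t uid, gid_t gid, int supplementary)
{
    if (supplementary ? initgroups(user, gid) : setgroups(1, &gid))
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop cannot be undone. */
    return (setuid(0) == 0) ? -1 : 0;
}

/* Unix read check for a non-root process: the first matching class
 * (owner, then group, then other) decides; later classes are ignored. */
int can_read(uid_t uid, const gid_t *groups, int ngroups,
             uid_t f_uid, gid_t f_gid, mode_t mode)
{
    if (uid == f_uid)
        return (mode & 0400) != 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == f_gid)
            return (mode & 0040) != 0;
    return (mode & 0004) != 0;
}

int main(void)
{
    /* Constructed group sets for 'backuppc' after each kind of drop. */
    gid_t primary_only[] = { 1001 };        /* uid= and gid= only      */
    gid_t with_supp[]    = { 1001, 1000 };  /* plus membership 'minas' */
    mode_t home = 0750;                     /* drwxr-x--- /home/minas  */

    printf("uid/gid only:       %s\n",
           can_read(1001, primary_only, 1, 1000, 1000, home)
               ? "read ok" : "Permission denied (13)");
    printf("with supplementary: %s\n",
           can_read(1001, with_supp, 2, 1000, 1000, home)
               ? "read ok" : "Permission denied (13)");
    return 0;
}
```

drop_privs needs to start as root, so main only exercises the permission check on the two group sets.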