Limiting remote operations to a particular directory, and not above ?

[George Sanders]

I am tasked with pointing rsync transfers to valuable, live systems.

The requirements include that this rsync job be run as root (rsync over ssh to the destination, as root) and that the --delete option be used.

The last piece is, the _remote_ destinations are not fixed - they are generated from a database and fed into my rsync script.

So, of course the worry is that one of these destination paths, to be syned to the remote server, will be malformed or broken in some way, and I end up doing a:

rsync --delete

against '/' or god knows what.  I could conceivably blow away the entire remote filesystem with a badly formed input.

-----

So, on my end, I have done extremely robust bounds checking on those input paths.  Really, really over the top - if you saw it you'd laugh.  But the problem is, I still lie awake at night wondering...  did I think of everything ?  What if someone edits the script in a seemingly benign way, but breaks the insanely strict bounds checking ?

What would really make me feel better is if I could somehow tell rsync:

"don't operate at all below /this/point/in/remote/filesystem"  No matter what.

That way, no matter how broken the input was, the worst that could happen is that I would --delete things at /this/point/in/remote/filesystem/somewhere/deeper/or/whatever.

I don't see an option like this.  Does anyone have any pointers ?


(I have thought of chrooting a different sshd on the remote, but I'd really, really, like to keep the complexity and configuration on the sending end and just leave these very simple remote systems alone)