Limiting remote operations to a particular directory, and not above ?
Matt McCutchen
matt at mattmccutchen.net
Wed Oct 21 21:46:56 MDT 2009
On Wed, 2009-10-21 at 13:40 -0700, George Sanders wrote:
> I am tasked with pointing rsync transfers to valuable, live systems.
>
> The requirements include that this rsync job be run as root (rsync
> over ssh to the destination, as root) and that the --delete option be
> used.
> What would really make me feel better is if I could somehow tell
> rsync:
>
> "don't operate at all below /this/point/in/remote/filesystem" No
> matter what.
An rsync daemon is the right tool to ensure this, without a doubt.
> (I have thought of chrooting a different sshd on the remote, but I'd
> really, really, like to keep the complexity and configuration on the
> sending end and just leave these very simple remote systems alone)
If you don't want to configure the receivers in advance, your script can
invoke a single-use daemon with the configuration data passed on the
command line, like so (bash):
function quote_args {
apos="'"
bs=\\
# Escape existing single quotes.
set -- "${@//$apos/$apos$bs$apos$apos}"
# Wrap each arg in single quotes.
set -- "${@/#/$apos}"
set -- "${@/%/$apos}"
# Join the args with spaces.
echo "$*"
}
CONFIG='
[module]
path = /this/point/in/remote/filesystem
uid = root
gid = root
read only = false
'
rsync -e ssh --rsync-path="rsync --config=<(echo $(quote_args "$CONFIG"))" \
OPTIONS SRC ... rsync://HOST/module
Yes, this is pretty crazy, but it accomplishes what you want.
--
Matt
More information about the rsync
mailing list