Fwd: Re: need help with an rsync patch

Kevin Korb kmk at sanitarium.net
Sat Aug 17 05:15:36 MDT 2013



It can push or pull.  The important part is that it runs as root on
one end and with --fake-super on the other end.

On 08/17/13 00:07, Sherin A wrote:
> On Thursday 15 August 2013 01:25 AM, Kevin Korb wrote:
> It works if you use --fake-super on the side that isn't super.  That is
> the only side that needs it:
> 
> asylum# id kmk
> uid=12313(kmk) gid=100(users) groups=100(users),10(wheel),16(cron),35(games)
> asylum# ls -l ~kmk/testfile
> -rw-r----- 1 kmk users 0 Aug 14 15:47 /home/kmk/testfile
> asylum# ssh backups@psychosis id
> uid=12317(backups) gid=12317(backups) groups=12317(backups)
> asylum# rsync -vai --rsync-path="/usr/bin/rsync --fake-super" ~kmk/testfile backups@psychosis:
> sending incremental file list
> <f+++++++++ testfile
> 
> sent 84 bytes  received 31 bytes  230.00 bytes/sec
> total size is 0 speedup is 0.00
> asylum# ssh backups@psychosis ls -l testfile
> -rw-r----- 1 backups backups 0 Aug 14 15:47 testfile
> asylum# ssh backups@psychosis getfattr testfile
> # file: testfile
> user.rsync.%stat
> 
> asylum# ssh backups@psychosis getfattr -n user.rsync.%stat testfile
> # file: testfile
> user.rsync.%stat="100640 0,0 12313:100"
> 
> asylum# rsync -vai --rsync-path="/usr/bin/rsync --fake-super" backups@psychosis:testfile /tmp/
> receiving incremental file list
> >f+++++++++ testfile
> 
> sent 30 bytes  received 89 bytes  238.00 bytes/sec
> total size is 0 speedup is 0.00
> asylum# ls -l /tmp/testfile
> -rw-r----- 1 kmk users 0 Aug 14 15:47 /tmp/testfile
> 
> 
> The file gets stored in the backup as the backups user but with a
> tag saying it is really supposed to be owned by kmk.  When I
> restore it it comes back owned by user kmk.
> 
> On 08/14/13 15:20, Sherin A wrote:
>>>> On Wednesday 14 August 2013 11:04 PM, Kevin Korb wrote: The
>>>> point of --fake-super is that when you restore the file with
>>>> --fake-super it will restore with the original ownership.  Of
>>>> course that means that the restore has to be run with super
>>>> privs on the target and --fake-super on the source.
>>>> 
>>>>> This doesn't work on remote stores. It doesn't restore
>>>>> the ownerships.
>>>> 
>>>> 
>>>> 
>>>>> On Wednesday 14 August 2013 11:04 PM, Kevin Korb wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>> 
>>>> The point of --fake-super is that when you restore the file
>>>> with --fake-super it will restore with the original
>>>> ownership.  Of course that means that the restore has to be
>>>> run with super privs on the target and --fake-super on the
>>>> source.
>>>> 
>>>> On 08/14/13 13:30, Sherin A wrote:
>>>>>>> On Wednesday 14 August 2013 10:25 PM, Kevin Korb
>>>>>>> wrote:
>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>>>>> 
>>>>>>>> As has been pointed out to you your problem is not
>>>>>>>> hard links. Your problem is the indiscriminate use of
>>>>>>>> a root operation (a chown) during the restoration
>>>>>>>> process.
>>>>>>>> 
>>>>>>>> You should be solving this by either:
>>>>>>>> A) backing up and restoring the original owner of the files
>>>>>>>> (directly or via --fake-super)
>>>>>>> This won't work,
>>>>>>> 
>>>>>>> root@source [~]# id dom2inho
>>>>>>> uid=507(dom2inho) gid=508(dom2inho) groups=508(dom2inho)
>>>>>>> root@source[~]# rsync -avp -e 'ssh ' --fake-super /home/dom2inho backup@10.0.0.10:/home/backup/
>>>>>>> 
>>>>>>> In storage server,
>>>>>>> [root@dest dom2inho]# id backup
>>>>>>> uid=505(backup) gid=506(backup) groups=506(backup)
>>>>>>> [root@dest dom2inho]# pwd
>>>>>>> /home/backup/dom2inho
>>>>>>> [root@dest dom2inho]# ll -d /home/backup/dom2inho/shadow
>>>>>>> --w------- 1 backup backup 1344 Aug 13 12:52 /home/backup/dom2inho/shadow   => not preserving uids or gids
>>>>>>> [root@da dom2inho]#
>>>>>>> 
>>>>>>> If I am doing something wrong please let me know.
>>>>>>> 
>>>>>>> 
>>>>>>>> B) backing up each user's files and only their
>>>>>>>> files.
>>>>>>> I don't see an option in the rsync man to copy only
>>>>>>> each user's files, can you please point me to that
>>>>>>> option
>>>>>>> 
>>>>>>> Thanking you for your valuable time and help.
>>>>>>> 
>>>> 
> So, it needs to be a pull-type rsync with an unprivileged user? It
> was not a permanent solution always. Maybe it is the time to
> present this POC to other forums. There will be a big issue with
> hundreds of servers and applications that use rsync and can be
> exploited using the POS.
> 

- -- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			http://www.sanitarium.net/
	PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
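
Added example (not part of the original message and not rsync's own code): the restore in the quoted session depends on the user.rsync.%stat tag, whose value there is "100640 0,0 12313:100", that is octal mode, device major,minor, and uid:gid. The Python below decodes that value from getfattr -d style output and lists the files in a backup store that carry no tag; the sample listing and dump are constructed, and the function names are hypothetical.

```python
import re
import stat

# Constructed sample data (not from the thread): files present in the backup
# store, and `getfattr -d` style output for the ones that carry attributes.
SAMPLE_LISTING = ["testfile", "shadow", "bin/tool"]
SAMPLE_DUMP = '''\
# file: testfile
user.rsync.%stat="100640 0,0 12313:100"

# file: bin/tool
user.rsync.%stat="104755 0,0 0:0"
'''

STAT_RE = re.compile(r'^user\.rsync\.%stat="([0-7]+) (\d+),(\d+) (\d+):(\d+)"$')

def decode_stat(line):
    """Decode one tag line: octal mode, device major,minor, uid:gid."""
    m = STAT_RE.match(line.strip())
    if m is None:
        return None
    mode, major, minor, uid, gid = m.groups()
    return {"perms": stat.filemode(int(mode, 8)),
            "rdev": (int(major), int(minor)),
            "uid": int(uid), "gid": int(gid)}

def audit(listing, dump_text):
    """Return (tagged, untagged) for the files named in listing."""
    tagged, current = {}, None
    for line in dump_text.splitlines():
        if line.startswith("# file: "):
            current = line[len("# file: "):]
        elif current is not None:
            info = decode_stat(line)
            if info is not None:
                tagged[current] = info
    # Files with no tag come back with whatever owner they have on disk.
    untagged = [name for name in listing if name not in tagged]
    return tagged, untagged

if __name__ == "__main__":
    tagged, untagged = audit(SAMPLE_LISTING, SAMPLE_DUMP)
    for name, info in tagged.items():
        print(f"{name}: {info['perms']} uid={info['uid']} gid={info['gid']}")
    for name in untagged:
        print(f"{name}: no user.rsync.%stat tag")
```
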