Security issues when rsyncing directories as root

Kevin Korb kmk at sanitarium.net
Thu Oct 18 15:17:00 UTC 2018


Use rrsync.  It comes with rsync (some silly Linux distros install it as
documentation instead of a helper script so you have to decompress it
and chmod +x it).  It is a Perl script with all the documentation in the
comments.

Yes, it can be done with rsyncd as you described.  The rsyncd.conf file
would be in /root.  But rrsync is easier.

On 10/18/2018 10:31 AM, Marc Haber via rsync wrote:
> Hi,
> 
> I am using rsync to keep two directories on two servers in sync. Machine
> A, the "client" is the one where the rsync process is invoked, which
> then logs into Machine B, the "server" as root with ssh and a key. The
> key is restricted in /root/.ssh/authorized_keys to a script that checks
> whether $SSH_ORIGINAL_COMMAND matches the rsync --server command that I
> expect, such as, for example,
> rsync --server -re.iLsfxC --delete . /etc/dhcp/synced/
> 
> Unfortunately, this is rather restrictive and inflexible.
> 
> Things would be easier if rsync would have an option like
> --restrict-write, making rsync not write anywhere outside the path given
> there. That way, my script would be easier and I would only need to check
> server-wise whether the command line being called contains the
> --restrict-write option with the correct directory.
> 
> Would that make sense? Or am I more in the market for an rsync daemon
> with the "path" and "write only" options set? If so, would I need to
> have an rsync daemon _running_ on the remote side if I use the rsync
> --rsh=ssh /path/to/local/dir host::module syntax?
> 
> Greetings
> Marc
> 

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			https://sanitarium.net/
	PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
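
The server-side check discussed in this thread, as an added example that is not part of either poster's message and is not rrsync's code: a forced-command wrapper that accepts only an `rsync --server` push whose destination lies inside one directory. `ALLOWED_DIR`, `check_rsync_command`, the wrapper path and `/usr/bin/rsync` are assumptions; it also assumes paths without spaces and no symlinks under the allowed directory that point elsewhere.

```sh
#!/bin/sh
# Added example: forced-command check confining an rsync push to one tree.
# ALLOWED_DIR, check_rsync_command and the wrapper path are hypothetical.
# authorized_keys entry on Machine B (wrapper path and key are placeholders):
#   command="/usr/local/sbin/rsync-confine",restrict ssh-ed25519 <KEY>
LC_ALL=C                       # byte-wise character ranges in the patterns
ALLOWED_DIR=/etc/dhcp/synced   # directory from the command quoted above

# Return 0 only for "rsync --server <flags> [--delete] . <path>" with <path>
# equal to or below ALLOWED_DIR; return 1 for everything else.
check_rsync_command() {
    # Reject empty input and any character a valid command line never needs.
    case $1 in
        ''|*[!A-Za-z0-9\ ./_-]*) return 1 ;;
    esac
    set -f; set -- $1; set +f                # split on spaces without globbing
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    while [ $# -gt 0 ] && [ "$1" != . ]; do  # options end at the lone "."
        case $1 in
            --delete) ;;                     # the only long option accepted
            --*) return 1 ;;                 # --sender and any other long option
            -*[!A-Za-z.]*) return 1 ;;       # short block: letters and "." only
            -?*) ;;                          # e.g. -re.iLsfxC
            *) return 1 ;;
        esac
        shift
    done
    [ $# -eq 2 ] || return 1                 # exactly "." plus one path
    path=${2%/}
    case $path/ in
        */../*) return 1 ;;                  # no ".." component
        "$ALLOWED_DIR"/*) return 0 ;;        # the tree itself or below it
    esac
    return 1
}

# As the forced command: run the validated request, refuse anything else.
# /usr/bin/rsync is an assumed install path.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; shift
        exec /usr/bin/rsync "$@"
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Unlike an exact string match on the expected command, this accepts any destination below the allowed directory while still refusing `--sender`, extra paths and `..` traversal.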
