Security issues when rsyncing directories as root
kmk at sanitarium.net
Thu Oct 18 15:17:00 UTC 2018
Use rrsync. It comes with rsync (some silly Linux distros install it as
documentation instead of a helper script so you have to decompress it
and chmod +x it). It is a perl script with all the documentation in the

Yes, it can be done with rsyncd as you described. The rsyncd.conf file
would be in /root. But rrsync is easier.

On 10/18/2018 10:31 AM, Marc Haber via rsync wrote:
> I am using rsync to keep two directories on two servers in sync. Machine
> A, the "client" is the one where the rsync process is invoked, which
> then logs into Machine B, the "server" as root with ssh and a key. The
> key is restricted in /root/.ssh/authorized_keys to a script that checks
> whether $SSH_ORIGINAL_COMMAND matches the rsync --server command that I
> expect, such as, for example,
> rsync --server -re.iLsfxC --delete . /etc/dhcp/synced/
> Unfortunately, this is rather restrictive and inflexible.
> Things would be easier if rsync would have an option like
> --restrict-write, making rsync not write anywhere outside the path given
> there. That way, my script would be easier and I would only need to check
> server-wise whether the command line being called contains the
> --restrict-write option with the correct directory.
> Would that make sense? Or am I more in the market for an rsync daemon
> with the "path" and "write only" options set? If so, would I need to
> have an rsync daemon _running_ on the remote side if I use the rsync
> --rsh=ssh /path/to/local/dir host::module syntax?
Kevin Korb Phone: (407) 252-6853
Systems Administrator Internet:
FutureQuest, Inc. Kevin at FutureQuest.net (work)
Orlando, Florida kmk at sanitarium.net (personal)
Web page: https://sanitarium.net/
PGP public key available on web site.
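
An added example, not code from either poster or from the rsync project: a forced-command wrapper of the kind described in the quoted message, generalized from an exact string match to an allow-list check that confines the receiver's destination to one directory. `ALLOWED_DIR`, the function name `allow_rsync_cmd` and the permitted option letters are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: forced-command wrapper for authorized_keys. ALLOWED_DIR and
# both option allow-lists are assumptions chosen for this illustration.
LC_ALL=C; export LC_ALL            # keep A-Z/a-z ranges ASCII-only
ALLOWED_DIR=/etc/dhcp/synced

# allow_rsync_cmd CMD DIR: succeed only if CMD is an rsync receiver
# invocation ("rsync --server ... . PATH") whose PATH is lexically inside DIR.
# No filesystem access is made, so symlinks are not resolved.
allow_rsync_cmd() {
    cmd=$1; dir=${2%/}
    # Refuse quotes, globs, backslashes, ';', '$', newlines: after this,
    # plain whitespace splitting cannot produce surprising words.
    case $cmd in ''|*[!A-Za-z0-9\ ._/=-]*) return 1 ;; esac
    set -f; set -- $cmd; set +f
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    seen_dot=0; paths=0
    for arg in "$@"; do
        if [ "$seen_dot" -eq 1 ]; then        # everything after "." is a path
            paths=$((paths + 1))
            case /$arg/ in */../*) return 1 ;; esac
            case ${arg%/}/ in "$dir"/*) ;; *) return 1 ;; esac
            continue
        fi
        case $arg in
            .) seen_dot=1 ;;
            --delete) ;;                      # the only long option allowed
            --*) return 1 ;;                  # --sender, --log-file=..., etc.
            -?*)
                flags=${arg%%e*}; rest=${arg#"$flags"}  # split at -e info
                case ${flags#-} in *[!logDtprvzcu]*) return 1 ;; esac
                case $rest in *[!A-Za-z0-9.]*) return 1 ;; esac ;;
            *) return 1 ;;
        esac
    done
    [ "$seen_dot" -eq 1 ] && [ "$paths" -eq 1 ]
}

# Entry point when sshd runs this file through command="..." on the key.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_rsync_cmd "$SSH_ORIGINAL_COMMAND" "$ALLOWED_DIR"; then
        set -f; exec $SSH_ORIGINAL_COMMAND    # words were validated above
    fi
    echo "rsync wrapper: command rejected" >&2
    exit 1
fi
```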