[draft PATCH] whitelist support for refuse options

raf rsync at raf.org
Tue Feb 11 01:36:35 UTC 2020


Hi Nick,

Just in case you aren't already aware of it, there is a tool
that limits rsync to particular directories:

  rrsync - Restricts rsync to subdirectory declared in .ssh/authorized_keys
  https://www.samba.org/ftp/unpacked/rsync/support/rrsync

There is also a generic tool (I wrote this one) for limiting
incoming ssh commands to a fixed list of specific actual
commands (with semi-automatic learning of commands based on
observed behaviour during training mode):

  sshdo - controls which commands may be executed via incoming ssh
  http://raf.org/sshdo
  https://github.com/raforg/sshdo

And another (less easy to use) generic alternative:

  authprogs - SSH Command Authenticator
  https://github.com/daethnir/authprogs

I don't know if any of the above commands would give you
what you want but they might.

Suggestion: If the above won't do what you need, I'd suggest
different syntax. I don't like a directive that starts with
"refuse options" and then is mostly followed by the options
that are allowed. It's really saying refuse all options except
the following. I think it would be more intuitive if it
looked like:

  allowed options = verbose archive

and the presence of "allowed options" in rsyncd.conf causes
all other options (not present in that or any other "allowed
options" directive) to be disallowed. Just a thought.

A potential problem with your approach I imagine is that it
would apply equally to all local users but different users
might have different use cases. The tools mentioned above
would support handling different users distinctly.

cheers,
raf

Nick Cleaton via rsync wrote:

> This adds support for whitelisting the acceptable options in the
> "refuse options" setting in rsyncd.conf. It introduces "!" as a
> special option string that refuses most options and interprets
> any following strings as patterns of options to allow.
> 
> For example, to allow only verbose and archive:
> 
>   refuse options = ! verbose archive
> 
> The "!" doesn't refuse no-iconv, but you can still refuse it and
> use a whitelist if you want:
> 
>   refuse options = no-iconv ! verbose archive
> 
> It's not finished (needs tests and doc); I just wanted to see if
> there'd be any interest in merging something of this shape
> before I put more work into it.
> 
> My use case is setting up a restricted trust relationship by
> allowing host A to ssh to host B with a forced command of
> "rsync --server --daemon --config=/path/to/rsyncd.conf ." and
> configuring the restrictions in rsyncd.conf. I know what options
> I want to use, it'd be nice to enforce that on the server side
> without listing every other option in "refuse options".
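
An added example (not code from the draft patch, from rsync, or from either correspondent) that models the "!" semantics described in the quoted message, so a proposed "refuse options" value can be checked against the options a client is expected to send. It assumes option names are long names without leading dashes, that patterns are shell-style wildcards, that an explicit refusal before "!" wins over the allow list, and that no-iconv is the only option "!" leaves alone; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Assumption: the message names no-iconv as the one option "!" does not refuse.
# The draft patch may exempt others; they are not modelled here.
NOT_REFUSED_BY_BANG = {"no-iconv"}


def parse_refuse_options(value):
    """Split a 'refuse options' value into (refuse, allow, whitelist_mode)."""
    refuse, allow, whitelist = [], [], False
    for token in value.split():
        if token == "!":
            whitelist = True          # everything after "!" is an allow pattern
        elif whitelist:
            allow.append(token)
        else:
            refuse.append(token)
    return refuse, allow, whitelist


def is_refused(option, value):
    """Return True if the long option name would be refused under `value`."""
    refuse, allow, whitelist = parse_refuse_options(value)
    if any(fnmatchcase(option, pat) for pat in refuse):
        return True                   # assumed: explicit refusals always apply
    if not whitelist:
        return False                  # classic blacklist-only behaviour
    if option in NOT_REFUSED_BY_BANG:
        return False
    return not any(fnmatchcase(option, pat) for pat in allow)


def audit(requested, value):
    """Return the requested options the daemon would reject, in order."""
    return [opt for opt in requested if is_refused(opt, value)]


if __name__ == "__main__":
    # Constructed sample: options a client might send for a mirror job.
    wanted = ["verbose", "archive", "delete", "remove-source-files"]
    for conf in ("! verbose archive", "no-iconv ! verbose archive", "delete"):
        print(f"refuse options = {conf!r:32} rejects {audit(wanted, conf)}")
```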


