The GPFS attribute patch and sandboxing rsync when running in --server mode
Christopher O Cowan
Christopher.O.Cowan at ibm.com
Wed May 19 19:34:00 UTC 2021
So, I'm wondering if you or anyone else knows a way to force rsync into --daemon mode from the server side?
Unless I'm wrong, I probably still need one of the shims I mentioned.
Perhaps I could do the poor man's by writing a wrapper script (or even executable) to basically re-exec the command and add the --daemon option.
Unless there's some way to do this via sshd_config that I am unaware of?
On 4/25/21, 1:38 PM, "Nick Cleaton" <nick at cleaton.net> wrote:
> On Sun, 25 Apr 2021 at 17:53, Chris Cowan via rsync
> <rsync at lists.samba.org> wrote:
> >
> > I've also been looking at several solutions that try to sandbox openssh/rsync. These include rssh (which should not be used anymore, because it's Abandon-ware. But, it is what I am most familiar with), GNU rush,
> > and daethnir/authprogs on github. None of these seems to be able to provide me the control, with rsync, when protect-args is used. Unless I'm mistaken, the filtering has to be done by the rsync --server --sender
> > process itself, since it's the only thing that has visibility to the filepath passed in the ssh channel.
>
> I like to use rsync in daemon mode over ssh for that type of thing, because:
>
> * you don't need a shim, just make the ssh forced command "rsync
> --server --daemon --config /path/to/some/rsyncd.conf ."
> * the --daemon turns on extra server side security checks
> * you always have --protect-args when in daemon mode
> * you can sandbox the transfer root and other things with settings in
> the rsyncd.conf
>
> Example rsync.conf for allowing reading of /var/lib/{foo,bar} but
> writes to only /var/lib/foo :
>
>
> use chroot = no
>
> [foo]
> path = /var/lib/foo
> read only = no
>
> [bar]
> path = /var/lib/bar
> read only = yes
>
>
> On the client side you use the :: syntax to specify a module in an
> rsync daemon along with "-e ssh" to get daemon mode over ssh, for
> example to write to /var/lib/foo/someplace you could:
>
> rsync -e ssh [OTHER OPTIONS] /tmp/new-foo-things ${hostname}::foo/someplace
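As an added example, not from this thread or from the rsync project, here is the kind of "poor man's" forced-command wrapper Christopher asks about, built on the daemon-over-ssh approach Nick describes. It reads the client's requested command from SSH_ORIGINAL_COMMAND, accepts only the exact `rsync --server --daemon .` that a client sends when it uses `host::module` with `-e ssh`, re-execs rsync with a server-chosen `--config` so the module sandbox (such as Nick's rsyncd.conf above) always applies, and refuses and logs everything else. The install path `/usr/local/libexec/rsync-ssh-shim`, the config path `/etc/rsyncd-ssh.conf`, and the function names are assumptions; the authorized_keys line in the header comment is the intended hook.

```shell
#!/bin/sh
# Added example: a forced-command shim for sshd that only allows rsync in
# daemon-over-ssh mode and pins it to a server-controlled rsyncd.conf.
# Not the thread's or rsync's own code; paths below are assumptions.
#
# Hook it up in the backup user's authorized_keys (assumed install location):
#   restrict,command="/usr/local/libexec/rsync-ssh-shim" ssh-ed25519 AAAA... backup@client

RSYNCD_CONF="${RSYNCD_CONF:-/etc/rsyncd-ssh.conf}"   # assumption: locked-down config path

# rsync_shim_command REQUESTED_COMMAND
# Prints the command we are willing to run and returns 0, or prints nothing
# and returns 1. A client using "host::module" with "-e ssh" asks for exactly
# "rsync --server --daemon ."; plain --server transfers, shells and scp are
# refused rather than rewritten, since a non-daemon client cannot complete the
# daemon handshake and the module restrictions would not apply to it.
rsync_shim_command() {
    req=$1
    # Refuse shell metacharacters outright; nothing like that should ever
    # reach exec below, even though we only ever exec fixed pieces.
    case $req in
        *[';&|`$<>()']*) return 1 ;;
    esac
    case $req in
        "rsync --server --daemon .")
            # Ignore the client's wording entirely and use our own config.
            printf 'rsync --server --daemon --config %s .\n' "$RSYNCD_CONF"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Entry point when sshd runs us as the forced command. Refusals are logged
# with the peer and the attempted command so an operator can review them.
run_shim() {
    cmd=$(rsync_shim_command "${SSH_ORIGINAL_COMMAND:-}") || {
        logger -t rsync-ssh-shim -p auth.warning \
            "refused: peer=${SSH_CONNECTION:-?} cmd=${SSH_ORIGINAL_COMMAND:-<none>}"
        printf 'rsync daemon mode only (use host::module with -e ssh)\n' >&2
        exit 1
    }
    # Word-splitting here is intentional: $cmd is built from fixed words plus
    # RSYNCD_CONF, both under the server operator's control.
    exec $cmd
}

# Only act when sshd is actually driving us; sourcing the file otherwise is a no-op.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_shim
fi
```

With `restrict` in authorized_keys, sshd also disables port forwarding, agent forwarding and pty allocation for that key, so the shim plus the rsyncd.conf module definitions are the whole surface the client can reach; a client that is not using the `::` syntax gets a one-line explanation on stderr and a syslog entry on the server rather than a silently failing transfer.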