Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach

Nick Cleaton nick at cleaton.net
Mon Mar 14 09:09:28 UTC 2022


On Sat, 12 Mar 2022 at 08:45, Florian Sager via rsync <rsync at lists.samba.org>
wrote:

> Hi,
>
> I gave up using rrsync some years ago because of
> a) potential security issues with path references that can occur within
> the rsync execution in the call of rrsync
> b) possibly unmatched rsync options (rrsync must be kept up-to-date to
> match new options _and_ some options need to be intentionally removed that
> may be required)
>
> So my solution on this is:
>
> - a login script (with suid bit in my case)
>
> - that creates/starts a docker image that limits path access and maps libs
> / rsync binary to be available in a limited environment, e.g. "alpine"
>
> DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only --rm
> --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro -v
> /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
> $DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE
> $SSH_ORIGINAL_COMMAND 2>/dev/null
>
> If anybody sees security problems with this approach please tell us.
>

I like the approach of using mounts to limit the paths that rsync can
interact with, using Docker like this or something else such as
https://github.com/google/nsjail - but I might be a bit worried about
allowing the user to run whatever commands they like, even inside such a
tightly restricted container, if the client is at a much lower level of
trust than the server.

There's no reason that this can't be combined with rrsync or any of the
other methods described in this thread, for a "belt and braces" approach.

My personal favorite (which hasn't been mentioned yet) is to use rsync in
daemon mode over ssh. You set the forced command in the authorized_keys
line to something like "rsync --server --daemon --config
/path/to/rsyncd.conf" and in that config file you define rsyncd modules to
allow read/write or read-only access to various directories. You have to
call it differently in the client though, for example with a "target"
rsyncd module:

rsync -e ssh -a /foo "$server_hostname"::target/foo

... so I don't think this would work with the Ansible rsync module without
some hackery like adding a script to act as the local rsync client binary
and having that script transform its arguments and call the real rsync.
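The daemon-over-ssh setup described in the message above, written out as an added example (this is not code from the thread or from the rsync project). It assumes a hypothetical unprivileged login "backup" on host backup.example.com, the export directories /srv/pub and /srv/backup, a read-only module "source" plus the read/write module "target" used in the message, and an invented public key. The `restrict` authorized_keys option needs OpenSSH 7.2 or later; `use chroot = no` is set explicitly because a daemon that is not root cannot chroot(2). The last function is the argument rewrite a wrapper around the local rsync binary would have to do for a client that only knows `host:/path` destinations, refusing anything outside the module root.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the server-side pieces for
# rsync daemon mode over ssh (forced command + rsyncd.conf modules) and the
# client-side destination rewrite a wrapper script would need. Login name,
# host, directories, module "source" and the key are hypothetical.
set -eu

# Write an rsyncd.conf with one read-only and one read/write module.
# $1 = output path, $2 = directory exported read-only, $3 = directory exported read/write
write_rsyncd_conf() {
    conf=$1; ro_dir=$2; rw_dir=$3
    dir=$(dirname "$conf")
    cat >"$conf" <<EOF
# The daemon runs as the unprivileged ssh login, which cannot chroot(2),
# so say so explicitly instead of relying on the default.
use chroot = no
lock file = $dir/rsyncd.lock
log file = $dir/rsyncd.log
max connections = 4

[source]
    path = $ro_dir
    comment = read-only export
    read only = yes

[target]
    path = $rw_dir
    comment = backup target, clients may write
    read only = no
EOF
}

# Module names defined in a config, space separated (used as a sanity check).
list_modules() {
    sed -n 's/^\[\([^]]*\)\]$/\1/p' "$1" | tr '\n' ' ' | sed 's/ *$//'
}

# The authorized_keys line: the forced command ignores whatever the client
# asked for (it is left in SSH_ORIGINAL_COMMAND) and always starts the daemon;
# "restrict" turns off pty allocation, port/agent/X11 forwarding and ~/.ssh/rc.
# $1 = path to rsyncd.conf on the server, $2 = the client's public key
authorized_keys_line() {
    printf 'command="rsync --server --daemon --config %s",restrict %s\n' "$1" "$2"
}

# Rewrite a plain server path into the module form the daemon expects, i.e.
# /srv/backup/foo becomes server::target/foo. Paths outside the module root
# are refused rather than silently mapped onto the module.
# $1 = server (optionally user@host), $2 = module name, $3 = module root on
# the server, $4 = absolute path on the server
daemon_dest() {
    server=$1; module=$2; root=$3; path=$4
    case "$path" in
        "$root")   printf '%s::%s/\n' "$server" "$module" ;;
        "$root"/*) printf '%s::%s/%s\n' "$server" "$module" "${path#"$root"/}" ;;
        *) printf 'refusing: %s is outside module root %s\n' "$path" "$root" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration: build everything in a scratch directory.
tmp=$(mktemp -d)
write_rsyncd_conf "$tmp/rsyncd.conf" /srv/pub /srv/backup
echo "modules defined: $(list_modules "$tmp/rsyncd.conf")"
echo "authorized_keys entry:"
authorized_keys_line /home/backup/rsyncd.conf "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly backup@client"
echo "client command:"
echo "rsync -e ssh -a /foo $(daemon_dest backup@backup.example.com target /srv/backup /srv/backup/foo)"
rm -rf "$tmp"
```

On the server the generated rsyncd.conf goes wherever the forced command's `--config` points, and the printed line is appended to ~backup/.ssh/authorized_keys. The client then talks to the daemon exactly as in the message, `rsync -e ssh -a /foo backup@backup.example.com::target/foo`, and can only reach the directories the two modules name.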