> Personally, and this is not something that any shell can solve, I
> would love for a way to limit the files that the --server side rsync
> allows access to.

I have an ssh command wrapper script, which I believe (and now just hope) limits the access an SSH key provides to a user who uses this key to authenticate to a system so they are only able to perform restricted rsync operations.

Let me do some further testing with this and I will get back to you with the code, once I have looked at it again.

In the meantime if you would like to see the code before I look through it and post it to this list, then you are welcome to download the latest version of PrinterSetup from the following URL : PrinterSetup : http://www.lucidsystems.org/printingworks/printersetup

Once downloaded have a look in the following directories :
        - ExampleFiles/Deployment/PrinterSetup_OSX_SYNC
        - ExampleFiles/Deployment/PrinterSetup_OSX_UPDATE

The idea behind the SYNC and UPDATE systems is that you may have some files (in this case printers configuration information) on a server and that you may want to restrict read and write access to only this information which a particular SSH key will allow. I am about to set up a server to start testing the robustness of this kind of SSH key restriction system, so the timing of your email is great!

If these scripts are not sufficiently locking down the read and write access to a particular path then I am interested to help in any way to make this kind of restriction possible. If you have a moment, this system may solve your issue. However, if you see a flaw in the way it works I would be most grateful if you would kindly let me know.

I do think that there must be a better way than using SSH keys to restrict access. However, if you are looking for an immediate solution then this may be an option, provided it actually works.

Thanks.
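The kind of SSH key restriction discussed above, as an added example (not PrinterSetup's scripts and not rrsync): a forced-command wrapper for authorized_keys that lets one key run nothing but an rsync --server invocation confined to a single directory. The installation line, the script path /usr/local/bin/rsync-only, the root /srv/printers and the option allowlist are assumptions; extend the allowlist (e.g. with --delete) for the options your sync actually needs.

```shell
#!/bin/sh
# Added example (not PrinterSetup's or rrsync's code): an authorized_keys
# forced-command wrapper confining one SSH key to "rsync --server" under one
# directory. Install it as one line (hypothetical key and path):
#   command="/usr/local/bin/rsync-only /srv/printers",no-pty,no-port-forwarding,no-X11-forwarding ssh-rsa AAAA...
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.

# check_rsync_command CMD ROOT: exit status 0 if CMD is an rsync --server
# invocation whose only path is ROOT (no trailing slash) or below it, else 1.
check_rsync_command() {
    cmd=$1 root=$2
    case $cmd in
        # Whitelist characters first: no shell metacharacters and no glob
        # characters, so the unquoted word splitting below cannot expand anything.
        *[![:alnum:][:space:]_./=,:+@-]*) return 1 ;;
        # No ".." anywhere, so the path cannot climb out of ROOT (this also
        # rejects legitimate names containing "..", a deliberate trade-off).
        *..*) return 1 ;;
    esac
    set -- $cmd
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    # Every word before the last two must be a known, harmless server option:
    # --sender (the client is pulling) or a bundle of short flags such as
    # -vlogDtpre.iLsfx. Anything else, e.g. --rsh=... or --remove-source-files,
    # is refused.
    while [ $# -gt 2 ]; do
        case $1 in
            --sender|-[vlogDtprze.iLsfxC]*) ;;
            *) return 1 ;;
        esac
        shift
    done
    # The server command ends ". <path>": "." is a placeholder and <path> is
    # what the client will read from or write to, so it must stay inside ROOT.
    [ "$1" = . ] || return 1
    case $2 in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when invoked by sshd: $1 is ROOT from the command= option.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND" "$1"; then
        set -- $SSH_ORIGINAL_COMMAND   # safe: validated above
        shift                          # drop the word "rsync"; run a fixed binary
        exec /usr/bin/rsync "$@"
    fi
    logger -t rsync-only "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```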



On 8/10/2008, at 4:59 AM, Rami Addady wrote:

Hello Shachar,

You can use rrsync instead:
http://samba.anu.edu.au/ftp/unpacked/rsync/support/rrsync


Regards,
Rami Addady
http://www.active.co.il



Shachar Shemesh wrote:
> Wayne Davison wrote:
>> On Sun, Oct 05, 2008 at 06:47:47AM +0200, Shachar Shemesh wrote:
>>
>>> The reason this is brought up is because I'm using rssh
>>> (http://www.pizzashack.org/rssh/) as the user's shell to limit that
>>> user to only be allowed to run rsync.
>>>
>>
>> I looked at the source, and created a patch to make it just require the
>> --server option as the first option.
>>
>> While I was looking at the code, I noticed that the check_command()
>> function was busted in that it would accept any abbreviated path of a
>> command (e.g. "/usr/bin/rs" would match "/usr/bin/rsync"). The author
>> apparently didn't know that strncmp() stops at a null (unlike memcmp()),
>> so the length-trimming that is done can just be removed. My patch fixes
>> that too.
>>
> Last I talked to the rssh maintainer (about a couple of years ago) I
> was so frustrated with the attitude that I decided to only use rssh
> until I knock something better together myself. He (used to) care
> about scp and sftp, and little else. You can send the patch over, if
> you're feeling lucky. I doubt I'll bother. The only reason I brought
> the question up was that if I am going to be writing something myself,
> I would need to know what to make it enforce.
>
> Personally, and this is not something that any shell can solve, I
> would love for a way to limit the files that the --server side rsync
> allows access to. I can then use a custom shell to pass that command
> line to rsync to ensure it's enforced.
>> ..wayne..
>>
>
> Shachar
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html