So, I'm wondering if you or anyone else knows a way to force rsync into --daemon mode from the server side? Unless I'm wrong, I probably still need one of the shims I mentioned.
Perhaps I could do the poor man's version by writing a wrapper script (or even executable) to basically re-exec the command, adding the --daemon option. Unless there's some way to do this via sshd_config that I am unaware of?

On 4/25/21, 1:38 PM, "Nick Cleaton" <n...@cleaton.net> wrote:

> On Sun, 25 Apr 2021 at 17:53, Chris Cowan via rsync
> <rsync@lists.samba.org> wrote:
> >
> > I've also been looking at several solutions that try to sandbox
> > openssh/rsync. These include rssh (which should not be used anymore,
> > because it's Abandon-ware. But, it is what I am most familiar with),
> > GNU rush, and daethnir/authprogs on github. None of these seems to be
> > able to provide me the control, with rsync, when protect-args is used.
> > Unless I'm mistaken, the filtering has to be done by the rsync --server
> > --sender process itself, since it's the only thing that has visibility
> > to the filepath passed in the ssh channel.
>
> I like to use rsync in daemon mode over ssh for that type of thing,
> because:
>
> * you don't need a shim, just make the ssh forced command "rsync
>   --server --daemon --config /path/to/some/rsyncd.conf ."
> * the --daemon turns on extra server side security checks
> * you always have --protect-args when in daemon mode
> * you can sandbox the transfer root and other things with settings in
>   the rsyncd.conf
>
> Example rsync.conf for allowing reading of /var/lib/{foo,bar} but
> writes to only /var/lib/foo :
>
>     use chroot = no
>
>     [foo]
>     path = /var/lib/foo
>     read only = no
>
>     [bar]
>     path = /var/lib/bar
>     read only = yes
>
> On the client side you use the :: syntax to specify a module in an
> rsync daemon along with "-e ssh" to get daemon mode over ssh, for
> example to write to /var/lib/foo/someplace you could:
>
>     rsync -e ssh [OTHER OPTIONS] /tmp/new-foo-things ${hostname}::foo/someplace
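On the sshd_config question in the thread above, an added example (not written by either poster): the forced command Nick quotes can be pinned server-side either per key in authorized_keys or per account with a Match block in sshd_config. The account name `backup`, the key comment and the key body are placeholders; the rsync command line is the one quoted in the thread.

```conf
# --- ~backup/.ssh/authorized_keys (one line per key; "backup" is a placeholder account) ---
# command= replaces whatever the client asked to run, so the client's own
# rsync arguments are never executed; they are only exposed to the forced
# command in the SSH_ORIGINAL_COMMAND environment variable.
# "restrict" disables port, agent and X11 forwarding and PTY allocation
# for this key.
restrict,command="rsync --server --daemon --config /path/to/some/rsyncd.conf ." ssh-ed25519 AAAA...PLACEHOLDER backup-client

# --- /etc/ssh/sshd_config (alternative: covers every key of the account) ---
# ForceCommand has the same effect as command= but is set by the
# administrator, so the account cannot loosen it by editing its own
# authorized_keys file.
Match User backup
    ForceCommand rsync --server --daemon --config /path/to/some/rsyncd.conf .
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
```

With either form, the modules in the rsyncd.conf decide which paths are readable or writable, and clients reach them with the `-e ssh` plus `::module` syntax shown in the quoted message.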