So, I'm wondering if you or anyone else knows a way to force rsync into 
--daemon mode from the server side?   
Unless I'm wrong, I probably still need one of the shims I mentioned.

Perhaps I could do the poor man's by writing a wrapper script (or even 
executable) to basically re-exec the command, adding the --daemon 
option.

Unless there's some way to do this via sshd_config that I am unaware of?


On 4/25/21, 1:38 PM, "Nick Cleaton" <n...@cleaton.net> wrote:

>    On Sun, 25 Apr 2021 at 17:53, Chris Cowan via rsync
>    <rsync@lists.samba.org> wrote:
>    >
>    >  I've also been looking at several solutions that try to sandbox
>    >  openssh/rsync.    These include rssh (which should not be used anymore,
>    >  because it's Abandon-ware.  But, it is what I am most familiar with), GNU
>    >  rush, and daethnir/authprogs on github.    None of these seems to be
>    >  able to provide me the control, with rsync, when protect-args is used.
>    >  Unless I'm mistaken, the filtering has to be done by the rsync --server
>    >  --sender process itself, since it's the only thing that has visibility
>    >  to the filepath passed in the ssh channel.
>
>    I like to use rsync in daemon mode over ssh for that type of thing, 
> because:
>
>    * you don't need a shim, just make the ssh forced command "rsync
>    --server --daemon --config /path/to/some/rsyncd.conf ."
>    * the --daemon turns on extra server side security checks
>    * you always have --protect-args when in daemon mode
>    * you can sandbox the transfer root and other things with settings in
>    the rsyncd.conf
>
>    Example rsync.conf for allowing reading of /var/lib/{foo,bar} but
>    writes to only /var/lib/foo :
>
>
>    use chroot = no
>
>    [foo]
>    path = /var/lib/foo
>    read only = no
>
>    [bar]
>    path = /var/lib/bar
>    read only = yes
>
>
>    On the client side you use the :: syntax to specify a module in an
>    rsync daemon along with "-e ssh" to get daemon mode over ssh, for
>    example to write to /var/lib/foo/someplace you could:
>
>    rsync -e ssh [OTHER OPTIONS] /tmp/new-foo-things ${hostname}::foo/someplace

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
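
An added example, not part of the thread or of rsync itself: a small audit of `authorized_keys` entries that checks whether a key is pinned to the forced command quoted above (`rsync --server --daemon --config ... .`). The sample entries are constructed, `AAAA_PLACEHOLDER` stands in for real key material, and treating the OpenSSH `restrict` option (or the individual `no-*` options) as required is an assumption of this example.

```python
import shlex
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # a line starting like this has no options
NO_FORWARD = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def split_options(line):
    """Parse the leading options field of an authorized_keys line into a dict."""
    if line.startswith(KEY_PREFIXES):
        return {}
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            buf, i = buf + '"', i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:          # option separator
            opts, buf = opts + [buf], ""
        elif ch.isspace() and not quoted:       # end of the options field
            break
        else:
            buf += ch
        i += 1
    opts.append(buf)
    return {k.lower(): v for k, _, v in (o.partition("=") for o in opts if o)}

def audit(line):
    """Return the problems found in one key entry meant for rsync daemon over ssh."""
    opts, problems = split_options(line.strip()), []
    argv = shlex.split(opts.get("command", ""))
    if "command" not in opts:
        problems.append("no forced command")
    elif not argv or argv[0].rsplit("/", 1)[-1] != "rsync":
        problems.append("forced command is not rsync")
    elif not {"--server", "--daemon"} <= set(argv):
        problems.append("rsync is not forced into --server --daemon mode")
    elif not any(a == "--config" or a.startswith("--config=") for a in argv):
        problems.append("no --config, so rsync picks its default rsyncd.conf")
    if "restrict" not in opts and not NO_FORWARD <= set(opts):
        problems.append("pty/forwarding not disabled")
    return problems

# Constructed sample entries; AAAA_PLACEHOLDER is not a real key.
KEY = " ssh-ed25519 AAAA_PLACEHOLDER backup@client"
DAEMON = 'command="rsync --server --daemon --config /path/to/some/rsyncd.conf .",restrict' + KEY
SHIM = 'command="rsync --server --sender -e.LsfxC . /var/lib/foo",no-pty' + KEY
BARE = KEY.strip()
for entry in (DAEMON, SHIM, BARE):
    print(audit(entry) or "ok")
```

Only the first entry passes: the forced command replaces whatever the client asked to run, so the module definitions in the named rsyncd.conf decide what can be read or written.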