On Tuesday 28 December 2004 17:12, Dmitry V. Levin wrote:
> > I was thinking of the following solution, but I don't know if it is
> > secure enough:
> > Create a dummy-shell for ssh login that only allows the rsync --server
> > --sender command. Then I get the path of the wanted files, and I appene
On 28-12-2004 at 19:12, Dmitry V. Levin wrote:
>Use chroot(2) to get more robust solution.
>See also ftp://ftp.altlinux.org/pub/people/ldv/rshell/
You may want to have a look at this shell:
http://foosh.sourceforge.net/
I use it and it's nice for rsync (I can't do chroot).
- Alessandro
On Tue, Dec 28, 2004 at 05:24:27PM +0100, Bob wrote:
> I would like to avoid using chroot because it implies my dummy-shell
> must run in suid root. Furthermore, it forces to create a jail with the
> binaries and libraries inside. I was thinking of this solution to avoid
> doing this.
Is there
I would like to avoid using chroot because it implies my dummy-shell
must run in suid root. Furthermore, it forces to create a jail with the
binaries and libraries inside. I was thinking of this solution to avoid
doing this. Do you think there are some security issues using realpath
instead of
Hi,
On Tue, Dec 28, 2004 at 04:53:45PM +0100, Bob wrote:
> I have very special needs and I wanted to use rsync over ssh. I don't
> know if a solution already exists for what I want to do. I want to
> provide rsync over ssh to my users. However, I want to have the
> following limitations:
> 1.
Hi
I have very special needs and I wanted to use rsync over ssh. I don't
know if a solution already exists for what I want to do. I want to
provide rsync over ssh to my users. However, I want to have the
following limitations:
1. No shell access
2. Limiting users to their home directories
I w
In the development version of rsync now in CVS, ssh and daemon mode can
be used together by using '-e ssh' along with '::'. That is probably
just what Rob needs, please check it out/test it. The documentation has
been updated to describe putting a ssh wrapper key to restrict rsync
operations t
This has been discussed before.
The only way to restrict what rsync-over-ssh can do is to lodge the
restriction in the authorized_keys command= field, restricting what
command a given key can run.
For a single rsync invocation it's easy to figure out: just set up
command=/path/to/wrapper
jw schultz <[EMAIL PROTECTED]> writes:
> For the most part there shouldn't be much of a problem. What you
> are talking about doing is erroring out if the path(s) are out of
> bounds, and either adding/removing options or erroring if they are
> missing/present.
>
> You could just take the SSH_ORI
On Sun, Jan 05, 2003 at 07:50:57PM -0600, Rob Browning wrote:
> jw schultz <[EMAIL PROTECTED]> writes:
>
> > I'm just wondering what you are suggesting be added to rsync
> > that couldn't be done by the wrapper you already need.
> >
> > You can already restrict --delete and check the paths rsync
>
jw schultz <[EMAIL PROTECTED]> writes:
> I'm just wondering what you are suggesting be added to rsync
> that couldn't be done by the wrapper you already need.
>
> You can already restrict --delete and check the paths rsync
> will operate on to ensure they are within the designated
> trees. As it
On Sun, Jan 05, 2003 at 06:32:53PM -0600, Rob Browning wrote:
> jw schultz <[EMAIL PROTECTED]> writes:
>
> > A general purpose wrapper could be done but you would have to have
> > ways to tell it to require these options, disallow these options,
> > which of those options require args, and what ar
jw schultz <[EMAIL PROTECTED]> writes:
> A general purpose wrapper could be done but you would have to have
> ways to tell it to require these options, disallow these options,
> which of those options require args, and what arguments must match
> what patterns. A full implementation would probabl
Rob Browning wrote
> Aaron Morris <[EMAIL PROTECTED]> writes:
>
> > I only mention this because I do not believe most people even realize
> > there is this other mode to rsync. I tried describing it to a
> > co-worker who uses rsync regularly, but he kind of just stared at me
> > blankly.
>
> Ri
Aaron Morris <[EMAIL PROTECTED]> writes:
> I only mention this because I do not believe most people even realize
> there is this other mode to rsync. I tried describing it to a
> co-worker who uses rsync regularly, but he kind of just stared at me
> blankly.
Right. I was aware of that mode, but
On Sun, Jan 05, 2003 at 11:30:41AM -0600, Rob Browning wrote:
>
> I was wondering if it's possible to restrict rsync in various ways on
> the server side when it is invoked via ssh. Two restrictions I had in
> mind are disallowing deletes and/or restricting all actions to a
> particular subdirect
I do not think you can use it with ssh, but if you use rsync in rsync
mode (::) instead of just an interface to rsh (:), you can limit the
directories where you can transfer files (using modules). This involves
setting up the rsync daemon on the server side. The rsync daemon has
the ability t
I was wondering if it's possible to restrict rsync in various ways on
the server side when it is invoked via ssh. Two restrictions I had in
mind are disallowing deletes and/or restricting all actions to a
particular subdirectory. I was hoping to be able to do this without
having to be root (for
On Fri, Jun 07, 2002 at 11:09:58AM -0700, Mike Rubel wrote:
>
> > Somewhat belatedly, I can report that I use rsync in daemon mode in
> > conjunction with an SSH tunnel, but using remote port forwarding. I
> > use the method to distribute password and shadow files.
>
> It seemed like this ought
> Somewhat belatedly, I can report that I use rsync in daemon mode in
> conjunction with an SSH tunnel, but using remote port forwarding. I
> use the method to distribute password and shadow files.
It seemed like this ought to be possible.
So, out of curiosity, why does rsync include a "-e ssh
Dave Dykstra writes:
> On Wed, May 22, 2002 at 02:39:00PM -0700, Mike Rubel wrote:
> > This brings up an interesting question. Does anyone use the server
> > version of rsyncd with an ssh tunnel? In other words:
> >
> > On the server, bring up sshd listening on *:22, and rsyncd accepting
> > con
On Wed, May 22, 2002 at 02:39:00PM -0700, Mike Rubel wrote:
>
> > > If so, I am trying to find the best way to restrict rsync -e ssh on the
> > > remote machine. Prepending the authorized_keys entry with
> > > command='rsync ...' 1024... results in the 'Protocol mismatch - is your
> > > shell cl
2002-05-29-15:55:09 Brian D. Hamm:
> No harsh programming statements please this was my first crack at Perl
> :)
I'll avoid any harsh statements:-).
Your code is not particularly idiomatic perl, but it's exceptionally
clear, and as far as I can see correct. You note in a comment one
spot where y
= localtime;
print SSHOUT ("$now RSYNC COMPLETE\n\n");
} else {
print SSHOUT ("$now RSYNC REQUEST FAILED INSPECTION - SKIPPING RSYNC\n\n"); }
close (SSHOUT);
Brian D. Hamm, CISSP, CCNA
Network Design & Implementation
(o) 727-939-3080
(c) 727-424-4384
(f) 240-266-7
On Wed, May 29, 2002 at 11:04:37AM -0600, [EMAIL PROTECTED] wrote:
> I don't know ssh well enough to know whether it passes parameters besides
> the ones specified in authorized_keys. I think it passes parameters,
> though, because rsync over ssh is the basis of the IBM Content Promotion
> Too
cc: [EMAIL PROTECTED]
(bcc: Tim Conway/LMT/SC/PHILIPS)
Subject:Re: restricting rsync over ssh
Classification:
On Wed, May 22, 2002 at 10:01:27PM -0400, Brian D. Hamm wrote:
> The --server --sender options left me a little confused. I understand
> what they st
On Wed, May 22, 2002 at 10:01:27PM -0400, Brian D. Hamm wrote:
> The --server --sender options left me a little confused. I understand
> what they stand for but these options are not in the help and they don't
> appear to be variables.
Yes indeed, as I tried to indicate, rsync has a private proto
ssage-
From: Bennett Todd [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 4:23 PM
To: Brian D. Hamm
Cc: [EMAIL PROTECTED]
Subject: Re: restricting rsync over ssh
2002-05-22-14:00:27 Brian D. Hamm:
> Is it true that when running rsync via ssh (i.e. rsync -e ssh ...)
> the rsyncd
".\n" '
"There are some who call me Tim?"
"Brian D. Hamm" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/22/2002 12:00 PM
To: <[EMAIL PROTECTED]>
cc: (bcc: Tim Conway/LMT/SC/PHILIPS)
Subject:restrict
> > If so, I am trying to find the best way to restrict rsync -e ssh on the
> > remote machine. Prepending the authorized_keys entry with
> > command='rsync ...' 1024... results in the 'Protocol mismatch - is your
> > shell clean?' error.
This brings up an interesting question. Does anyone use
2002-05-22-14:00:27 Brian D. Hamm:
> Is it true that when running rsync via ssh (i.e. rsync -e ssh ...)
> the rsyncd.conf file is not applicable [...]
Yup. Exactly right. When you're using ssh (or rsh, as far as rsync
is concerned they're interchangeable plug parts) the rsync client
you invoke fr
Is it true that when running rsync via ssh (i.e. rsync -e ssh ...) the
rsyncd.conf file is not applicable on the remote since rsync is launched
via the ssh exec call once connected rather than from rsyncd as in a
direct connect.
If so, I am trying to find the best way to restrict rsync -e ssh on
32 matches