Re: Security issues when rsyncing directories as root

[Kevin Korb via rsync]

Use rrsync.  It comes with rsync (some silly Linux distros install it as
documentation instead of a helper script so you have to decompress it
and chmod +x it).  It is a perl script with all the documentation in the
comments.

Yes, it can be done with rsyncd as you described.  The rsyncd.conf file
would be in /root.  But rrsync is easier.

On 10/18/2018 10:31 AM, Marc Haber via rsync wrote:
> Hi,
> 
> I am using rsync to keep two directores on two servers in sync. Machine
> A, the "client" is the one where the rsync process is invoked, which
> then logs into Machine B, the "server" as root with ssh and a key. The
> key is restricted in /root/.ssh/authorized_keys to a script that checks
> wither $SSH_ORIGINAL_COMMAND matches the rsync --server command that I
> expect, such as, for example,
> rsync --server -re.iLsfxC --delete . /etc/dhcp/synced/
> 
> Unfortunately, this is rather restrictive and unflexible.
> 
> Things would be easier if rsync would have an option like
> --restrict-write, making rsync not write anywhere outside the path given
> there. That way, my script would be easier an I would only need to check
> server-wise whether the command line being called contains the
> --restrict-write option with the correct directory.
> 
> Would that make sense? Or am I more in the market for an rsync daemon
> with the "path" and "write only" options set? If so, would I need to
> have an rsync daemon _running_ on the remote side if I use the rsync
> --rsh=ssh /path/to/local/dir host::module syntax?
> 
> Greetings
> Marc
> 

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
Kevin Korb  Phone:(407) 252-6853
Systems Administrator   Internet:
FutureQuest, Inc.   ke...@futurequest.net  (work)
Orlando, Floridak...@sanitarium.net (personal)
Web page:   https://sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,



signature.asc
Description: OpenPGP digital signature
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Security issues when rsyncing directories as root

[Marc Haber via rsync]

Hi,

I am using rsync to keep two directores on two servers in sync. Machine
A, the "client" is the one where the rsync process is invoked, which
then logs into Machine B, the "server" as root with ssh and a key. The
key is restricted in /root/.ssh/authorized_keys to a script that checks
wither $SSH_ORIGINAL_COMMAND matches the rsync --server command that I
expect, such as, for example,
rsync --server -re.iLsfxC --delete . /etc/dhcp/synced/

Unfortunately, this is rather restrictive and unflexible.

Things would be easier if rsync would have an option like
--restrict-write, making rsync not write anywhere outside the path given
there. That way, my script would be easier an I would only need to check
server-wise whether the command line being called contains the
--restrict-write option with the correct directory.

Would that make sense? Or am I more in the market for an rsync daemon
with the "path" and "write only" options set? If so, would I need to
have an rsync daemon _running_ on the remote side if I use the rsync
--rsh=ssh /path/to/local/dir host::module syntax?

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html