Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach

2022-03-14 Thread Nick Cleaton via rsync
On Sat, 12 Mar 2022 at 08:45, Florian Sager via rsync wrote:

> Hi,
>
> I gave up using rrsync some years ago because of
> a) potential security issues with path references that can occur within
> the rsync execution in the call of rrsync
> b) possibly unmatched rsync options (rrsync must be kept up-to-date to
> match new options _and_ some options need to be intentionally removed that
> may be required)
>
> So my solution on this is:
>
> - a login script (with suid bit in my case)
>
> - that creates/starts a docker image that limits path access and maps libs
> / rsync binary to be available in a limited environment, e.g. "alpine"
>
> DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only --rm
> --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro -v
> /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
> $DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE
> $SSH_ORIGINAL_COMMAND 2>/dev/null
>
> If anybody sees security problems with this approach please tell us.
>

I like the approach of using mounts to limit the paths that rsync can
interact with, using docker like this or something else such as
https://github.com/google/nsjail - but I might be a bit worried about
allowing the user to run whatever commands they like, even inside such a
tightly restricted container, if the client is at a much lower level of
trust than the server.

There's no reason that this can't be combined with rrsync or any of the
other methods described in this thread, for a "belt and braces" approach.

My personal favorite (which hasn't been mentioned yet) is to use rsync in
daemon mode over ssh. You set the forced command in the authorized_keys
line to something like "rsync --server --daemon --config
/path/to/rsyncd.conf" and in that config file you define rsyncd modules to
allow read/write or read-only access to various directories. You have to
call it differently in the client though, for example with a "target"
rsyncd module:

rsync -e ssh -a /foo "$server_hostname"::target/foo

... so I don't think this would work with the ansible rsync module without
some hackery like adding a script to act as the local rsync client binary
and having that script transform its arguments and call the real rsync.
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
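The daemon-over-ssh setup Nick describes, as an added example that is not code from the thread or from the rsync project: the server-side rsyncd.conf with a writable and a read-only module, the authorized_keys line carrying the forced command, and the client-side argument rewrite he calls "hackery". The config path /etc/rsyncd-ssh.conf, the module names, the directories and the key text are placeholders; the rewrite goes a little beyond his single example by also handling user@host and already-converted arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: the three pieces of the
# "rsync daemon over ssh" setup Nick describes. The config path, module
# names, directories and the key text are placeholders.

RSYNCD_CONF=/etc/rsyncd-ssh.conf      # assumed location of the server config

# Server side: the module definitions the forced command exposes. The
# daemon runs as the ssh login user, so "use chroot = yes" would need root;
# the module "path" is what confines access instead.
rsyncd_conf() {
cat <<'EOF'
use chroot = no
lock file = /tmp/rsyncd-ssh.lock
log file = /tmp/rsyncd-ssh.log

# writable module: clients push with  host::target/...
[target]
    path = /srv/backup/target
    read only = false
    comment = backup target (read/write)

# read-only module: clients can only pull from it
[pub]
    path = /srv/pub
    read only = true
    comment = published files (read only)
EOF
}

# Server side: the authorized_keys entry. The forced command replaces
# whatever the client asked to run; the extra options stop the key from
# being used for port forwarding, agent forwarding or an interactive shell.
authorized_keys_line() {
    printf 'command="rsync --server --daemon --config %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$RSYNCD_CONF" "ssh-ed25519 AAAA...PLACEHOLDER-KEY... backup-client"
}

# Client side: the "hackery" Nick mentions. A tool that emits plain
# "host:/dir" (or "user@host:/dir") arguments gets them rewritten to the
# daemon form "host::module/dir"; anything else passes through unchanged.
to_daemon_syntax() {
    module=$1
    arg=$2
    case $arg in
        *::*)  printf '%s\n' "$arg" ;;                    # already daemon syntax
        *:/*)  host=${arg%%:*}
               rest=${arg#*:/}
               printf '%s::%s/%s\n' "$host" "$module" "$rest" ;;
        *)     printf '%s\n' "$arg" ;;                    # option or local path
    esac
}
```

With rsyncd_conf written to /etc/rsyncd-ssh.conf and the authorized_keys line installed for the backup user, the client invocation is the one from Nick's mail, `rsync -e ssh -a /foo "$server_hostname"::target/foo`; a wrapper standing in for the local rsync binary can run each argument through to_daemon_syntax before calling the real one.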


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach

2022-03-12 Thread Florian Sager via rsync

Hi,

I gave up using rrsync some years ago because of
a) potential security issues with path references that can occur within 
the rsync execution in the call of rrsync
b) possibly unmatched rsync options (rrsync must be kept up-to-date to 
match new options _and_ some options need to be intentionally removed 
that may be required)


So my solution on this is:

- a login script (with suid bit in my case)

- that creates/starts a docker image that limits path access and maps 
libs / rsync binary to be available in a limited environment, e.g. "alpine"


DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only 
--rm --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro 
-v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
$DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE 
$SSH_ORIGINAL_COMMAND 2>/dev/null


If anybody sees security problems with this approach please tell us.

Best regards
Florian



On 12.03.22 at 07:36, Bri Hatch via rsync wrote:



On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync wrote:


Rsync includes a script named rrsync that handles this perfectly.


And authprogs provides similar functionality, though you use yaml to 
define what is/isn't allowed. However it does allow you to use one SSH 
identity for potentially many different source dirs rather than 
requiring a separate authorized_key entry for each forced command.


example:

- rule_type: rsync
  allow_download: true
  allow_recursive: true
  paths:
    - /etc
    - /srv/freezeray
  path_startswith:
    - /srv/web

https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules



On 3/12/22 01:08, Richard Hector via rsync wrote:
> On 12/03/22 18:38, Richard Hector via rsync wrote:
>> And I do my backups (using dirvish) as root, using a key with a
>> forced command.
>
> FWIW, that forced command is here:
>
> https://github.com/rwhector/dirvish-forced-command
>
> It's rather unpolished and undocumented, but comments very welcome :-)
>
> I've also had an issue due to some server-side-only arguments to rsync
> being undocumented, which means I can't validate them, and basically
> have to accept anything ... I'd love to know why this is or has to be
> the case :-) I didn't get any particularly useful answers back in
> January 2019 ...
>
> Cheers,
> Richard
>

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,

        Kevin Korb                      Phone:    (407) 252-6853
        Systems Administrator           Internet:
        FutureQuest, Inc. ke...@futurequest.net  (work)
        Orlando, Florida k...@sanitarium.net (personal)
        Web page: https://sanitarium.net/
        PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,




--
Bri Hatch

"Quite mad, they say. It is good that Zathras does not mind. He's even grown
to like it. Oh yes."

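Florian's docker invocation, wrapped in the check that Nick's reply asks for, as an added example rather than Florian's own login script: before any container is started, the wrapper refuses anything in SSH_ORIGINAL_COMMAND that is not an rsync server-side invocation, rejects shell metacharacters, and requires the path rsync will touch to lie under SYNCDIR. The values of DOCKERBIN, DOCKERIMAGE, RSYNC and SYNCDIR are assumptions for illustration, and "--network none" is added here, not part of Florian's line.

```shell
#!/bin/sh
# Added example, not Florian's script: a forced-command wrapper around the
# docker invocation from the thread that first checks what ssh is asking it
# to run. Paths, image name and SYNCDIR are assumed values for illustration.

DOCKERBIN=/usr/bin/docker
DOCKERIMAGE=alpine
RSYNC=/usr/bin/rsync
SYNCDIR=/srv/sync

# Accept only an rsync server-side invocation and refuse anything carrying
# shell or glob metacharacters, so the container never runs an arbitrary
# command even though it is tightly confined.
allowed_original_command() {
    case $1 in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[\;\&\|\`\$\(\)\<\>\*\?]*) return 1 ;;
    esac
    return 0
}

# The last word of a server-side rsync command is the path it reads or
# writes. Require it to be SYNCDIR or below and free of ".." components, in
# addition to the bind mount that already confines the container.
path_inside_syncdir() {
    last=$(set -f; for w in $1; do :; done; printf '%s' "$w")
    case $last in
        *..*) return 1 ;;
        "$SYNCDIR"|"$SYNCDIR"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Florian's docker command line, with "--network none" added here: the
# rsync server talks over stdin/stdout, so the container needs no network.
docker_cmd() {
    mounts="-v $RSYNC:/usr/bin/rsync:ro -v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
    printf '%s\n' "/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only --rm --network none --security-opt no-new-privileges=true $mounts -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE $1"
}

# Entry point for the forced command: validate, then hand over. Printing the
# command keeps this runnable offline; a deployed wrapper would exec it.
run_forced_command() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    allowed_original_command "$cmd" || { echo "refused command: $cmd" >&2; return 1; }
    path_inside_syncdir "$cmd"      || { echo "refused path in: $cmd" >&2; return 1; }
    docker_cmd "$cmd"
}
```

Installed as the forced command for the backup key, the wrapper leaves the bind mounts and no-new-privileges settings from Florian's line in place and adds a second layer in front of them; refused commands are logged to stderr, which sshd forwards to the client, so a failed check is visible on both sides.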