I looked into rsync access security a bit further. It seems that there are still some possible security risks with symlinks being able to access files outside of the rsync root directory. That is probably why Fedora SELinux is configured to prevent general file access by an rsync daemon, which is probably worth not trying to circumvent for BackupPC.
It is possible to run rsync in daemon mode over ssh, without actually running an rsync daemon. Look for "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION" in the rsync man page. This gives all the controls of rsyncd.conf, without having to actually run a daemon. That way, rsyncd is not left open for local privileged access, and it is possible to use the chroot option. I think this will avoid problems with the SELinux rsyncd configuration as well. Also, I think that sudo can be used effectively by giving permission to run and rsync proxy, instead of rsync. That gives the normal sudo access control, but also allows for additional restrictions built in to the rsync proxy. I just need to figure out how to get BackupPC to directly use the rsyncd protocol over ssh, and the rest will be easy. Joe ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ BackupPC-users mailing list [email protected] List: https://lists.sourceforge.net/lists/listinfo/backuppc-users Wiki: http://backuppc.wiki.sourceforge.net Project: http://backuppc.sourceforge.net/
