Hoo, quite a storm my little gumby question produced ... <grin> Thanks, all, for the advice of the -l switch. I shall think about whether to use it, or whether to pipe rsync's output to /dev/null for the cron job ...
The messages "Skipping non-regular file" seem a little ambiguous to me. As far as I can determine, the symlinks are correct ... and I assume that if some symlinks changed on the remote site, then rsync would fix mine, as long as I enable "-l".

How about using hard links on the main site, and then we can use the -H option with rsync? Then we'd have none of this worrying about bad symlinks. <smile>

Seriously though ... on the "how to mirror" page, the instructions are to use only the -rtvz flags. For those of us with existing mirrors, then our symlinks will already be okay. However, if someone was starting up a fresh one, or the main site changes their symlinks, then that rsync command will not produce a faithful mirror of the site. P'raps the -a flag is okay then, in that light?

(more comments below this lot)

Wojtek Sylwestrzak said:
> > > > > > Uhm, is it fine ?
> > > use -l option to copy symlinks (unless you don't want them for a reason).
> >
> > Sure, and then if someone breaks into taz and puts a symlink "foo -> /"
> > then rsync will copy it... which is fine for chroot'd ftpds. But if you
> > also serve that filespace via a non-chrooted httpd, then you could be
> > opening yourself up to something you don't want.
> >
> > Dean
> >
>
> Yes, any solution to this ?
> Perhaps areas being mirrored shouldn't have symlinks in the first place,
> and then the mirror process (be it mirror, rsync or whatever) should
> not copy symlinks, assuming they shouldn't exist in the origin server ?
>
> This seems a more general issue about mirrors accessible outside
> chroot env, though.
>
> we are running hundreds of mirrors, and most of them use symlinks internally,
> so we cannot ignore this. On the other hand, we make them all accessible
> with httpd that follows symlinks. We are being quite naive here :-(
>
> --w

We're not running hundreds of mirrors, but we do have a few. wu-ftpd is chrooted, which is fine, and we also serve the files by http, using Apache.

I followed the advice on Apache's "Security Tips" page, and did a <Directory /> directive, making / unavailable, and then turning access back on for the anonymous ftp directory. This way, a symlink to / might be visible, and FollowSymLinks might be on, but the server should not be able to read what the symlink points to.

I strongly advise other people to do the same if they haven't done so already. Read "docs/misc/security_tips.html" in your mirror for more info. :)

Regards,

Andrew.
-- 
Andrew Shugg  FTP Administrator    E-mail: [EMAIL PROTECTED]
Informed Technology                Web: http://www.it.net.au/
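An added example, not part of the original message: a mirror operator who enables "-l" can audit the local tree after each sync for symlinks that resolve outside the mirror root, such as the "foo -> /" case raised in the thread. The function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """Return sorted (link path relative to root, raw target) pairs for
    every symlink under root that resolves to a location outside root."""
    root_real = os.path.realpath(root)
    escaping = []
    # followlinks=False: list symlinked directories but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows the whole chain, so a link to a link is judged
            # by its final destination; dangling links resolve as far as possible.
            resolved = os.path.realpath(path)
            if os.path.commonpath([root_real, resolved]) != root_real:
                escaping.append((os.path.relpath(path, root), os.readlink(path)))
    return sorted(escaping)


def build_sample_mirror(base):
    """Constructed sample tree (not from the thread): one internal link, two escaping."""
    root = os.path.join(base, "pub")
    os.makedirs(os.path.join(root, "dist", "v1"))
    open(os.path.join(root, "dist", "v1", "README"), "w").close()
    os.symlink("v1", os.path.join(root, "dist", "current"))   # stays inside the mirror
    os.symlink("/", os.path.join(root, "foo"))                # the "foo -> /" case
    os.symlink("../../..", os.path.join(root, "dist", "up"))  # relative escape
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target in find_escaping_symlinks(build_sample_mirror(base)):
            print(f"escapes mirror root: {link} -> {target}")
```

Run from the same cron job as the sync, a non-empty result is a signal to inspect the upstream change before the tree is served by a non-chrooted httpd.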
