I disagree that "nobody uses rsyncd at all" unless you mean specifically to exclude use of rsync in daemon mode over ssh transport or other secure transport. I've seen it used (and still see it used) many places, and generally for the same reason - to enforce rsync configuration in a way the client cannot override, while obtaining the markedly superior security properties of SSH or TLS transport. The typical patterns are either:
1) Force use of rsync as the user's login shell (note that OpenSSH "ForceCommand" is not sufficient if the user has access to write the underlying filesystem, as ForceCommand uses the login shell to execute the command, and can be spoofed if the user can write the shell startup files). 2) Put rsync --daemon behind stunnel or similar TLS-speaking proxy that can do the desired kind of authentication. Thor -----Original Message----- From: rsync <[email protected]> On Behalf Of Paul Slootman via rsync Sent: Sunday, April 12, 2026 10:07 AM To: [email protected] Subject: Re: rsync readonly mode? On Fri 10 Apr 2026, Kevin Korb via rsync wrote: > > I didn't mean that almost nobody uses the read only option in rsyncd.conf. > I meant that almost nobody uses rsyncd at all. Publishing publicly > available read only repositories is one of the things it is still used for. I use it extensively for backups in our "private cloud" network, and elsewhere, together with appropriate firewall rules. I trust rsyncd with appropriate "hosts allow", "uid" and "read only = yes" in de modules definitions more than hoping that no one ever makes an error in locking down root ssh access. > Rsync over ssh isn't just about encryption it is also about the far > superior authentication capabilities of ssh. Like ssh keys. This is > especially important when rsyncing as root for system backups. FWIW the (admittedly) simplistic rsync authentication can add a bit more security to an rsyncd setup. Paul -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
