Re: Enhanced authentication and authorization in rsyncd
A slightly better patch file (removed some warnings).

On Wed, Aug 26, 2009 at 5:52 PM, Amir Rapson <amir.rap...@gmail.com> wrote:
> Hi,
>
> I added a few things to allow the rsync daemon more refined authorization and authentication than the current implementation. The attached patch file is against the 3.0.6 version.
>
> Additions:
> 1. Allow the uid and gid used to access a certain module to be determined by the authenticated user:
>    - uid = __auth__ will use the auth user's uid
>    - gid = __auth__ will use the auth user's main group's gid
> 2. seteuid and not just setuid.
> 3. Added rw users to allow read/write access to a module, ro users to allow read-only access to a module, and deny users. Read only on the module overrides the user's authorization.
> 4. Added support for groups, with a '@' prefix. For instance:
>    auth users = tridge, susan, @rsync_users
>
> Authorization logic:
> 1. If the ACL contains a user-specific rule that matches the user, then the user is granted rights according to this rule (including denying access if the permission is none).
> 2. If the ACL contains a group rule that denies access to a group the user belongs to (permission=none), then access is denied.
> 3. If the ACL contains a group rule that grants read/write access to a group the user belongs to, then the user gets read/write access.
> 4. If the ACL contains a group rule that grants read-only access to a group the user belongs to, then the user gets read-only access.
> 5. The user is authorized access (for backward compatibility with older rsync versions).
>
> Please consider committing this patch for future releases of rsync.
>
> Thanks,
> Amir

Attachment: rsync_auth.patch (binary data)

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
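The five-step precedence above, worked through as an added example (this is not the posted patch's code). It assumes a reading the mail leaves open: 'auth users' is the authentication gate, the 'rw users' / 'ro users' / 'deny users' lists form the ACL, and group membership comes from a constructed table instead of /etc/group.

```python
# Added example, not the code of the posted patch: evaluates the precedence
# rules the post lists. Assumed reading: 'auth users' is the authentication
# gate, 'rw users' / 'ro users' / 'deny users' form the ACL, and group
# membership comes from a constructed table rather than /etc/group.
from typing import Dict, List, Set, Tuple

def parse_list(value: str) -> List[str]:
    return [t.strip() for t in value.split(",") if t.strip()]

def matches(entry: str, user: str, mygroups: Set[str]) -> bool:
    """'@name' entries match by group; anything else is an exact user name."""
    return entry[1:] in mygroups if entry.startswith("@") else entry == user

def authorize(module: Dict[str, str], user: str, groups: Dict[str, Set[str]]) -> str:
    """Return 'rw', 'ro' or 'none' for user on this module."""
    mygroups = {g for g, members in groups.items() if user in members}
    if not any(matches(e, user, mygroups) for e in parse_list(module.get("auth users", ""))):
        return "none"                                   # not an auth user at all
    acl: List[Tuple[str, str]] = []
    for key, perm in (("rw users", "rw"), ("ro users", "ro"), ("deny users", "none")):
        acl += [(e, perm) for e in parse_list(module.get(key, ""))]
    user_rules = [p for e, p in acl if not e.startswith("@") and e == user]
    if user_rules:
        perm = user_rules[0]                            # 1: user-specific rule decides, even a deny
    else:
        group_perms = {p for e, p in acl if e.startswith("@") and e[1:] in mygroups}
        if "none" in group_perms:
            perm = "none"                               # 2: a deny on any of the user's groups wins
        elif "rw" in group_perms:
            perm = "rw"                                 # 3: any rw group
        elif "ro" in group_perms:
            perm = "ro"                                 # 4: any ro group
        else:
            perm = "rw"                                 # 5: backward compatibility: authorized
    if perm == "rw" and module.get("read only", "yes").lower() in ("yes", "true", "1"):
        perm = "ro"                                     # module 'read only' (rsyncd default) caps rw
    return perm

def effective_ids(module: Dict[str, str], user: str, passwd: Dict[str, Tuple[int, int]]) -> Tuple:
    """'uid = __auth__' / 'gid = __auth__' resolve to the authenticated user's own ids."""
    uid, gid = module.get("uid", "nobody"), module.get("gid", "nobody")
    return (passwd[user][0] if uid == "__auth__" else uid,
            passwd[user][1] if gid == "__auth__" else gid)

# Constructed sample data, not taken from the post.
GROUPS = {"rsync_users": {"susan", "bob"}, "ops": {"carol"}, "interns": {"bob"}}
PASSWD = {"tridge": (1000, 1000), "susan": (1001, 100), "bob": (1002, 100), "carol": (1003, 1003)}
MODULE = {"auth users": "tridge, susan, @rsync_users, @ops", "rw users": "tridge, @ops",
          "ro users": "@rsync_users", "deny users": "susan, @interns", "read only": "no",
          "uid": "__auth__", "gid": "__auth__"}
```

With the sample data, tridge gets rw by his user rule, susan is denied by hers despite @rsync_users granting ro, and bob is denied because @interns (deny) outranks @rsync_users (ro).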
Re: content of file
Basically, I am trying to read a file on the network without taking up all of my bandwidth. Typically, I rsync the file very slowly with bwlimits and do a tail -f | grep foo. Instead of copying the whole file, I'd rather use some sort of pipe. That's all.

On Fri, Aug 28, 2009 at 2:23 PM, Matt McCutchen <m...@mattmccutchen.net> wrote:
> On Thu, 2009-08-27 at 22:57 -0400, Mag Gam wrote:
>> Is it possible to stream the content of a file using rsync to stdout instead of placing it into a file?
>
> No. Consider rdiff, which lets you call each of the three steps of the delta-transfer algorithm from a script. Or if you explain your use case further, I might have more ideas.
>
> --
> Matt
Re: Using rsync to backup remote server as root
On Thu, 27 Aug 2009 16:30:55 +1200, Nathan Ward wrote:
> --rsync-path=sudo rsync
>
> Another way to achieve something similar would be to have PermitRoot set to without-password, and then set up a key pair for remote login. In authorized_keys2, the remote access for this key pair can be limited to the rsync command.

When considering these, be sure to look at your security goals and how they're impacted.

In the sudo case, you're giving a user account the ability to run rsync as root. That is, effectively, read-write access to everything.

In the without-password case, you're giving similar access to anyone that has access to the private key (though you can limit this to a given IP address in authorized_keys2).

It goes further than this (i.e. the sudo case is also giving that read-write access to the remote user running the backup command). I'd want to give this some careful thought before choosing.

There's also the possibility of combining the two ideas. The remote user logs into a local non-root user. This is done using a key pair, and the local user has no password (so no password attacks on the local user account). The key pair, via authorized_keys2, has access only to the sudo rsync command.

- Andrew
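The combined approach Andrew describes (non-root user, key restricted to the sudo rsync command), as an added example that is not from the thread: a forced-command wrapper that only lets the key start rsync as a sender on one directory tree. It assumes a backup host that only pulls, an ALLOWED_ROOT of /srv/data, a sudoers rule for /usr/bin/rsync, and the constructed authorized_keys entry in the comments; rsync's own support/rrsync script is the production-grade version of this idea.

```python
#!/usr/bin/env python3
# Added example, not from the thread: a forced-command wrapper for the
# "key limited to the rsync command" idea on a backup host that only pulls,
# so the remote rsync always runs as '--server --sender'. Assumptions:
# readable data lives under ALLOWED_ROOT, sudoers lets the backup user run
# RSYNC as root, and the key's authorized_keys entry is the constructed
# line below. rsync's own support/rrsync is the production-grade version.
#
# authorized_keys (constructed; 'from=' pins the source address):
#   command="/usr/local/bin/rsync-only",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER... backup-key
# sudoers (constructed):
#   backup ALL=(root) NOPASSWD: /usr/bin/rsync
import os
import shlex
import sys
from typing import List, Optional

ALLOWED_ROOT = "/srv/data"   # assumed: the only tree this key may read
RSYNC = "/usr/bin/rsync"     # assumed path
DENIED = ("--remove-source-files", "--remove-sent-files")  # assumed denylist: sender options that modify data

def check_command(original: str, root: str = ALLOWED_ROOT) -> Optional[List[str]]:
    """Return the argv to exec for a permitted pull, or None to refuse.
    rsync's server-side pull form is: rsync --server --sender <flags> . <path>"""
    try:
        argv = shlex.split(original)
    except ValueError:                          # unbalanced quotes etc.
        return None
    if len(argv) < 5 or argv[:3] != ["rsync", "--server", "--sender"]:
        return None                             # anything but an rsync sender is refused
    if any(a in DENIED for a in argv[3:-2]):
        return None
    if argv[-2] != ".":
        return None                             # the fixed '.' marker must precede the path
    path = os.path.normpath(argv[-1])           # collapses /srv/data/../etc style paths
    if path != root and not path.startswith(root.rstrip("/") + "/"):
        return None
    return ["sudo", RSYNC] + argv[1:-1] + [path]

def main() -> int:
    verdict = check_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if verdict is None:
        sys.stderr.write("rsync-only: command refused\n")
        return 1
    os.execvp(verdict[0], verdict)              # replaces this process; never returns
    return 1

if __name__ == "__main__":
    sys.exit(main())
```

Refused commands return exit status 1 and a one-line message on stderr, which is what shows up in the backup job's log when a key is used for anything other than the intended pull.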
Re: snapshot support in rsync
On Fri, 28 Aug 2009 10:51:31 +0530, Jignesh Shah wrote:
> Could you please let me know if there is any way to get rid of this error message in rsync-3.0.6?

Rsync cannot do this [as far as I know], but there are other tools. For example, if you use LVM for managing your volumes (and you should if you've no other volume management in use), then you can use lvcreate -s to create a snapshot of the volume. This does as you desire: it provides an instantaneous frozen copy of the volume's content.

Be sure to remove the snapshot when it is no longer needed. They do consume increasing space in the underlying storage over time.

If you use something other than LVM, then there is likely an equivalent to lvcreate -s.

- Andrew
Re: rsync proxy
On Wed, 2009-08-26 at 22:12 +1200, Nathan Ward wrote:
> I'm trying to write an rsync 'proxy' of sorts. The plan is that my code runs on two machines (one 'client' and one 'server') and each piece of code executes a copy of rsync, and copies move in one direction (server - client).
>
> I have been able to run rsync on the 'server' end by calling it with --server --sender and so on. On the client end I have rsync call my code with -e my_code, however I am trying to make it so that on the 'client' end, I can have my code call rsync, instead of the other way around.
>
> When I call --server on the 'client' end, rsync seems to handshake OK, but I get buffer overflow errors:
>
> <snip>
> ERROR: buffer overflow in recv_rules [sender]
> rsync error: error allocating core memory buffers (code 22) at /SourceCache/rsync/rsync-35.2/rsync/util.c(121) [sender=2.6.9]
> </snip>
>
> The above is sent from the 'server' to the 'client'. Before I go delving into the code, is --server supposed to be used in this way? I am basically attempting to join two rsync processes both running --server, but only one running --sender.

No, that will not work. The rsync protocol requires one client and one server.

See https://bugzilla.samba.org/show_bug.cgi?id=5220 for some ideas on how to call an rsync client from your code and get it to use your existing connection.

> The background here is I'm writing a backup tool and need to do a few more things than rsync can do alone, but there's no point replicating the stuff that rsync *can* do. I also don't want to use the rsync daemon, nor do I want to have a user account that is remotely accessible in order to get rsync over ssh going. Yes I know there are solutions for parts of this, but I want to write this tool all the same.

Indeed, there may be better solutions for the whole thing if you explain your use case further.

--
Matt
Re: rsync proxy
On 31/08/2009, at 1:24 PM, Matt McCutchen wrote:
> On Wed, 2009-08-26 at 22:12 +1200, Nathan Ward wrote:
>> I'm trying to write an rsync 'proxy' of sorts. The plan is that my code runs on two machines (one 'client' and one 'server') and each piece of code executes a copy of rsync, and copies move in one direction (server - client).
>>
>> I have been able to run rsync on the 'server' end by calling it with --server --sender and so on. On the client end I have rsync call my code with -e my_code, however I am trying to make it so that on the 'client' end, I can have my code call rsync, instead of the other way around.
>>
>> When I call --server on the 'client' end, rsync seems to handshake OK, but I get buffer overflow errors:
>>
>> <snip>
>> ERROR: buffer overflow in recv_rules [sender]
>> rsync error: error allocating core memory buffers (code 22) at /SourceCache/rsync/rsync-35.2/rsync/util.c(121) [sender=2.6.9]
>> </snip>
>>
>> The above is sent from the 'server' to the 'client'. Before I go delving into the code, is --server supposed to be used in this way? I am basically attempting to join two rsync processes both running --server, but only one running --sender.
>
> No, that will not work. The rsync protocol requires one client and one server.

Ok, I wasn't sure whether client vs. server was inferred by the inclusion/exclusion of the --sender parameter or not. It makes sense that it is not.

> See https://bugzilla.samba.org/show_bug.cgi?id=5220 for some ideas on how to call an rsync client from your code and get it to use your existing connection.

Ok, interesting. I'm currently more or less doing what you talk about in comment #2 on that bug, as a stop gap. It's ideal that I can use a stock rsync. I think. Maybe I can include a patched one with my tool.. Then again it's not that important, it would make performance a little better but the bottleneck here is the network. Something to ponder, anyway.

>> The background here is I'm writing a backup tool and need to do a few more things than rsync can do alone, but there's no point replicating the stuff that rsync *can* do. I also don't want to use the rsync daemon, nor do I want to have a user account that is remotely accessible in order to get rsync over ssh going. Yes I know there are solutions for parts of this, but I want to write this tool all the same.
>
> Indeed, there may be better solutions for the whole thing if you explain your use case further.

Like I say, I'm writing a backup tool. The tool contains a server and a client, where one connects to the other and TLS happens to encrypt and authenticate the session. Then certain 'pre/post-backup' commands can be passed across, for example taking and mounting an LVM snapshot, flushing logs, whatever. This ability to pass some (perhaps pre-defined) commands across is a common feature of backup tools, and is obviously really useful. Intricacies of this are still being figured out. I'm trying to get the basics working first.

Using ssh+sudo for the transport+commands+etc. is a bit of a kludge, from my POV anyway.

I'm running Bacula right now, but am looking to move towards something using hard linked trees, i.e. rsync's --link-dest. I'm currently doing a full backup each month, and various daily/weekly things from that. I end up burning far too much disk space and bandwidth pulling it down fresh each month.

--
Nathan Ward