Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach

2022-03-14 Thread Nick Cleaton via rsync
On Sat, 12 Mar 2022 at 08:45, Florian Sager via rsync wrote:

> Hi,
>
> I gave up using rrsync some years ago because of
> a) potential security issues with path references that can occur within
> the rsync execution in the call of rrsync
> b) possibly unmatched rsync options (rrsync must be kept up-to-date to
> match new options _and_ some options need to be intentionally removed that
> may be required)
>
> So my solution on this is:
>
> - a login script (with suid bit in my case)
>
> - that creates/starts a docker image that limits path access and maps libs
> / rsync binary to be available in a limited environment, e.g. "alpine"
>
> DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only --rm
> --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro -v
> /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
> $DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE
> $SSH_ORIGINAL_COMMAND 2>/dev/null
>
> If anybody sees security problems with this approach please tell us.
>

I like the approach of using mounts to limit the paths that rsync can
interact with, using docker like this or something else such as
https://github.com/google/nsjail - but I might be a bit worried about
allowing the user to run whatever commands they like, even inside such a
tightly restricted container, if the client is at a much lower level of
trust than the server.

There's no reason that this can't be combined with rrsync or any of the
other methods described in this thread, for a "belt and braces" approach.

My personal favorite (which hasn't been mentioned yet) is to use rsync in
daemon mode over ssh. You set the forced command in the authorized_keys
line to something like "rsync --server --daemon --config
/path/to/rsyncd.conf" and in that config file you define rsyncd modules to
allow read/write or read-only access to various directories. You have to
call it differently in the client though, for example with a "target"
rsyncd module:

rsync -e ssh -a /foo "$server_hostname"::target/foo

... so I don't think this would work with the ansible rsync module without
some hackery like adding a script to act as the local rsync client binary
and having that script transform its arguments and call the real rsync.
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
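
The "hackery" mentioned at the end of the message above, as an added sketch that is not code from the thread or from rsync: a stand-in rsync client that rewrites host:/path arguments into the host::module/path form before calling the real rsync. The module name "target", its root /srv/target, the path of the real binary and the server-side settings shown in the comments are assumptions.

```shell
#!/bin/sh
# Stand-in "rsync" client for daemon mode over ssh (illustrative sketch).
#
# Assumed server side, following the description in the message above:
#   authorized_keys:
#     command="rsync --server --daemon --config /path/to/rsyncd.conf" <public key>
#   /path/to/rsyncd.conf (chroot is switched off because it needs root):
#     [target]
#         path = /srv/target
#         read only = false
#         use chroot = false
#
# MODULE_NAME, MODULE_ROOT and REAL_RSYNC are assumptions for this example.
MODULE_NAME=target
MODULE_ROOT=/srv/target
REAL_RSYNC=/usr/bin/rsync

# to_daemon_spec ARG
# Prints ARG unchanged unless it is a remote-shell spec "[user@]host:/path".
# Such a spec is rewritten to "[user@]host::module/relative-path"; it is
# refused (status 1) when /path is outside MODULE_ROOT or contains "..".
to_daemon_spec() {
    arg=$1
    case $arg in
        -*|/*|./*|*::*|rsync://*)   # option, local path, already daemon syntax
            printf '%s\n' "$arg"; return 0 ;;
        *:*) ;;                     # candidate host:path
        *)  printf '%s\n' "$arg"; return 0 ;;
    esac
    host=${arg%%:*}
    path=${arg#*:}
    case $host in
        */*|*' '*|'')               # "dir/a:b" or an option value, not a host
            printf '%s\n' "$arg"; return 0 ;;
    esac
    case "$path/" in
        */../*) return 1 ;;         # no climbing out of the module
        "$MODULE_ROOT"/*) ;;        # inside the module: rewrite below
        *) return 1 ;;              # outside the module: refuse, do not guess
    esac
    rel=${path#"$MODULE_ROOT"}
    rel=${rel#/}
    printf '%s::%s/%s\n' "$host" "$MODULE_NAME" "$rel"
}

# Rewrite every argument, then hand over to the real rsync. The caller must
# still pass -e/--rsh (as in the command above) so that "::" goes over ssh.
rewrite_and_run() {
    n=$#
    while [ "$n" -gt 0 ]; do
        new=$(to_daemon_spec "$1") || { echo "refusing remote path: $1" >&2; return 1; }
        shift
        set -- "$@" "$new"
        n=$((n - 1))
    done
    exec "$REAL_RSYNC" "$@"
}

case ${0##*/} in
    rsync)                          # installed as the client-side "rsync"
        rewrite_and_run "$@" ;;
    *)                              # run directly: show constructed samples
        for a in -a /foo 'deploy@web1:/srv/target/foo' 'deploy@web1:/etc'; do
            to_daemon_spec "$a" || echo "refused: $a"
        done ;;
esac
```

Remote paths outside the module are refused rather than passed through, so a misconfigured caller fails loudly instead of falling back to a plain remote-shell transfer.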


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-13 Thread Carson Gaspar via rsync

On 3/11/2022 4:39 AM, Dr. Mark Asbach via rsync wrote:
> a) Using ssh-askpass, we can use the options -e "ssh -X"
> --rsync-path="sudo -A rsync" (see https://askubuntu.com/a/1167758).
> The problem in our scenario is that using ansible, we run the
> identical rsync command on multiple hosts in parallel (we target about
> 32 VMs in one go). So the person running the script would have to
> enter the password into 32 dialogs exactly at the time they pop up.


You could use ssh-agent instead, and add either an ssh public key PAM 
module to sudo's stack (e.g. pam_ssh_agent_auth) or an ssh certificate 
PAM module (e.g. pam_ussh). Sadly, I'm unaware of a PAM module that 
supports both.







Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread raf via rsync
On Fri, Mar 11, 2022 at 10:36:49PM -0800, Bri Hatch via rsync wrote:

> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync wrote:
> 
> > Rsync includes a script named rrsync that handles this perfectly.
> 
> And authprogs provides similar functionality, though you use yaml to define
> what is/isn't allowed. However it does allow you to use one SSH identity
> for potentially many different source dirs rather than requiring a separate
> authorized_key entry for each forced command.
> 
> example:
> 
> - rule_type: rsync
>   allow_download: true
>   allow_recursive: true
>   paths:
>     - /etc
>     - /srv/freezeray
>   path_startswith:
>     - /srv/web
> 
> https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules

And there's sshdo as well: https://github.com/raforg/sshdo
Like authprogs, it also works with any command, not just rsync.
And it almost configures itself with a learning mode to monitor
commands that need to be allowed. And it can relearn if commands
need to change over time, and unlearn old commands that are no
longer needed.

cheers,
raf




Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Richard Hector via rsync

On 12/03/22 19:36, Bri Hatch via rsync wrote:
> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync wrote:
>
>> Rsync includes a script named rrsync that handles this perfectly.
>
> And authprogs provides similar functionality, though you use yaml to
> define what is/isn't allowed.


Thanks - I didn't look at this earlier. It looks like a more general 
alternative to my dirvish one. I'll have to investigate further.


Though my use of ansible has given me a general dislike of yaml :-)

Cheers,
Richard



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Dr. Mark Asbach via rsync
Hi there,

Thanks for your feedback!

> Bear in mind, putting a password in an environment variable can be seen by 
> other users on the same system with "ps auxwwe".


Sure. But in my scenario, the control host is considered a „safe“ developer 
machine, while the target host is considered the „unsafe“ environment. I use 
this command on my laptop to deploy to lots of cloud machines – there’s no one 
other than me on my laptop (hopefully ;-)), but instead, I’d like to keep the 
target machine configurations as secure as possible (no passwordless sudo, no 
root login).

> The environment variables of a process when it was started are available via 
> /proc//environ file. So while other users on that system can't see the 
> environ, every other process running as your target user could.
>
> Worse, however, your "echo" process puts the password in arguments, and any 
> local user can see program name and args for all running processes. That's a 
> no-no.

Hm, I’m not sure I understand the implications. The whole password handling 
happens on the machine where I execute rsync (it’s done in "--rsh" not in 
"--rsync-path") – which in my scenario is a developer’s laptop. So it’s not the 
target users that can see the environment but only my own account on my own 
developer machine.

Plus, I don’t understand what you mean by „putting the password in 
arguments“. The environment variable expansion happens on my control machine 
exactly at the time when rsync tries to establish a connection to the target 
machine by running the shell code from --rsh inside a shell. This will create a 
subshell for echo and cat where the environment variable is read and written to 
stdout. stdout is then piped through ssh to the remote machine where "sudo -S" 
reads it on its stdin. It is never in any argument list.

Please correct me if I’m wrong here.

Best,
Mark



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Bri Hatch via rsync
The environment variables of a process when it was started are available
via /proc//environ file. So while other users on that system can't see
the environ, every other process running as your target user could.

Worse, however, your "echo" process puts the password in arguments, and any
local user can see program name and args for all running processes. That's
a no-no.



On Sat, Mar 12, 2022 at 2:14 PM Dan Stromberg via rsync <
rsync@lists.samba.org> wrote:

>
> On Sat, Mar 12, 2022 at 12:23 PM Dr. Mark Asbach via rsync <
> rsync@lists.samba.org> wrote:
>
>> Hi there, hi past me,
>>
>> > My (non-working) attempt:
>> > […]
>> > So it seems the "-l" is dropped into the void letting ssh assume USER
>> was the target host? I don’t actually get what I can do.
>>
>> Turns out, I have to write down the description of my issue and then send
>> the email before I magically understand the solution ;-)
>>
>> Here’s a working example that does not need a wrapper script:
>>
>> PASSWORD= rsync -vv --delete-after --delay-updates \
>>   --rsh='/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"' \
>>   --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR
>>
>> The trick was actually to add "$0" because $* will drop the first
>> argument from the list as this typically is the name of the script itself
>> (duh!).
>>
>> Hope this is of help to anyone,
>>
>
> Cool, glad you found a solution you're happy with.
>
> Bear in mind, putting a password in an environment variable can be seen by
> other users on the same system with "ps auxwwe".
>
>


-- 
Bri Hatch

"Quite mad, they say. It is good that Zathras does not mind. He's even grown
 to like it. Oh yes."


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Dan Stromberg via rsync
On Sat, Mar 12, 2022 at 12:23 PM Dr. Mark Asbach via rsync <
rsync@lists.samba.org> wrote:

> Hi there, hi past me,
>
> > My (non-working) attempt:
> > […]
> > So it seems the "-l" is dropped into the void letting ssh assume USER
> was the target host? I don’t actually get what I can do.
>
> Turns out, I have to write down the description of my issue and then send
> the email before I magically understand the solution ;-)
>
> Here’s a working example that does not need a wrapper script:
>
> PASSWORD= rsync -vv --delete-after --delay-updates \
>   --rsh='/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"' \
>   --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR
>
> The trick was actually to add "$0" because $* will drop the first argument
> from the list as this typically is the name of the script itself (duh!).
>
> Hope this is of help to anyone,
>

Cool, glad you found a solution you're happy with.

Bear in mind, putting a password in an environment variable can be seen by
other users on the same system with "ps auxwwe".


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Dr. Mark Asbach via rsync
Hi there, hi past me,

> My (non-working) attempt:
> […]
> So it seems the "-l" is dropped into the void letting ssh assume USER was the 
> target host? I don’t actually get what I can do.

Turns out, I have to write down the description of my issue and then send the 
email before I magically understand the solution ;-)

Here’s a working example that does not need a wrapper script:

PASSWORD= rsync -vv --delete-after --delay-updates \
  --rsh='/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"' \
  --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR

The trick was actually to add "$0" because $* will drop the first argument from 
the list as this typically is the name of the script itself (duh!).

Hope this is of help to anyone,
Mark



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Dr. Mark Asbach via rsync
Hi everyone,

Thanks for all the ideas! Meanwhile, I’ve made some progress because there was 
another answer on "ask ubuntu" that got absolutely no interaction but that is a 
brilliant solution:

https://askubuntu.com/a/1263657 :

> just create a wrapper script for the ssh command.
> ssh_sudo:
> {
>   echo $PASSWORD;
>   cat - ;
> } | ssh $* &
>
> At first, this passes the password to the ssh client's sudo process in order 
> to start rsync on the remote side. Next all input coming from the local rsync 
> is piped to ssh.
> Finally call rsync e.g. with:
> PASSWORD= rsync -avzue ssh_sudo --rsync-path "sudo -S rsync" SRC DST
>
> I guess the security aspect here is not that bad, you'll only have to save 
> the password locally as env var. Reading it from a file should work as well...


As it doesn’t need an argpass-script on the target side, but uses a wrapper for 
ssh on the HOST side to inject the password from an environment variable, it’s 
pretty convenient for my use case. Plus, there’s the added bonus of not having 
the password logged anywhere.

Ideally, I would now like to get rid of the helper script, so it’s a single 
rsync command that is left. I’m struggling with this but there’ll hopefully be 
some bash quoting wizards that can tell me where the issue is.

My (non-working) attempt:

PASSWORD= rsync -vv --delete-after --delay-updates \
  --rsh='/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $* &"' \
  --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR

This gets mangled by rsync in some non-working way, but I actually don’t 
understand enough of shell magic to solve this:

opening connection using: /bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i 
~/.ssh/id.key $* &" -l USER HOST "sudo -S rsync" --server -vvvlDtrze.iLsfxCIvu 
"--log-format=%i" --delete-after --delay-updates . DESTDIR  (14 args)
ssh: Could not resolve hostname USER: nodename nor servname provided, or not 
known
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(228) 
[sender=3.2.3]

So it seems the "-l" is dropped into the void letting ssh assume USER was the 
target host? I don’t actually get what I can do.

Anyway, I think the original answer on "ask ubuntu" is quite helpful. 
Unfortunately, I don’t have enough „reputation points“ to upvote the answer nor 
to comment …

Happy syncing,
Mark



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach

2022-03-12 Thread Florian Sager via rsync

Hi,

I gave up using rrsync some years ago because of
a) potential security issues with path references that can occur within 
the rsync execution in the call of rrsync
b) possibly unmatched rsync options (rrsync must be kept up-to-date to 
match new options _and_ some options need to be intentionally removed 
that may be required)


So my solution on this is:

- a login script (with suid bit in my case)

- that creates/starts a docker image that limits path access and maps 
libs / rsync binary to be available in a limited environment, e.g. "alpine"


DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only 
--rm --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro 
-v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
$DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE 
$SSH_ORIGINAL_COMMAND 2>/dev/null


If anybody sees security problems with this approach please tell us.

Best regards
Florian



On 12.03.22 at 07:36, Bri Hatch via rsync wrote:

On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync wrote:


Rsync includes a script named rrsync that handles this perfectly.


And authprogs provides similar functionality, though you use yaml to 
define what is/isn't allowed. However it does allow you to use one SSH 
identity for potentially many different source dirs rather than 
requiring a separate authorized_key entry for each forced command.


example:

- rule_type: rsync
  allow_download: true
  allow_recursive: true
  paths:
    - /etc
    - /srv/freezeray
  path_startswith:
    - /srv/web

https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules



On 3/12/22 01:08, Richard Hector via rsync wrote:
> On 12/03/22 18:38, Richard Hector via rsync wrote:
>> And I do my backups (using dirvish) as root, using a key with a forced
>> command.
>
> FWIW, that forced command is here:
>
> https://github.com/rwhector/dirvish-forced-command
>
> It's rather unpolished and undocumented, but comments very welcome :-)
>
> I've also had an issue due to some server-side-only arguments to rsync
> being undocumented, which means I can't validate them, and basically
> have to accept anything ... I'd love to know why this is or has to be
> the case :-) I didn't get any particularly useful answers back in
> January 2019 ...
>
> Cheers,
> Richard
>

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,

        Kevin Korb                      Phone:    (407) 252-6853
        Systems Administrator           Internet:
        FutureQuest, Inc. ke...@futurequest.net  (work)
        Orlando, Florida k...@sanitarium.net (personal)
        Web page: https://sanitarium.net/
        PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,




--
Bri Hatch

"Quite mad, they say. It is good that Zathras does not mind. He's even grown
 to like it. Oh yes."



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Richard Hector via rsync
Also, it appears that it requires the allowed directory to be specified 
in authorized_keys. Mine uses an external list of allowed directories, 
so I don't need lots of lines (and separate keys?) in authorized_keys in 
order to deal with the several directories I back up per host.


Cheers,
Richard

On 12/03/22 21:01, Richard Hector via rsync wrote:
> It may do the job; it doesn't AFAIK explain why the options are
> undocumented :-)
>
> Cheers,
> Richard
>
> On 12/03/22 19:22, Kevin Korb via rsync wrote:
>> Rsync includes a script named rrsync that handles this perfectly.
>>
>> On 3/12/22 01:08, Richard Hector via rsync wrote:
>>> On 12/03/22 18:38, Richard Hector via rsync wrote:
>>>> And I do my backups (using dirvish) as root, using a key with a
>>>> forced command.
>>>
>>> FWIW, that forced command is here:
>>>
>>> https://github.com/rwhector/dirvish-forced-command
>>>
>>> It's rather unpolished and undocumented, but comments very welcome :-)
>>>
>>> I've also had an issue due to some server-side-only arguments to
>>> rsync being undocumented, which means I can't validate them, and
>>> basically have to accept anything ... I'd love to know why this is or
>>> has to be the case :-) I didn't get any particularly useful answers
>>> back in January 2019 ...
>>>
>>> Cheers,
>>> Richard
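
A forced command that checks the request against an external list of allowed directories, as described at the top of this message, could look like the following. This is an added sketch, not the code of dirvish-forced-command, rrsync or authprogs; the directory list, the small option allowlist (taken from options visible elsewhere in this thread), the binary path and the sample requests are assumptions constructed for illustration.

```shell
#!/bin/sh
# Forced-command sketch: accept only "rsync --server ..." requests whose
# paths lie under a directory from an external allowlist.
# All names, paths and sample requests here are constructed for illustration.

# Newline-separated absolute directories. Assumption: a real deployment
# would load this from a root-owned file instead of embedding it.
ALLOWED_DIRS='/srv/backup
/var/www'
REAL_RSYNC=/usr/bin/rsync   # assumed location of the real binary

# path_allowed PATH -> status 0 if PATH is, or is below, an allowed directory
path_allowed() {
    p=${1%/}
    case $p in
        /*) ;;
        *) return 1 ;;                  # relative or empty: refuse
    esac
    case "$p/" in
        */../*|*/./*|*//*) return 1 ;;  # no traversal or odd components
    esac
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        case "$p/" in
            "$d"/*) return 0 ;;
        esac
    done <<EOF
$ALLOWED_DIRS
EOF
    return 1
}

# check_command STRING -> status 0 if STRING is an acceptable server request
check_command() {
    set -f                              # no globbing while splitting
    set -- $1
    set +f
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    seen_dot=0
    npaths=0
    for arg in "$@"; do
        case $arg in
            *[!A-Za-z0-9_./=%@:,+-]*) return 1 ;;   # unexpected character
        esac
        if [ "$seen_dot" -eq 0 ]; then
            case $arg in
                .) seen_dot=1 ;;        # paths follow the lone "."
                --sender|--delete-after|--delay-updates|--log-format=*) ;;
                --*) return 1 ;;        # long option not on the allowlist
                -?*) ;;                 # bundled short flags
                *) return 1 ;;          # separate option value: refuse
            esac
        else
            path_allowed "$arg" || return 1
            npaths=$((npaths + 1))
        fi
    done
    [ "$npaths" -gt 0 ]
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    # Invoked by sshd as the forced command.
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        set -f
        set -- $SSH_ORIGINAL_COMMAND    # split on whitespace, no shell evaluation
        shift                           # drop the client-supplied "rsync"
        exec "$REAL_RSYNC" "$@"
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
else
    # Run by hand: show the verdict for constructed sample requests.
    for c in \
        'rsync --server -vlogDtprze.iLsfxC --delete-after . /srv/backup/host1/' \
        'rsync --server -vlogDtprze.iLsfxC . /etc/' \
        'rsync --server -vlogDtprze.iLsfxC --temp-dir /tmp . /srv/backup/host1/'
    do
        if check_command "$c"; then echo "allow  $c"; else echo "reject $c"; fi
    done
fi
```

The long-option allowlist is the part that has to be kept up to date with rsync, which is the maintenance cost raised earlier in the thread; anything it does not recognise is refused.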











Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Richard Hector via rsync
It may do the job; it doesn't AFAIK explain why the options are 
undocumented :-)


Cheers,
Richard

On 12/03/22 19:22, Kevin Korb via rsync wrote:
> Rsync includes a script named rrsync that handles this perfectly.
>
> On 3/12/22 01:08, Richard Hector via rsync wrote:
>> On 12/03/22 18:38, Richard Hector via rsync wrote:
>>> And I do my backups (using dirvish) as root, using a key with a
>>> forced command.
>>
>> FWIW, that forced command is here:
>>
>> https://github.com/rwhector/dirvish-forced-command
>>
>> It's rather unpolished and undocumented, but comments very welcome :-)
>>
>> I've also had an issue due to some server-side-only arguments to rsync
>> being undocumented, which means I can't validate them, and basically
>> have to accept anything ... I'd love to know why this is or has to be
>> the case :-) I didn't get any particularly useful answers back in
>> January 2019 ...
>>
>> Cheers,
>> Richard








Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-11 Thread Bri Hatch via rsync
On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync wrote:

> Rsync includes a script named rrsync that handles this perfectly.
>

And authprogs provides similar functionality, though you use yaml to define
what is/isn't allowed. However it does allow you to use one SSH identity
for potentially many different source dirs rather than requiring a separate
authorized_key entry for each forced command.

example:

- rule_type: rsync
  allow_download: true
  allow_recursive: true
  paths:
    - /etc
    - /srv/freezeray
  path_startswith:
    - /srv/web

https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules




>
> On 3/12/22 01:08, Richard Hector via rsync wrote:
> > On 12/03/22 18:38, Richard Hector via rsync wrote:
> >> And I do my backups (using dirvish) as root, using a key with a forced
> >> command.
> >
> > FWIW, that forced command is here:
> >
> > https://github.com/rwhector/dirvish-forced-command
> >
> > It's rather unpolished and undocumented, but comments very welcome :-)
> >
> > I've also had an issue due to some server-side-only arguments to rsync
> > being undocumented, which means I can't validate them, and basically
> > have to accept anything ... I'd love to know why this is or has to be
> > the case :-) I didn't get any particularly useful answers back in
> > January 2019 ...
> >
> > Cheers,
> > Richard
> >
>
> --
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
> Kevin Korb                      Phone:    (407) 252-6853
> Systems Administrator           Internet:
> FutureQuest, Inc.               ke...@futurequest.net  (work)
> Orlando, Florida                k...@sanitarium.net (personal)
> Web page:                       https://sanitarium.net/
> PGP public key available on web site.
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
>
>


-- 
Bri Hatch

"Quite mad, they say. It is good that Zathras does not mind. He's even grown
 to like it. Oh yes."


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-11 Thread Kevin Korb via rsync

Rsync includes a script named rrsync that handles this perfectly.

On 3/12/22 01:08, Richard Hector via rsync wrote:
> On 12/03/22 18:38, Richard Hector via rsync wrote:
>> And I do my backups (using dirvish) as root, using a key with a forced
>> command.
>
> FWIW, that forced command is here:
>
> https://github.com/rwhector/dirvish-forced-command
>
> It's rather unpolished and undocumented, but comments very welcome :-)
>
> I've also had an issue due to some server-side-only arguments to rsync
> being undocumented, which means I can't validate them, and basically
> have to accept anything ... I'd love to know why this is or has to be
> the case :-) I didn't get any particularly useful answers back in
> January 2019 ...
>
> Cheers,
> Richard



--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
Kevin Korb                      Phone:    (407) 252-6853
Systems Administrator           Internet:
FutureQuest, Inc.               ke...@futurequest.net  (work)
Orlando, Florida                k...@sanitarium.net (personal)
Web page:                       https://sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-11 Thread Richard Hector via rsync

On 12/03/22 18:38, Richard Hector via rsync wrote:
> And I do my backups (using dirvish) as root, using a key with a forced
> command.


FWIW, that forced command is here:

https://github.com/rwhector/dirvish-forced-command

It's rather unpolished and undocumented, but comments very welcome :-)

I've also had an issue due to some server-side-only arguments to rsync 
being undocumented, which means I can't validate them, and basically 
have to accept anything ... I'd love to know why this is or has to be 
the case :-) I didn't get any particularly useful answers back in 
January 2019 ...


Cheers,
Richard



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-11 Thread Richard Hector via rsync

On 12/03/22 06:06, Dr. Mark Asbach via rsync wrote:
> Hi Dan,
>
>> Why not rsync directly as root?  Then you can use a passwordless,
>> passphraseless RSA (or similar) keypair.

I'm not saying I agree with this, but ...

> That’s because these are cloud instances that get maintained by multiple
> admins. If we require all of them to log in as root, we would have to share the
> root password

Not if you use ssh keys - just put each admin's public key in root's
authorized_keys file.

> – and that would on one hand be a security/maintainability issue (if
> one person leaves the team, we’ll have to change and redistribute the
> root password),

Just delete their key.

> on the other hand it would violate accountability (log files would
> only show logins by „root“ and after an issue, there would be no chance
> to know whom to ask about strange things).

Harder, I think. I think with verbose logging, you can see the
fingerprint of the key that was used, but that seems a bit messy.

> Both are the typical reasons for not using root accounts but going for
> sudo instead …

I tend to agree with using sudo :-)

OTOH, I have an ansible user that can sudo with no password.

And I do my backups (using dirvish) as root, using a key with a forced
command.

Maybe that's an option? Each admin has a special key pair for this
purpose, that allows login as root, but has a forced command on the
server to do this rsync?


Cheers,
Richard



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-11 Thread Wayne Davison via rsync
On Fri, Mar 11, 2022 at 4:57 AM Dr. Mark Asbach via rsync <
rsync@lists.samba.org> wrote:

> b) Passing the password to sudo via stdin using --rsync-path "echo
> MYPASSWORD | sudo -S rsync" (see https://askubuntu.com/a/1155897).


In that ask-ubuntu example they are running a client rsync via sudo, not
the server side.  The server requires the socket to be on stdin, so you
can't use stdin earlier on the command-line for something else.

One thing you could do is to create a custom askpass script that provides
the password on stdout. You must put that script on each remote system
because the SUDO_ASKPASS environment variable must only contain a program
name, so it will not allow a one-line remote invocation (i.e.
SUDO_ASKPASS="echo FOO" fails). For example, create a shell script named
something like echo-askpass:

#!/bin/sh
echo "$SUDO_PASS"

and then use this option to rsync:

--rsync-path "SUDO_ASKPASS=/path/echo-askpass SUDO_PASS=MYPASS sudo -A
rsync"

You could simplify that by moving those environment variables into your
ansible config, perhaps by grabbing the password out of the ansible vault
or having ansible prompt the user. That would let you run "sudo -A rsync"
and not have the password in the command.  The ansible docs detail how to
set remote environment variables.

..wayne..


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-11 Thread Dr. Mark Asbach via rsync
Hi Dan,

> Why not rsync directly as root?  Then you can use a passwordless, 
> passphraseless RSA (or similar) keypair.

That’s because these are cloud instances that get maintained by multiple 
admins. If we require all of them to log in as root, we would have to share the 
root password – and that would on one hand be a security/maintainability issue 
(if one person leaves the team, we’ll have to change and redistribute the root 
password), on the other hand it would violate accountability (log files would 
only show logins by „root“ and after an issue, there would be no chance to know 
whom to ask about strange things). Both are the typical reasons for not using 
root accounts but going for sudo instead …

Thanks anyway. Every idea helps!

Mark



Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-11 Thread Dan Stromberg via rsync
Why not rsync directly as root?  Then you can use a passwordless,
passphraseless RSA (or similar) keypair.

On Fri, Mar 11, 2022 at 4:58 AM Dr. Mark Asbach via rsync <
rsync@lists.samba.org> wrote:

> Hi there,
>
> We are using ansible to deploy system configuration and web application
> source code to clusters of Linux computers. One part of this process
> requires transferring large directories to the target hosts, which is done
> using the „synchronize“ command in ansible that is in turn a wrapper around
> rsync. This works great in most scenarios, but we run into an issue with a
> specific (albeit for us: prominent) use case:
>
> - We try to have rsync connect over ssh using a non-privileged user
> account.
> - The account is set up for publickey authentication, so we can use ‚rsync
> -e „ssh -i /home/user/.ssh/some_id“‘.
> - On the target side, we want to escalate privileges for rsync, which we
> try using ‚rsync --rsync-path=„sudo rsync“‘.
>
> This whole scenario works fine, as long as for the ssh account we use for
> logging in, passwordless sudo is set up on the target. For security
> reasons, we do not want to go this route. Instead, we want to supply the
> user’s password for gaining privileges. On the web, I’ve found two
> suggestions for solving this:
>
> a) Using ssh-askpass, we can use the options -e "ssh -X"
> --rsync-path="sudo -A rsync" (see https://askubuntu.com/a/1167758). The
> problem in our scenario is that using ansible, we run the identical rsync
> command on multiple hosts in parallel (we target about 32 VMs in one go).
> So the person running the script would have to enter the password into 32
> dialogs exactly at the time they pop up.
>
> b) Passing the password to sudo via stdin using --rsync-path "echo
> MYPASSWORD | sudo -S rsync" (see https://askubuntu.com/a/1155897). This
> has the potential security implication that if the calling line is stored
> somewhere in a shell history file of the control host, the password will be
> breached, but there’s a couple of measures we can take to mitigate that.
> However, I fail at getting this to run.
>
> Here’s a sample command that I get out of a patched ansible „synchronize“
> command. I’m trying to connect to an Ubuntu 18.04 VM with the user account
> „mark“ that is in the „sudoers“ group but does not have „NOPASSWD“ set, so
> running „sudo“ for the first time in a session will require entering the
> password for „mark“ which here is „test“:
>
> rsync --delay-updates -F --compress --delete-after --archive --no-perms
> --no-owner --no-group --rsh='/usr/bin/ssh -S none -i ~/ssh/some_private_key
> -o Port= -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
> --rsync-path='echo test | sudo -S -u root rsync 2>/dev/null'
> --out-format='<>%i %n%L' ~/test_source_dir mark@127.0.0.1:
> /some/test_target_dir
>
> This is what I get:
> > Warning: Permanently added '[127.0.0.1]:' (ED25519) to the list of
> known hosts.
> > rsync: connection unexpectedly closed (0 bytes received so far) [sender]
>
> As far as I understand, this could be due to "sudo -S" prompting for the
> password and that prompt interfering with the rsync communications.
> However, I’m out of ideas what I could do to get around that.
>
> Help would be greatly appreciated ;-)
>
> Thanks and greetings from Cologne,
> Mark