Hi,

I added a few things to allow the rsync daemon more refined authorization and authentication than the current implementation. The attached patch file is against the 3.0.6 version.

Additions:

1. allow the uid and gid used to access a certain module to be determined by the authenticated user -
   uid = __auth__ will use the auth_user's uid
   gid = __auth__ will use the auth user's main group's gid

2. seteuid and not just setuid

3. added "rw users" to allow read/write access to a module, "ro users" to allow read only access to a module and "deny users".
   "read only" on the module overrides the user's authorization.

4. added support for groups - with a '@' prefix. For instance: "auth users = tridge, susan, @rsync_users"

Authorization logic:

1. If the ACL contains a user-specific rule that matches the user, then the user is granted rights according to this rule (including denying access if the permission is none).
2. If the ACL contains a group-rule that denies access of a group the user belongs to (permission=none), then access is denied.
3. If the ACL contains a group-rule that grants read/write access to a group the user belongs to, then the user gets read/write access.
4. If the ACL contains a group-rule that grants read-only access to a group the user belongs to, then the user gets read-only access.
5. The user is authorized access (for backward compatibility with older rsync versions).

Please consider committing this patch for future releases of rsync.

Thanks,
Amir

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsync_auth.patch
Type: application/octet-stream
Size: 10455 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/rsync/attachments/20090826/c7cd1d74/attachment.obj>
A slightly better patch file (removed some warnings).

On Wed, Aug 26, 2009 at 5:52 PM, Amir Rapson <amir.rapson at gmail.com> wrote:
> Hi,
>
> I added a few things to allow the rsync daemon more refined
> authorization and authentication than the current implementation.
> The attached patch file is against the 3.0.6 version.
>
> Additions:
> 1. allow the uid and gid used to access a certain module to be
> determined by the authenticated user -
>    uid = __auth__ will use the auth_user's uid
>    gid = __auth__ will use the auth user's main group's gid
>
> 2. seteuid and not just setuid
>
> 3. added "rw users" to allow read/write access to a module, "ro users"
> to allow read only access to a module and "deny users".
>    "read only" on the module overrides the user's authorization.
>
> 4. added support for groups - with a '@' prefix. For instance: "auth
> users = tridge, susan, @rsync_users"
>
> Authorization logic:
> 1. If the ACL contains a user-specific rule that matches the user,
> then the user is granted rights according to this rule (including
> denying access if the permission is none).
> 2. If the ACL contains a group-rule that denies access of a group the
> user belongs to (permission=none), then access is denied.
> 3. If the ACL contains a group-rule that grants read/write access to a
> group the user belongs to, then the user gets read/write access.
> 4. If the ACL contains a group-rule that grants read-only access to a
> group the user belongs to, then the user gets read-only access.
> 5. The user is authorized access (for backward compatibility with
> older rsync versions).
>
> Please consider committing this patch for future releases of rsync.
>
> Thanks,
> Amir
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rsync_auth.patch
Type: application/octet-stream
Size: 10586 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/rsync/attachments/20090830/6d4012fb/attachment.obj>
So, I've tweaked your patch, and you'll find the results in the git version of rsync and (currently) in a patch. Here are some details:

> 1. allow the uid and gid used to access a certain module to be
> determined by the authenticated user -
>    uid = __auth__ will use the auth_user's uid
>    gid = __auth__ will use the auth user's main group's gid

I changed this to use a new environment-variable expanding idiom in the config file. So, the above would be written like this:

    uid = %RSYNC_USER_NAME%
    gid = *

The "*" setting was an already-implemented feature in the git repo which expands into the uid user's groups.

> 2. seteuid and not just setuid

Applied.

> 3. added "rw users" to allow read/write access to a module, "ro users"
> to allow read only access to a module and "deny users". "read only"
> on the module overrides the user's authorization.
>
> 4. added support for groups - with a '@' prefix. For instance: "auth
> users = tridge, susan, @rsync_users"

I changed this to keep a single "auth users" setting, but did not commit it to git (at least, not yet). I created a patch named group-auth.diff, which you can find here:

    http://gitweb.samba.org/?p=rsync-patches.git;a=tree

These patches apply to the current git-repo version of rsync. In the group-auth patch you'll find your @group idiom for specifying a group name (as in your patch, if the username is a real user, that real-user's groups are compared against the @group items). I changed your ro, rw, and deny settings to be specified via suffixes. For example:

    auth user = joe:deny admin:rw @rsync:ro susan

This makes the logic very easy to figure out, since we just match each item in order and go with the first match. That makes the deny suffix's job to override an authorization that would succeed in a later match. In my patch, the module's "read only" setting is the default, and the ro/rw suffix of the first matching rule overrides that value.
I also added the ability to put a @group password in the secrets file, so if you define "@rsync:secret", that lets anyone in the rsync group login with that password (a group-matching rule looks for either a user password or a group password, while a user-matching rule only looks for a user password). Potential backward incompatibility: usernames used to be able to start with a @ and (surprisingly, given the syntax of the secrets file) even contain a colon. If anyone likes/dislikes this, please feel free to comment. ..wayne..
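The two messages above describe two different ways of resolving the same "auth users" line: Amir's priority-ordered steps 1-5 (user rule, then group deny, group rw, group ro, then the module default, with the module's "read only" always winning) and Wayne's first-match walk where the first matching item decides and its ro/rw suffix overrides the module default. The following C program is an added example, not code from rsync or from either patch, that implements both resolvers side by side so the difference can be checked on concrete inputs. It assumes a constructed user-to-group table in place of getgrouplist(), folds Amir's separate "rw users", "ro users" and "deny users" lists into Wayne's suffix notation so both functions can read the same spec, and treats the input to priority_access() as a user who has already passed the "auth users" check. The function names first_match_access and priority_access are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Access a user ends up with for a module. */
typedef enum { ACC_DENY = 0, ACC_RO = 1, ACC_RW = 2, ACC_UNSET = 3 } access_t;

/* One item of an "auth users" line, e.g. "joe:deny" or "@rsync:ro". */
typedef struct {
    char name[32];  /* user name, or group name with the '@' stripped */
    bool is_group;  /* item was written with a leading '@' */
    access_t acc;   /* :deny, :ro, :rw, or ACC_UNSET for a bare item */
} rule_t;

/* Constructed user->group table (assumption); a daemon would use getgrouplist(). */
static const struct { const char *user, *group; } GROUPS[] = {
    {"joe", "rsync"}, {"susan", "rsync"}, {"bob", "rsync"}, {"admin", "wheel"},
};

static bool user_in_group(const char *user, const char *group) {
    for (size_t i = 0; i < sizeof GROUPS / sizeof GROUPS[0]; i++)
        if (!strcmp(GROUPS[i].user, user) && !strcmp(GROUPS[i].group, group))
            return true;
    return false;
}

/* Split a space/comma separated spec into rules. Returns the count, or -1 on
 * an unknown suffix so that callers can fail closed instead of guessing. */
static int parse_rules(const char *spec, rule_t *out, int max) {
    char buf[256];
    int n = 0;
    strncpy(buf, spec, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " ,"); tok && n < max; tok = strtok(NULL, " ,")) {
        rule_t *r = &out[n++];
        char *colon = strchr(tok, ':');
        r->acc = ACC_UNSET;
        if (colon) {
            *colon = '\0';
            if (!strcmp(colon + 1, "deny")) r->acc = ACC_DENY;
            else if (!strcmp(colon + 1, "ro")) r->acc = ACC_RO;
            else if (!strcmp(colon + 1, "rw")) r->acc = ACC_RW;
            else return -1;
        }
        r->is_group = (tok[0] == '@');
        strncpy(r->name, r->is_group ? tok + 1 : tok, sizeof r->name - 1);
        r->name[sizeof r->name - 1] = '\0';
    }
    return n;
}

static bool rule_matches(const rule_t *r, const char *user) {
    return r->is_group ? user_in_group(user, r->name) : strcmp(r->name, user) == 0;
}

/* Wayne's scheme: items are tried in order and the first match wins. A bare
 * item yields the module's "read only" default; a suffix overrides that
 * default (so ":rw" can open a read-only module). No match means no access. */
access_t first_match_access(const char *spec, const char *user, bool module_ro) {
    rule_t rules[16];
    int n = parse_rules(spec, rules, 16);
    if (n < 0) return ACC_DENY;
    for (int i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], user)) continue;
        return rules[i].acc == ACC_UNSET ? (module_ro ? ACC_RO : ACC_RW) : rules[i].acc;
    }
    return ACC_DENY;
}

/* Amir's scheme, steps 1-5 of the first mail. Order does not matter: a
 * user-specific rule wins, then group deny, group rw, group ro, and otherwise
 * the (already authenticated) user gets the module default. The module's
 * "read only" setting caps the result rather than being overridden. */
access_t priority_access(const char *spec, const char *user, bool module_ro) {
    rule_t rules[16];
    int n = parse_rules(spec, rules, 16);
    bool g_deny = false, g_rw = false, g_ro = false;
    access_t result = ACC_UNSET;
    if (n < 0) return ACC_DENY;
    for (int i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], user) || rules[i].acc == ACC_UNSET) continue;
        if (!rules[i].is_group) { result = rules[i].acc; break; }  /* step 1 */
        if (rules[i].acc == ACC_DENY) g_deny = true;                 /* step 2 */
        else if (rules[i].acc == ACC_RW) g_rw = true;                /* step 3 */
        else g_ro = true;                                            /* step 4 */
    }
    if (result == ACC_UNSET)
        result = g_deny ? ACC_DENY : g_rw ? ACC_RW : g_ro ? ACC_RO : ACC_RW; /* step 5 */
    return (module_ro && result == ACC_RW) ? ACC_RO : result;
}

int main(void) {
    static const char *names[] = {"deny", "ro", "rw"};
    const char *acl = "@rsync:ro joe:rw";
    const char *users[] = {"joe", "susan", "mallory"};
    for (int i = 0; i < 3; i++)
        printf("%-8s first-match=%-4s priority=%s\n", users[i],
               names[first_match_access(acl, users[i], false)],
               names[priority_access(acl, users[i], false)]);
    return 0;
}
```

The two resolvers agree on Wayne's own example but diverge as soon as a user rule follows a group rule: with "@rsync:ro joe:rw", joe (a member of rsync) gets read-only under first match and read/write under the priority scheme, and on a "read only = yes" module "joe:rw" opens the module under first match but is capped to read-only under Amir's steps. Whichever ordering a daemon adopts, an unparseable suffix must fail closed; the priority resolver in particular would otherwise fall through to step 5 and grant access.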
On Tue 20 Oct 2009, Wayne Davison wrote:
> . I changed
> your ro, rw, and deny settings to be specified via suffixes. For
> example:
>
> auth user = joe:deny admin:rw @rsync:ro susan

Nice!

> Potential backward incompatibility: usernames used to be able to start
> with a @ and (surprisingly, given the syntax of the secrets file) even
> contain a colon.

A colon would have given problems already in *nix systems, think about chown user:group file...

> If anyone likes/dislikes this, please feel free to comment.

I like it :)

Paul