Hi! I am doing backups from a number of machines to an rsync server. For some time I was trying to come up with a solution, which would prevent users from peeking at each other's files, which are backed up. Finally, I've hacked rsync, introducing a new option "write only" for rsyncd.conf. When set to true, this option forbids the transfers from server to the client, thus solving my problems. Below is a patch against rsync-2.5.2 which implements those changes. Hopefully, somebody else will find it useful. I apologize, if that's the wrong list to post such stuff.
--Cut here----------------------------------------------------------------
diff -urN rsync-2.5.2.orig/loadparm.c rsync-2.5.2/loadparm.c
--- rsync-2.5.2.orig/loadparm.c Sun Dec 2 09:16:15 2001
+++ rsync-2.5.2/loadparm.c Sat Feb 23 13:48:12 2002
@@ -117,6 +117,7 @@
 char *comment;
 char *lock_file;
 BOOL read_only;
+ BOOL write_only;
 BOOL list;
 BOOL use_chroot;
 BOOL transfer_logging;
@@ -149,6 +150,7 @@
 NULL, /* comment */
 DEFAULT_LOCK_FILE, /* lock file */
 True, /* read only */
+ False, /* write only */
 True, /* list */
 True, /* use chroot */
 False, /* transfer logging */
@@ -265,6 +267,7 @@
 {"lock file", P_STRING, P_LOCAL, &sDefault.lock_file, NULL, 0},
 {"path", P_STRING, P_LOCAL, &sDefault.path, NULL, 0},
 {"read only", P_BOOL, P_LOCAL, &sDefault.read_only, NULL, 0},
+ {"write only", P_BOOL, P_LOCAL, &sDefault.write_only, NULL, 0},
 {"list", P_BOOL, P_LOCAL, &sDefault.list, NULL, 0},
 {"use chroot", P_BOOL, P_LOCAL, &sDefault.use_chroot, NULL, 0},
 {"ignore nonreadable",P_BOOL, P_LOCAL, &sDefault.ignore_nonreadable, NULL, 0},
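Review bot: The new `write only` flag does not interact with `read only`, whose default in the second hunk stays True, so a module that adds only `write only = yes` will, once the sender-side check from the main.c part of this patch is in, refuse transfers in both directions and accept nothing; nothing here flips `read_only` or rejects the contradictory pair when the config is loaded. A load-time sanity check that rejects a module with both flags true would make that misconfiguration loud, but wherever the module list is validated is outside this hunk, so at minimum the default deserves a comment: `False, /* write only -- also needs "read only = false", or the module refuses every transfer */`. The same caveat belongs in the rsyncd.conf documentation for the new option.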
@@ -342,6 +345,7 @@
 FN_LOCAL_STRING(lp_path, path)
 FN_LOCAL_STRING(lp_lock_file, lock_file)
 FN_LOCAL_BOOL(lp_read_only, read_only)
+FN_LOCAL_BOOL(lp_write_only, write_only)
 FN_LOCAL_BOOL(lp_list, list)
 FN_LOCAL_BOOL(lp_use_chroot, use_chroot)
 FN_LOCAL_BOOL(lp_transfer_logging, transfer_logging)
diff -urN rsync-2.5.2.orig/main.c rsync-2.5.2/main.c
--- rsync-2.5.2.orig/main.c Fri Jan 25 11:07:41 2002
+++ rsync-2.5.2/main.c Sat Feb 23 13:49:38 2002
@@ -306,10 +306,19 @@
 extern int relative_paths;
 extern int recurse;
 extern int remote_version;
+ extern int am_daemon;
+ extern int module_id;
+ extern int am_sender;
 
 if (verbose > 2)
 rprintf(FINFO,"server_sender starting pid=%d\n",(int)getpid());
 
+ if (am_daemon && lp_write_only(module_id) && am_sender) {
+ rprintf(FERROR,"ERROR: module is write only\n");
+ exit_cleanup(RERR_SYNTAX);
+ return;
+ }
+
 if (!relative_paths && !push_dir(dir, 0)) {
 rprintf(FERROR,"push_dir %s: %s (3)\n",dir,strerror(errno));
 exit_cleanup(RERR_FILESELECT);
diff -urN rsync-2.5.2.orig/proto.h rsync-2.5.2/proto.h
--- rsync-2.5.2.orig/proto.h Sat Jan 26 00:07:33 2002
+++ rsync-2.5.2/proto.h Sat Feb 23 13:48:12 2002
@@ -125,6 +125,7 @@
 char *lp_path(int );
 char *lp_lock_file(int );
 BOOL lp_read_only(int );
+BOOL lp_write_only(int );
 BOOL lp_list(int );
 BOOL lp_use_chroot(int );
 BOOL lp_transfer_logging(int );
--Cut here----------------------------------------------------------------
Best regards,
Jurij.
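Review bot: The new check only refuses the sender role, so it stops the daemon from shipping file contents to a client but does not isolate users from each other: in a push the daemon is the receiver and, as far as I can tell from rsync's transfer model, it still tells the client which of the paths it listed already exist and hands back block checksums for them, and nothing prevents a client from overwriting or, with --delete, removing another user's files in the same module. That limitation deserves a comment on the new condition, e.g. `/* refuses server->client transfers only; clients can still probe, overwrite and delete existing files in the module */`, and a matching note in the rsyncd.conf documentation. The `am_sender` term is presumably always true here if do_server_sender is only entered on the sender path, in which case it is redundant and could be dropped. do_server_sender begins before and continues past the hunk.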
It seems to me that there must be a more fundamental problem with the security model of that backup system if users had the ability to read each other's files. Even with a "write only" option, they can overwrite each other's files, right? What if somebody overwrite a crucial file in somebody else's area, and that file gets restored from backup? I think a better solution would be to ensure that only the root user has any access to the backup area, probably by using a "secrets file" and a --password-file that's readable only by root, or better yet use ssh and public/private key pair.
- Dave Dykstra
On Sat, Feb 23, 2002 at 02:14:57PM +0100, Jurij Smakov wrote:
> Hi!
>
> I am doing backups from a number of machines to an rsync server. For some
> time I was trying to come up with a solution, which would prevent users
> from peeking at each other's files, which are backed up. Finally, I've
> hacked rsync, introducing a new option "write only" for rsyncd.conf. When
> set to true, this option forbids the transfers from server to the client,
> thus solving my problems. Below is a patch against rsync-2.5.2 which
> implements those changes. Hopefully, somebody else will find it useful. I
> apologize, if that's the wrong list to post such stuff.
>
> --Cut here----------------------------------------------------------------
> diff -urN rsync-2.5.2.orig/loadparm.c rsync-2.5.2/loadparm.c
> --- rsync-2.5.2.orig/loadparm.c Sun Dec 2 09:16:15 2001
> +++ rsync-2.5.2/loadparm.c Sat Feb 23 13:48:12 2002
> @@ -117,6 +117,7 @@
> char *comment;
> char *lock_file;
> BOOL read_only;
> + BOOL write_only;
> BOOL list;
> BOOL use_chroot;
> BOOL transfer_logging;
> @@ -149,6 +150,7 @@
> NULL, /* comment */
> DEFAULT_LOCK_FILE, /* lock file */
> True, /* read only */
> + False, /* write only */
> True, /* list */
> True, /* use chroot */
> False, /* transfer logging */
> @@ -265,6 +267,7 @@
> {"lock file", P_STRING, P_LOCAL, &sDefault.lock_file, NULL, 0},
> {"path", P_STRING, P_LOCAL, &sDefault.path, NULL, 0},
> {"read only", P_BOOL, P_LOCAL, &sDefault.read_only, NULL, 0},
> + {"write only", P_BOOL, P_LOCAL, &sDefault.write_only, NULL, 0},
> {"list", P_BOOL, P_LOCAL, &sDefault.list, NULL, 0},
> {"use chroot", P_BOOL, P_LOCAL, &sDefault.use_chroot, NULL, 0},
> {"ignore nonreadable",P_BOOL, P_LOCAL, &sDefault.ignore_nonreadable, NULL, 0},
> @@ -342,6 +345,7 @@
> FN_LOCAL_STRING(lp_path, path)
> FN_LOCAL_STRING(lp_lock_file, lock_file)
> FN_LOCAL_BOOL(lp_read_only, read_only)
> +FN_LOCAL_BOOL(lp_write_only, write_only)
> FN_LOCAL_BOOL(lp_list, list)
> FN_LOCAL_BOOL(lp_use_chroot, use_chroot)
> FN_LOCAL_BOOL(lp_transfer_logging, transfer_logging)
> diff -urN rsync-2.5.2.orig/main.c rsync-2.5.2/main.c
> --- rsync-2.5.2.orig/main.c Fri Jan 25 11:07:41 2002
> +++ rsync-2.5.2/main.c Sat Feb 23 13:49:38 2002
> @@ -306,10 +306,19 @@
> extern int relative_paths;
> extern int recurse;
> extern int remote_version;
> + extern int am_daemon;
> + extern int module_id;
> + extern int am_sender;
>
> if (verbose > 2)
> rprintf(FINFO,"server_sender starting pid=%d\n",(int)getpid());
>
> + if (am_daemon && lp_write_only(module_id) && am_sender) {
> + rprintf(FERROR,"ERROR: module is write only\n");
> + exit_cleanup(RERR_SYNTAX);
> + return;
> + }
> +
> if (!relative_paths && !push_dir(dir, 0)) {
> rprintf(FERROR,"push_dir %s: %s (3)\n",dir,strerror(errno));
> exit_cleanup(RERR_FILESELECT);
> diff -urN rsync-2.5.2.orig/proto.h rsync-2.5.2/proto.h
> --- rsync-2.5.2.orig/proto.h Sat Jan 26 00:07:33 2002
> +++ rsync-2.5.2/proto.h Sat Feb 23 13:48:12 2002
> @@ -125,6 +125,7 @@
> char *lp_path(int );
> char *lp_lock_file(int );
> BOOL lp_read_only(int );
> +BOOL lp_write_only(int );
> BOOL lp_list(int );
> BOOL lp_use_chroot(int );
> BOOL lp_transfer_logging(int );
> --Cut here----------------------------------------------------------------
>
> Best regards,
>
> Jurij.
>
>
>
> --
> To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync
> Before posting, read: http://www.tuxedo.org/~esr/faqs/smart-questions.html
Alternatively, if the users need to do the writing themselves (checkpointing a project, for instance), you should set aside a separate module for each one. It will be a hassle for you to take care of the passwords, and they will be stored in plain text, though (one hopes) secure. If they're like most users, explaining ssh might take up the rest of the time from now until the sun cools. Tim Conway tim.conway@philips.com 303.682.4917 Philips Semiconductor - Longmont TC 1880 Industrial Circle, Suite D Longmont, CO 80501 Available via SameTime Connect within Philips, n9hmg on AIM perl -e 'print pack(nnnnnnnnnnnn, 19061,29556,8289,28271,29800,25970,8304,25970,27680,26721,25451,25970), ".\n" ' "There are some who call me.... Tim?" Dave Dykstra <dwd@bell-labs.com> Sent by: rsync-admin@lists.samba.org 02/25/2002 11:10 AM To: Jurij Smakov <jurij.smakov@telia.com> cc: rsync@lists.samba.org (bcc: Tim Conway/LMT/SC/PHILIPS) Subject: Re: Write-only option Classification: It seems to me that there must be a more fundamental problem with the security model of that backup system if users had the ability to read each other's files. Even with a "write only" option, they can overwrite each other's files, right? What if somebody overwrite a crucial file in somebody else's area, and that file gets restored from backup? I think a better solution would be to ensure that only the root user has any access to the backup area, probably by using a "secrets file" and a --password-file that's readable only by root, or better yet use ssh and public/private key pair. - Dave Dykstra On Sat, Feb 23, 2002 at 02:14:57PM +0100, Jurij Smakov wrote:> Hi! > > I am doing backups from a number of machines to an rsync server. Forsome> time I was trying to come up with a solution, which would prevent users > from peeking at each other's files, which are backed up. 
Finally, I've > hacked rsync, introducing a new option "write only" for rsyncd.conf.When> set to true, this option forbids the transfers from server to theclient,> thus solving my problems. Below is a patch against rsync-2.5.2 which > implements those changes. Hopefully, somebody else will find it useful.I> apologize, if that's the wrong list to post such stuff. > > --Cuthere----------------------------------------------------------------> diff -urN rsync-2.5.2.orig/loadparm.c rsync-2.5.2/loadparm.c > --- rsync-2.5.2.orig/loadparm.c Sun Dec 2 09:16:15 2001 > +++ rsync-2.5.2/loadparm.c Sat Feb 23 13:48:12 2002 > @@ -117,6 +117,7 @@ > char *comment; > char *lock_file; > BOOL read_only; > + BOOL write_only; > BOOL list; > BOOL use_chroot; > BOOL transfer_logging; > @@ -149,6 +150,7 @@ > NULL, /* comment */ > DEFAULT_LOCK_FILE, /* lock file */ > True, /* read only */ > + False, /* write only */ > True, /* list */ > True, /* use chroot */ > False, /* transfer logging */ > @@ -265,6 +267,7 @@ > {"lock file", P_STRING, P_LOCAL, &sDefault.lock_file, NULL,0},> {"path", P_STRING, P_LOCAL, &sDefault.path, NULL, 0}, > {"read only", P_BOOL, P_LOCAL, &sDefault.read_only, NULL,0},> + {"write only", P_BOOL, P_LOCAL, &sDefault.write_only, NULL,0},> {"list", P_BOOL, P_LOCAL, &sDefault.list, NULL, 0}, > {"use chroot", P_BOOL, P_LOCAL, &sDefault.use_chroot, NULL,0},> {"ignore nonreadable",P_BOOL, P_LOCAL,&sDefault.ignore_nonreadable, NULL, 0},> @@ -342,6 +345,7 @@ > FN_LOCAL_STRING(lp_path, path) > FN_LOCAL_STRING(lp_lock_file, lock_file) > FN_LOCAL_BOOL(lp_read_only, read_only) > +FN_LOCAL_BOOL(lp_write_only, write_only) > FN_LOCAL_BOOL(lp_list, list) > FN_LOCAL_BOOL(lp_use_chroot, use_chroot) > FN_LOCAL_BOOL(lp_transfer_logging, transfer_logging) > diff -urN rsync-2.5.2.orig/main.c rsync-2.5.2/main.c > --- rsync-2.5.2.orig/main.c Fri Jan 25 11:07:41 2002 > +++ rsync-2.5.2/main.c Sat Feb 23 13:49:38 2002 
> @@ -306,10 +306,19 @@ > extern int relative_paths; > extern int recurse; > extern int remote_version; > + extern int am_daemon; > + extern int module_id; > + extern int am_sender; > > if (verbose > 2) > rprintf(FINFO,"server_sender startingpid=%d\n",(int)getpid());> > + if (am_daemon && lp_write_only(module_id) && am_sender) { > + rprintf(FERROR,"ERROR: module is writeonly\n");> + exit_cleanup(RERR_SYNTAX); > + return; > + } > + > if (!relative_paths && !push_dir(dir, 0)) { > rprintf(FERROR,"push_dir %s: %s(3)\n",dir,strerror(errno));> exit_cleanup(RERR_FILESELECT); > diff -urN rsync-2.5.2.orig/proto.h rsync-2.5.2/proto.h > --- rsync-2.5.2.orig/proto.h Sat Jan 26 00:07:33 2002 > +++ rsync-2.5.2/proto.h Sat Feb 23 13:48:12 2002 > @@ -125,6 +125,7 @@ > char *lp_path(int ); > char *lp_lock_file(int ); > BOOL lp_read_only(int ); > +BOOL lp_write_only(int ); > BOOL lp_list(int ); > BOOL lp_use_chroot(int ); > BOOL lp_transfer_logging(int ); > --Cuthere----------------------------------------------------------------> > Best regards, > > Jurij. > > > > -- > To unsubscribe or change options:http://lists.samba.org/mailman/listinfo/rsync> Before posting, read:http://www.tuxedo.org/~esr/faqs/smart-questions.html -- To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.tuxedo.org/~esr/faqs/smart-questions.html