The only way you could give someone shell access and keep them from using
rsync would be to find a way to prevent their access to any rsync binary
through that shell. Frankly, if they're already in, and can read these
files as themselves, you gain nothing from preventing their use of a
single application, as they can 'rsh host cat /etc/passwd',
'rsh host "cd /;tar -cf - ." |dd of=everythingonremotehost.tar',
rlogin to the host and just poke around, whatever. If this is a problem,
then SHUT OFF RSH ACCESS.... oh, and if your network is not secure, that
is, in fact, a problem.
If you don't want people looking at stuff, don't let them have shell
access. If they can't get access to anything on the system except through
your rsync daemon (I'm assuming the rsyncd.conf you referenced before is
in /etc, and you started rsync either by typing 'rsync --daemon' or by
appropriate setup of inetd), you can use the rsyncd.conf to define exactly
what they can and cannot access. If they can rsh, or even telnet, to the
system, they can already read whatever they want.
Tim Conway
conway.tim@sphlihp.com reorder name and reverse domain
303.682.4917 office, 303.921.0301 cell
Philips Semiconductor - Longmont TC
1880 Industrial Circle, Suite D
Longmont, CO 80501
Available via SameTime Connect within Philips, caesupport2 on AIM
"There are some who call me.... Tim?"
"Armin Safarians" <armin.safarians@safeway.com>
10/29/2002 03:23 PM
To: Tim Conway/LMT/SC/PHILIPS@AMEC
cc:
Subject: Re: configuration question.
Classification:
Thank you for the information. That is exactly what I was looking for.
So what I'm to understand is you can get someone shell access but not
rsync ability?
AMS :-)
tim.conway@philips.com wrote:
>Your users have rsh access to the machine, and are getting wherever they
>want, using the server:/path syntax.
>If they were using the server::module syntax, they would be restricted to
>only what's provided by the modules. If you don't want them getting
>everything all over the system, you will need to prevent shell access.
>
>"Armin Safarians" <armin.safarians@safeway.com>
>Sent by: rsync-admin@lists.samba.org
>10/29/2002 01:11 PM
>
>
> To: rsync@samba.org
> cc: (bcc: Tim Conway/LMT/SC/PHILIPS)
> Subject: configuration question.
> Classification:
>
>
>
>How do you restrict rsync transfers to only modules in the configuration
>file?
>It seems like even though I have a module configured, users can transfer
>files that they had permission to which is not under the directory of the
>module.
>
>I.E.
>modulename
> path=/web
> ...
> ...
> ...
>
>Users can get /etc/passwd from this machine. How do I restrict that?
>
>
>Thanks,
>AMS
>
>
>
>
--
Armin M. Safarians Safeway Inc.
VOICE: 925.944.4246
EMAIL:armin.safarians@Safeway.com
********************************************************
We all stand poised on the brink of greatness
********************************************************
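
A daemon-side configuration for the /web module discussed in this thread, as an added example that is not part of the original messages. The module name, account name, address range and the log and secrets file paths are assumptions chosen for illustration; the parameters are standard rsyncd.conf options.

```ini
# /etc/rsyncd.conf  (constructed example, not from the thread)
#
# These settings apply only to daemon access:
#     rsync server::web/      or      rsync rsync://server/web/
# They do NOT apply to remote-shell access (rsync server:/path), which
# runs with whatever the user's rsh/ssh login can read. Restricting
# users to the module therefore also requires removing their shell
# access, as the reply above says.

# Global parameters (assumed values)
# Transfers run as an unprivileged account, not as root.
uid = nobody
gid = nobody
# Chroot into the module path before serving files, so paths outside
# /web do not resolve. The daemon must be started as root for this.
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log

# Module name "web" is an assumption; the question only shows path=/web.
[web]
    path = /web
    comment = web content
    # Clients may pull from the module but not upload into it.
    read only = yes
    # Do not advertise the module when a client lists server::
    list = no
    # Require a daemon-level user and password. These are separate from
    # system accounts, so no shell login is needed to use the module.
    auth users = webpull
    # One "user:password" entry per line. The file must not be readable
    # by other users or the daemon refuses it (strict modes).
    secrets file = /etc/rsyncd.secrets
    # Accept only the listed network, deny everyone else.
    # 192.0.2.0/24 is a documentation range used as a placeholder.
    hosts allow = 192.0.2.0/24
    hosts deny = *
```

With this in place, a request for `server::web/index.html` is served from /web, while `/etc/passwd` has no module mapping and cannot be named through the daemon.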