On Sun, 25 Apr 2021 at 17:53, Chris Cowan via rsync
<rsync at lists.samba.org <https://lists.samba.org/mailman/listinfo/rsync>> wrote:
>> I've also been looking at several solutions that try to sandbox
>> openssh/rsync. These include rssh (which should not be used anymore, because
>> it's abandonware. But, it is what I am most familiar with), GNU rush, and
>> daethnir/authprogs on github. None of these seems to be able to provide me
>> the control, with rsync, when --protect-args is used. Unless I'm mistaken, the
>> filtering has to be done by the rsync --server --sender process itself, since
>> it's the only thing that has visibility to the filepath passed in the ssh
>> channel.
>
> I like to use rsync in daemon mode over ssh for that type of thing,
because:
>
> * you don't need a shim, just make the ssh forced command "rsync
> --server --daemon --config /path/to/some/rsyncd.conf ."
> * the --daemon turns on extra server side security checks
> * you always have --protect-args when in daemon mode
> * you can sandbox the transfer root and other things with settings in
> the rsyncd.conf
>
> Example rsync.conf for allowing reading of /var/lib/{foo,bar} but
> writes to only /var/lib/foo :
>
> use chroot = no
> [foo]
> path = /var/lib/foo
> read only = no
> [bar]
> path = /var/lib/bar
> read only = yes
>
> On the client side you use the :: syntax to specify a module in an
> rsync daemon along with "-e ssh" to get daemon mode over ssh, for
> example to write to /var/lib/foo/someplace you could:
>
> rsync -e ssh [OTHER OPTIONS] /tmp/new-foo-things ${hostname}::foo/someplace
I was aware of similar features with sshd_config for sftp, but never
considered this. (Never ran rsync in daemon mode, to be honest). The
other solutions gave me separate control over scp, sftp, svn+ssh, git, etc....
Will have to read the docs to see what modules are available.
--
Chris Cowan
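The setup the quoted reply describes (an ssh forced command pinned to daemon-mode rsync, plus a per-module rsyncd.conf), as an added POSIX shell example that is not part of this thread. The config path and public key are placeholders, the `restrict` authorized_keys option is OpenSSH 7.2+, and `module_is_writable` is a hypothetical audit helper of mine, not an rsync feature.

```shell
#!/bin/sh
# Added example (not from the thread). PLACEHOLDER paths/keys; adjust for your host.
set -eu

# authorized_keys entry pinning the key to daemon-mode rsync. "restrict"
# (OpenSSH 7.2+) also disables pty, forwarding and agent use for that key.
authorized_key_line() {
    conf="$1"    # rsyncd.conf path on the server
    pubkey="$2"  # the client's public key text
    printf 'restrict,command="rsync --server --daemon --config %s ." %s\n' "$conf" "$pubkey"
}

# The rsyncd.conf from the reply: /var/lib/foo writable, /var/lib/bar read-only.
write_rsyncd_conf() {
    cat > "$1" <<'EOF'
use chroot = no
[foo]
path = /var/lib/foo
read only = no
[bar]
path = /var/lib/bar
read only = yes
EOF
}

# Hypothetical audit helper: print "yes" if the module allows writes, else "no".
# rsyncd's default is "read only = yes", so an unset or unknown module is "no".
module_is_writable() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                                   # comment lines
        /^[ \t]*\[/   { sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); cur = $0; next }
        cur == want && /^[ \t]*read only[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); ro = tolower(v)
        }
        END { print (ro == "no" || ro == "false" || ro == "0") ? "yes" : "no" }
    ' "$1"
}

# Stand-alone demo: write both files into a scratch directory and audit them.
main() {
    dir=$(mktemp -d)
    write_rsyncd_conf "$dir/rsyncd.conf"
    authorized_key_line "$dir/rsyncd.conf" "ssh-ed25519 AAAAexamplekey backup@client" > "$dir/authorized_keys"
    echo "foo writable: $(module_is_writable "$dir/rsyncd.conf" foo)"   # yes
    echo "bar writable: $(module_is_writable "$dir/rsyncd.conf" bar)"   # no
    echo "files written under $dir"
}
main "$@"
```

The client side stays exactly as in the reply (`rsync -e ssh ... host::foo/someplace`); with this key the server will only ever run the daemon-mode rsync, so module policy in rsyncd.conf is what bounds the transfer.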