On Thu, Feb 03, 2005 at 02:01:28PM -0800, Jeremy Hansen wrote:
> use --rsh="ssh -l username", that the rsync server is ignoring my
> rsyncd.conf uid and gid directives.
Correct. Normal users don't have unix permissions to change to another
user, so rsync assumes that if you're not root (UID 0), you can't
setuid().
If you're trying to limit what remote hosts can connect, the best
solution is probably to go back to using a daemon and adding a "hosts
allow" value of "127.0.0.1" so that the only connections it allows are
from localhost. Then, your remote users would use ssh to tunnel into
the machine and connect:

    ssh -fN -L 8873:localhost:873 -l joeuser filedrop
    rsync -av foo.txt --port 8873 localhost::repository/

(If you connect via ssh1, dump the -N option and specify a "sleep 30"
command.) All the users on the same remote machine can make use of the
port-8873 connection to filedrop's port 873.
If instead you were trying to provide different permissions to different
users based on who they logged in as via ssh, you'll need to come up
with something custom for that. For instance, if you created a wrapper
program that would only execute a hard-wired rsync command based on
who the current user was, you could set the "setuid" bit on the
executable, and it would then run rsync with root permissions. Whether
that would be secure enough for your system depends on how you feel
about setuid-bit programs and also on how well you code up the exec
logic (making sure that it can't try to run arbitrary programs, for
instance).
..wayne..
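Added example, not from the mail above or from the rsync project: a minimal setuid-root wrapper of the kind Wayne describes, which runs one frozen rsync command selected by the caller's real UID and never takes arguments or environment from the caller. The UIDs (1001, 1002), module paths under /srv/filedrop and /var/repository, and the rsync location /usr/bin/rsync are assumptions for illustration; the exec logic uses execve with a fixed argv and a fixed environment so that neither PATH, LD_PRELOAD nor RSYNC_* variables from the invoking user reach the root-privileged rsync.

```c
/* Setuid-root rsync wrapper (added example; all UIDs and paths are assumed). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* One fixed command per user: argv[0] is an absolute path and the
 * argument list is frozen at compile time; nothing from the caller
 * (argv, environment, cwd) is ever spliced into it. */
struct fixed_cmd {
    uid_t uid;
    const char *const *argv;   /* NULL-terminated argument list */
};

static const char *const joe_argv[] = {
    "/usr/bin/rsync", "-av", "/srv/filedrop/joe/", "/var/repository/joe/", NULL
};
static const char *const jane_argv[] = {
    "/usr/bin/rsync", "-av", "/srv/filedrop/jane/", "/var/repository/jane/", NULL
};

static const struct fixed_cmd commands[] = {
    { 1001, joe_argv },    /* assumed UID of joeuser */
    { 1002, jane_argv },   /* assumed UID of a second ssh user */
};

/* Environment handed to rsync: fixed, regardless of what the caller set. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Return the frozen argv for a real UID, or NULL if that user has no entry. */
const char *const *command_for_uid(uid_t uid)
{
    size_t i;
    for (i = 0; i < sizeof commands / sizeof commands[0]; i++)
        if (commands[i].uid == uid)
            return commands[i].argv;
    return NULL;
}

/* Defensive check on the table itself: argv[0] must be an absolute path and
 * no argument may contain shell metacharacters or whitespace. execve never
 * invokes a shell, so this only guards against a mis-edited table. */
int argv_is_sane(const char *const *argv)
{
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return 0;
    for (; *argv != NULL; argv++)
        if (strpbrk(*argv, " \t\n;|&$`<>*?") != NULL)
            return 0;
    return 1;
}

int main(void)
{
    uid_t caller = getuid();   /* real UID: who logged in via ssh */
    const char *const *argv = command_for_uid(caller);

    if (!argv_is_sane(argv)) {
        fprintf(stderr, "no rsync command configured for uid %ld\n", (long)caller);
        return 1;
    }
    /* Make the real UID/GID root too, so rsync runs fully as root and
     * nothing later can drop back to the caller's identity. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    execve(argv[0], (char *const *)argv, clean_env);
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

Install as root with mode 4755 and have each user's ssh session run only this binary (for example via a command= restriction in authorized_keys); the table lookup keyed on getuid() is the whole of the authorization decision, so keeping it small and reviewing it is what makes the setuid bit tolerable.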