rsync - Jun 2005 - Root privilege solution

I want to set up RSYNC so it has root privilege on the remote server. I do not
want to run rsync through inetd.
I want to be able to limit who can use rsync when the remote end has root
privilege. I prefer not to use rsync's
internal user/secrets file. I do want to use SSH as the transport shell. With
that in mind, here is what I tried.
I wrapped the rsync single use daemon execution on the remote end with a script
that executes rsync as
root by using the SUDO command. I can then easily control access to root
privileged rsync execution through
the sudoers file, an acceptable security configuration at our site. However.
rsync seems to be having a problem.
I get this message on the local side.

	@ERROR: invalid uid nobody

I would like to figure out why this fails or if there is a better way to
accomplish the same thing.

Here is my wrapper script on the remote side.

	tbcsap01 154 $ cat /var/tmp/rsync.sh
	#!/bin/ksh
	#
	echo "Args $*." > /var/tmp/rsync.op
	pwd             >>  /var/tmp/rsync.op
	env             >>  /var/tmp/rsync.op
	id                      >>  /var/tmp/rsync.op
	/usr/bin/sudo /usr/bin/env >> /var/tmp/rsync.op
	/usr/bin/sudo /usr/bin/id >> /var/tmp/rsync.op
	/usr/bin/sudo /usr/local/bin/rsync --verbose --config=/etc/rsyncd.conf $*

and the config file 

	log file = /var/tmp/rsyncd.log
	pid file = /var/tmp/rsyncd.pid
	lock file = /var/tmp/rsync.lock

	[cluster_files]
	   path = /home/bb/cluster_rsync_test
	   comment = My Very Own Rsync Server
	   read only = false
	        write only = false
	        hosts allow = opsdev.deca.mil
	        max verbosity = 3

Here is the command run on the local side.

	opsdev 290 $ rsync --verbose --progress --stats --rsync-path=/var/tmp/rsync.sh
-e ssh tinsless@tbcsap01::cluster_files
	@ERROR: invalid uid nobody
	rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
	rsync error: error in rsync protocol data stream (code 12) at io.c(420)

Here is the o/p from the wrapper script.

	Args --server --daemon ..
	/nfs/home/tinsless
	_=/usr/bin/env
	PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
	LOGNAME=tinsless
	MAIL=/var/mail/tinsless
	USER=tinsless
	SHELL=/usr/bin/ksh
	HOME=/nfs/home/tinsless
	SSH_CLIENT=172.16.208.14 65476 22
	SSH_CONNECTION=172.16.208.14 65476 172.16.208.41 22
	PWD=/nfs/home/tinsless
	TZ=EST5EDT
	uid=320(tinsless) gid=200(sa) groups=4(adm)
	_=/usr/bin/sudo
	PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
	LOGNAME=root
	MAIL=/var/mail/tinsless
	USER=root
	SHELL=/usr/bin/ksh
	HOME=/nfs/home/tinsless
	SSH_CLIENT=172.16.208.14 65476 22
	SSH_CONNECTION=172.16.208.14 65476 172.16.208.41 22
	PWD=/nfs/home/tinsless
	TZ=EST5EDT
	TERM=unknown
	SUDO_COMMAND=/usr/bin/env
	SUDO_USER=tinsless
	SUDO_UID=320
	SUDO_GID=200
	uid=0(root) gid=3(sys)
groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)

On Mon, Jun 27, 2005 at 01:51:28PM -0400, Tinsley, Scott S. (ManTech) CTR
wrote:
> 	@ERROR: invalid uid nobody
Does your system not have a user "nobody" in the passwd file?  You can
always set the user via the uid option (e.g. "uid = root") so that
rsync
doesn't try to switch to the default user of "nobody".

..wayne..

Turns out "nobody" had been removed from our password files. 

I have used the "uid = " global setting and all appears good.

Last question. Can a daemon version of rsync using the rsyncd.conf file be
configured to only allow access to "modules" and no other part of the
remote side's file system?

Thanks for your help. 

-----Original Message-----
From: Wayne Davison [mailto:wayned@samba.org]
Sent: Tuesday, June 28, 2005 2:23 AM
To: Tinsley, Scott S. (ManTech) CTR
Cc: rsync@lists.samba.org
Subject: Re: Root privilege solution


On Mon, Jun 27, 2005 at 01:51:28PM -0400, Tinsley, Scott S. (ManTech) CTR
wrote:
> 	@ERROR: invalid uid nobody
Does your system not have a user "nobody" in the passwd file?  You can
always set the user via the uid option (e.g. "uid = root") so that
rsync
doesn't try to switch to the default user of "nobody".

..wayne..