Bri Hatch
2022-Mar-12 06:36 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync <rsync at lists.samba.org> wrote:> Rsync includes a script named rrsync that handles this perfectly. >And authprogs provides similar functionality, though you use yaml to define what is/isn't allowed. However it does allow you to use one SSH identity for potentially many different source dirs rather than requiring a separate authorized_key entry for each forced command. example: - rule_type: rsync allow_donwload: true allow_recursive: true paths: - /etc - /srv/freezeray path_startswith: - /srv/web https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules> > On 3/12/22 01:08, Richard Hector via rsync wrote: > > On 12/03/22 18:38, Richard Hector via rsync wrote: > >> And I do my backups (using dirvish) as root, using a key with a forced > >> command. > > > > FWIW, that forced command is here: > > > > https://github.com/rwhector/dirvish-forced-command > > > > It's rather unpolished and undocumented, but comments very welcome :-) > > > > I've also had an issue due to some server-side-only arguments to rsync > > being undocumented, which means I can't validate them, and basically > > have to accept anything ... I'd love to know why this is or has to be > > the case :-) I didn't get any particularly useful answers back in > > January 2019 ... > > > > Cheers, > > Richard > > > > -- > ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._., > Kevin Korb Phone: (407) 252-6853 > <http://voice.google.com/calls?a=nc,%2B14072526853> > Systems Administrator Internet: > FutureQuest, Inc. Kevin at FutureQuest.net (work) > Orlando, Florida kmk at sanitarium.net (personal) > Web page: https://sanitarium.net/ > PGP public key available on web site. > ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._., > > -- > Please use reply-all for most replies to avoid omitting the mailing list. > To unsubscribe or change options: > https://lists.samba.org/mailman/listinfo/rsync > Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html >-- Bri Hatch "Quite mad, they say. It is good that Zathras does not mind. He's even grown to like it. Oh yes." -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.samba.org/pipermail/rsync/attachments/20220311/65e18d39/attachment.htm>
Florian Sager
2022-Mar-12 08:45 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach
Hi, I gave up using rrsync some years ago because of a) potential security issues with path references that can occur within the rsync execution in the call of rrsync b) possibly unmatched rsync options (rrsync must be kept up-to-date to match new options _and_ some options need to be intentionally removed that may be required) So my solution on this is: - a login script (with suid bit in my case) - that creates/starts a docker image that limits path access and maps libs / rsync binary to be available in a limited environment, e.g. "alpine" DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only --rm --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro -v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro" $DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE $SSH_ORIGINAL_COMMAND 2>/dev/null If anybody sees security problems with this approach please tell us. Best regards Florian Am 12.03.22 um 07:36 schrieb Bri Hatch via rsync:> > > On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync > <rsync at lists.samba.org> wrote: > > Rsync includes a script named rrsync that handles this perfectly. > > > And authprogs provides similar functionality, though you use yaml to > define what is/isn't allowed. However it does allow you to use one SSH > identity for potentially many different source dirs rather than > requiring a separate authorized_key entry for each forced command. > > example: > > - rule_type: rsync > ? ? ? allow_donwload: true > ? ? ? allow_recursive: true > ? ? ? paths: > ? ? ? ? - /etc > ? ? ? ? - /srv/freezeray > ? ? ? path_startswith: > ? ? ? ? - /srv/web > > https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules > > > > On 3/12/22 01:08, Richard Hector via rsync wrote: > > On 12/03/22 18:38, Richard Hector via rsync wrote: > >> And I do my backups (using dirvish) as root, using a key with a > forced > >> command. > > > > FWIW, that forced command is here: > > > > https://github.com/rwhector/dirvish-forced-command > > > > It's rather unpolished and undocumented, but comments very > welcome :-) > > > > I've also had an issue due to some server-side-only arguments to > rsync > > being undocumented, which means I can't validate them, and > basically > > have to accept anything ... I'd love to know why this is or has > to be > > the case :-) I didn't get any particularly useful answers back in > > January 2019 ... > > > > Cheers, > > Richard > > > > -- > ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._., > ? ? ? ? Kevin Korb? ? ? ? ? ? ? ? ? ? ? Phone:? ? (407) 252-6853 > ? ? ? ? Systems Administrator? ? ? ? ? ?Internet: > ? ? ? ? FutureQuest, Inc. Kevin at FutureQuest.net? (work) > ? ? ? ? Orlando, Florida kmk at sanitarium.net (personal) > ? ? ? ? Web page: https://sanitarium.net/ > ? ? ? ? PGP public key available on web site. > ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._., > > -- > Please use reply-all for most replies to avoid omitting the > mailing list. > To unsubscribe or change options: > https://lists.samba.org/mailman/listinfo/rsync > Before posting, read: > http://www.catb.org/~esr/faqs/smart-questions.html > > > > -- > Bri Hatch > > "Quite mad, they say. It is good that Zathras does not mind. He's even > grown > ?to like it. Oh yes." >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.samba.org/pipermail/rsync/attachments/20220312/ee649dc4/attachment.htm>
Richard Hector
2022-Mar-13 00:26 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On 12/03/22 19:36, Bri Hatch via rsync wrote:> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync > <rsync at lists.samba.org <mailto:rsync at lists.samba.org>> wrote: > > Rsync includes a script named rrsync that handles this perfectly. > > > And authprogs provides similar functionality, though you use yaml to > define what is/isn't allowed.Thanks - I didn't look at this earlier. It looks like a more general alternative to my dirvish one. I'll have to investigate further. Though my use of ansible has given me a general dislike of yaml :-) Cheers, Richard
raf
2022-Mar-13 02:02 UTC
Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On Fri, Mar 11, 2022 at 10:36:49PM -0800, Bri Hatch via rsync <rsync at lists.samba.org> wrote:> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync <rsync at lists.samba.org> > wrote: > > > Rsync includes a script named rrsync that handles this perfectly. > > And authprogs provides similar functionality, though you use yaml to define > what is/isn't allowed. However it does allow you to use one SSH identity > for potentially many different source dirs rather than requiring a separate > authorized_key entry for each forced command. > > example: > > - rule_type: rsync > allow_donwload: true > allow_recursive: true > paths: > - /etc > - /srv/freezeray > path_startswith: > - /srv/web > > https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrulesAnd there's sshdo as well: https://github.com/raforg/sshdo Like authprogs, it also works with any command, not just rsync. And it almost configures itself with a learning mode to monitor commands that need to be allowed. And it can relearn if commands need to change over time, and unlearn old commands that are no longer needed. cheers, raf