On Thu, Feb 03, 2005 at 02:01:28PM -0800, Jeremy Hansen wrote:
> use --rsh="ssh -l username", that the rsync server is ignoring my
> rsyncd.conf uid and gid directives.

Correct. Normal users don't have unix permissions to change to another user, so rsync assumes that if you're not root (UID 0), you can't setuid().

If you're trying to limit what remote hosts can connect, the best solution is probably to go back to using a daemon and adding a "hosts allow" value of "127.0.0.1" so that the only connections it allows are from localhost. Then, your remote users would use ssh to tunnel into the machine and connect:

    ssh -fN -L 8873:localhost:873 -l joeuser filedrop
    rsync -av foo.txt --port 8873 localhost::repository/

(If you connect via ssh1, dump the -N option and specify a "sleep 30" command.) All the users on the same remote machine can make use of the port-8873 connection to filedrop's port 873.

If instead you were trying to provide different permissions to different users based on who they logged in as via ssh, you'll need to come up with something custom for that. For instance, if you created a wrapper program that would only execute a hard-wired rsync command based on who the current user was, you could set the "setuid" bit on the executable, and it would then run rsync with root permissions. Whether that would be secure enough for your system depends on how you feel about setuid-bit programs and also on how well you code up the exec logic (making sure that it can't try to run arbitrary programs, for instance).

..wayne..
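
Added example, not part of the message above or of the rsync project: a sketch in C of the setuid wrapper idea, where the command line is fixed and only the config file varies with the ssh login. The user names, config paths and `/usr/bin/rsync` location are constructed assumptions, and it assumes rsync tests the real UID when deciding whether it may switch users, so the wrapper sets the real IDs to 0 before exec.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define RSYNC_BIN "/usr/bin/rsync" /* assumed install path */

/* Constructed policy: ssh login name -> hard-wired daemon config (hypothetical). */
static const struct { const char *user, *conf; } POLICY[] = {
    { "joeuser", "/etc/rsyncd/joeuser.conf" },
    { "backup",  "/etc/rsyncd/backup.conf"  },
};

/* Return the config for a listed login, or NULL for everyone else. */
const char *config_for_user(const char *user)
{
    for (size_t i = 0; user && i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (strcmp(user, POLICY[i].user) == 0)
            return POLICY[i].conf;
    return NULL;
}

/* Build the fixed command line; nothing from the caller's argv is used. */
int build_argv(const char *user, char *cfg, size_t cfglen, char *argv[6])
{
    const char *conf = config_for_user(user);
    int n = conf ? snprintf(cfg, cfglen, "--config=%s", conf) : -1;
    if (n < 0 || (size_t)n >= cfglen)
        return -1;
    argv[0] = "rsync"; argv[1] = "--server"; argv[2] = "--daemon";
    argv[3] = cfg;     argv[4] = ".";        argv[5] = NULL;
    return 0;
}

int main(void)
{
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* drop caller's env */
    struct passwd *pw = getpwuid(getuid()); /* real UID is still the ssh login */
    char cfg[128], *argv[6];
    if (!pw || build_argv(pw->pw_name, cfg, sizeof cfg, argv) != 0) {
        fputs("rsync-wrap: user not permitted\n", stderr);
        return 1;
    }
    if (setgid(0) != 0 || setuid(0) != 0) /* make the real IDs root too */
        return 1;
    execve(RSYNC_BIN, argv, envp); /* absolute path, no shell, no PATH lookup */
    perror("execve");
    return 127;
}
```

The per-user config files named in the policy table must be writable only by root, since their uid, gid and path settings are what rsync applies once the wrapper has started it with root permissions.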