Now that I step back and think about it, your needs would be better met by a single-use daemon invoked through SSH. The invoked command line is always "rsync --server --daemon .", so you can force this exact command in authorized_keys instead of using a separate script. (The actual rsync arguments are provided to the daemon on its standard input using the daemon protocol.) You can then use rsyncd.conf to restrict what paths, transfer directions, and options are allowed (see rsyncd.conf(5)). Since the rsync daemon enforces the restrictions after parsing the arguments, you're much less likely to have a security hole than if you try to enforce the restrictions directly from the argument list.
See the section "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION" of rsync(1) for more information. Matt -- To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
