On Dec 5, 2007 9:59 PM, Matt McCutchen <[EMAIL PROTECTED]> wrote:

> On Tue, 2007-12-04 at 15:59 -0500, Doug Lochart wrote:
> > Greetings all. Due to security concerns we are switching our backup
> > processes from "SSH tunnel to rsync daemon" to "Running rsync over ssh
> > in --server mode". In daemon mode we had a nice conglomerate log file
> > of all of the backups that ran.
> >
> > Second Question: So now after talking it out is there a way to get a
> > unified server side log for all rsync commands executed without having
> > a daemon running?
>
> What exactly were the security concerns? You might be better served by
> running a daemon configured in a way that meets your security needs.
>
> Matt

This is something we discovered by accident. We used ssh to create a tunnel using a user's ssh key. With this tunnel we were able to access any module defined in the system. Each module needs to be protected from the others, so if a user logs in with their credentials they should not have access to any other module. It would take a user knowing the name of another client to effect the security breach.

I admit I am no whiz at securing the rsync server. Once we had it set up to run in daemon mode we assumed the ssh tunnels would provide all that we need. We overlooked this one issue, however.

On the protocol version error, I have discovered the problem. I am using a validation script as part of the ssh key to make sure that only rsync is executed within that shell. The string I was initially testing for was "rsync --server", and when I added the --log-file to my rsync-path it changed the remote command so that it no longer validated. Evidently it took my response of "Rejected" and tried to convert that to an int for the protocol version.

Now I am having another issue, and that is passing a log format in the rsync-path. I can see it is coming over, but for some reason a default --log-format=%o is appended after --server is added by rsync. This effectively overrides the log-format I supplied. How do I stop this default log-format from being appended after --server?

Thanks

Doug

--
What profits a man if he gains the whole world yet loses his soul?
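An added example, not code from this thread: an sshd forced-command wrapper for a per-client rsync backup account, covering the two problems above (each client confined to its own module, and server-controlled logging that a client-supplied --rsync-path cannot override). It assumes a per-client directory under /srv/backups, logs under /var/log/rsync, rsync at /usr/bin/rsync, and an authorized_keys entry of the form `command="/usr/local/bin/rsync-guard alice",no-pty,no-port-forwarding ssh-ed25519 ...`; paths containing spaces are not handled.

```shell
#!/bin/sh
# Forced-command wrapper: sshd runs this with the client name as $1 and the
# client's real command line in SSH_ORIGINAL_COMMAND. Paths and names below are
# assumptions for the example, not values from the thread.
set -f   # no globbing: the client's words must never expand on the server
BACKUP_ROOT="/srv/backups"
LOG_DIR="/var/log/rsync"
RSYNC="/usr/bin/rsync"
# Accept only "rsync --server ..." whose server-side path (the last argument)
# lies inside this client's module. Rejections go to stderr only: anything
# written to stdout is read by the remote rsync as the protocol version.
validate_rsync_cmd() {
    client="$1"; cmd="$2"
    case "$cmd" in
        "rsync --server "*) ;;
        *) echo "rejected: not an rsync --server invocation" >&2; return 1 ;;
    esac
    case "$cmd" in
        *["&|;<>()\$\`"]*|..|../*|*/..|*/../*)
            echo "rejected: shell metacharacters or .. in command" >&2; return 1 ;;
    esac
    dest="${cmd##* }"
    case "$dest" in
        "$BACKUP_ROOT/$client"|"$BACKUP_ROOT/$client/"*) return 0 ;;
        *) echo "rejected: path outside $BACKUP_ROOT/$client" >&2; return 1 ;;
    esac
}
# Rewrite the argument list: drop any log option the client sent (a later
# option overrides an earlier one, which is why the appended --log-format=%o
# won) and add the server's own --log-file, so logging is decided here.
build_server_cmd() {
    client="$1"; cmd="$2"; out=""
    for word in $cmd; do
        case "$word" in
            --log-file=*|--log-file-format=*|--log-format=*) ;;
            --server) out="$out --server --log-file=$LOG_DIR/$client.log" ;;
            *) out="$out $word" ;;
        esac
    done
    printf '%s' "${out# }"
}
if [ -n "$1" ] && [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    CLIENT="$1"
    validate_rsync_cmd "$CLIENT" "$SSH_ORIGINAL_COMMAND" || exit 1
    set -- $(build_server_cmd "$CLIENT" "$SSH_ORIGINAL_COMMAND")
    shift                    # drop the leading "rsync"; exec our own binary
    exec "$RSYNC" "$@"
fi
```

One log file per client results; concatenating or tailing the files in /var/log/rsync gives the unified view the daemon used to provide.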
-- To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html