Doug, you might have figured some of this out already but I want to make sure you are fully informed:
On Fri, 2007-12-07 at 14:29 -0500, Doug Lochart wrote:
> I am going to take this approach and mix it with something else I
> thought of but I still have a few questions. I am playing with an
> rsync_wrapper script that makes sure that only rsync commands are
> executed within the SSH shell. I adapted the one on the rsync site.

> You mention "each user's forced command". When you say this are you
> referring to the client side rsync command OR forcing the issue within
> an rsync_wrapper script?

I was referring to the command=... value in the ssh authorized keys file or, equivalently, the command forced in the rsync_wrapper script.

> What I really would like to do is remove some of the stuff on the
> client side and simply embellish the server side rsync command within
> the rsync_wrapper. I would also like to point the server to the
> rsync module for that client.

Right...

> So basically if this came across in SSH_ORIGINAL_COMMAND for user
> foo
>
> rsync --log-file=/tmp/rlog --server -vlogDtpr --log-format=%o . /data/foo
>
> I would manipulate the command to do this:
>
> rsync --log-file=/tmp/rlog --daemon --server -vlogDtpr
> --config=/home/foo/rsyncd.conf --log-format=%o . /data/foo
>
> Can this be done OR do you recommend passing the --daemon in the
> --rsync-path option from the client?

In daemon mode, the options are sent in the data stream instead of on the command line. The SSH_ORIGINAL_COMMAND will be simply:

    rsync <RSYNC-PATH-STUFF-IF-ANY> --daemon --server .

All your wrapper script has to do is run:

    rsync --daemon --server --config=/home/foo/rsyncd.conf .

No --rsync-path option on the client is needed, and the wrapper script should run the command above as-is regardless of any extra options a malicious client might put in the SSH_ORIGINAL_COMMAND via --rsync-path. As you can see, this is much cleaner than a plain-server setup.
Matt
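A sketch of the forced-command wrapper described in the message above, added here as an illustration; it is not code from the thread or from the rsync project. The install name rsync_wrapper, the per-user config at $HOME/rsyncd.conf, and the function names is_daemon_request and run_wrapper are assumptions.

```shell
#!/bin/sh
# Added example: sshd forced-command wrapper for rsync daemon mode over SSH.
# Assumed to be installed as "rsync_wrapper" and referenced from the user's
# authorized_keys entry as: command="/path/to/rsync_wrapper" ssh-rsa AAAA...

# Accept only requests whose first word is "rsync" and that carry both
# --daemon and --server as whole words, in any order. The request text is
# inspected for the accept/reject decision only; none of it is executed.
is_daemon_request() {
    case "$1" in
        rsync\ *) ;;
        *) return 1 ;;
    esac
    case " $1 " in *" --daemon "*) ;; *) return 1 ;; esac
    case " $1 " in *" --server "*) ;; *) return 1 ;; esac
    return 0
}

run_wrapper() {
    if ! is_daemon_request "${SSH_ORIGINAL_COMMAND:-}"; then
        # Record what was asked for, so a rejected attempt is visible in logs.
        echo "rsync_wrapper: rejected: ${SSH_ORIGINAL_COMMAND:-<none>}" >&2
        return 1
    fi
    # Fixed argv: anything extra the client slipped in via --rsync-path is
    # dropped. Transfer options arrive in the daemon-protocol data stream and
    # are constrained by the modules defined in the per-user config file.
    exec rsync --daemon --server --config="$HOME/rsyncd.conf" .
}

# Act only when invoked under the assumed install name, so the functions
# above can be sourced and exercised without starting rsync.
case "$0" in
    *rsync_wrapper) run_wrapper ;;
esac
```

Because the exec line never interpolates SSH_ORIGINAL_COMMAND, the access policy lives entirely in the per-user rsyncd.conf.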