Hi,
I gave up using rrsync some years ago because of
a) potential security issues with path references that can occur within
the rsync execution in the call of rrsync
b) possibly unmatched rsync options (rrsync must be kept up-to-date to
match new options _and_ some options need to be intentionally removed
that may be required)
So my solution on this is:
- a login script (with suid bit in my case)
- that creates/starts a docker image that limits path access and maps
libs / rsync binary to be available in a limited environment, e.g. "alpine"
DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only
--rm --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro
-v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
$DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE
$SSH_ORIGINAL_COMMAND 2>/dev/null
If anybody sees security problems with this approach please tell us.
Best regards
Florian
Am 12.03.22 um 07:36 schrieb Bri Hatch via rsync:
On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync
<rsync@lists.samba.org> wrote:
Rsync includes a script named rrsync that handles this perfectly.
And authprogs provides similar functionality, though you use yaml to
define what is/isn't allowed. However it does allow you to use one SSH
identity for potentially many different source dirs rather than
requiring a separate authorized_key entry for each forced command.
example:
- rule_type: rsync
allow_donwload: true
allow_recursive: true
paths:
- /etc
- /srv/freezeray
path_startswith:
- /srv/web
https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules
On 3/12/22 01:08, Richard Hector via rsync wrote:
> On 12/03/22 18:38, Richard Hector via rsync wrote:
>> And I do my backups (using dirvish) as root, using a key with a
forced
>> command.
>
> FWIW, that forced command is here:
>
> https://github.com/rwhector/dirvish-forced-command
>
> It's rather unpolished and undocumented, but comments very
welcome :-)
>
> I've also had an issue due to some server-side-only arguments to
rsync
> being undocumented, which means I can't validate them, and
basically
> have to accept anything ... I'd love to know why this is or has
to be
> the case :-) I didn't get any particularly useful answers back in
> January 2019 ...
>
> Cheers,
> Richard
>
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
Kevin Korb Phone: (407) 252-6853
Systems Administrator Internet:
FutureQuest, Inc. ke...@futurequest.net (work)
Orlando, Florida k...@sanitarium.net (personal)
Web page: https://sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,
--
Please use reply-all for most replies to avoid omitting the
mailing list.
To unsubscribe or change options:
https://lists.samba.org/mailman/listinfo/rsync
Before posting, read:
http://www.catb.org/~esr/faqs/smart-questions.html
--
Bri Hatch
"Quite mad, they say. It is good that Zathras does not mind. He's even
grown
to like it. Oh yes."
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html