Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On Fri, Mar 11, 2022 at 10:36:49PM -0800, Bri Hatch via rsync wrote:

> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync wrote:
>
> > Rsync includes a script named rrsync that handles this perfectly.
>
> And authprogs provides similar functionality, though you use yaml to define
> what is/isn't allowed. However it does allow you to use one SSH identity
> for potentially many different source dirs rather than requiring a separate
> authorized_key entry for each forced command.
>
> example:
>
>     - rule_type: rsync
>       allow_download: true
>       allow_recursive: true
>       paths:
>         - /etc
>         - /srv/freezeray
>       path_startswith:
>         - /srv/web
>
> https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules

And there's sshdo as well:

https://github.com/raforg/sshdo

Like authprogs, it also works with any command, not just rsync. And it almost configures itself with a learning mode to monitor commands that need to be allowed. And it can relearn if commands need to change over time, and unlearn old commands that are no longer needed.

cheers,
raf

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On 12/03/22 19:36, Bri Hatch via rsync wrote:

> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync wrote:
>
> > Rsync includes a script named rrsync that handles this perfectly.
>
> And authprogs provides similar functionality, though you use yaml to define
> what is/isn't allowed.

Thanks - I didn't look at this earlier. It looks like a more general alternative to my dirvish one. I'll have to investigate further.

Though my use of ansible has given me a general dislike of yaml :-)

Cheers,
Richard
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
Hi there,

Thanks for your feedback!

> Bear in mind, putting a password in an environment variable can be seen by
> other users on the same system with "ps auxwwe".

Sure. But in my scenario, the control host is considered a „safe“ developer machine, while the target host is considered the „unsafe“ environment. I use this command on my laptop to deploy to lots of cloud machines – there’s no one other than me on my laptop (hopefully ;-)), but instead, I’d like to keep the target machine configurations as secure as possible (no passwordless sudo, no root login).

> The environment variables of a process when it was started are available via
> /proc//environ file. So while other users on that system can't see the
> environ, every other process running as your target user could.
>
> Worse, however, your "echo" process puts the password in arguments, and any
> local user can see program name and args for all running processes. That's a
> no-no.

Hm, I’m not sure I understand the implications. The whole password handling happens on the machine where I execute rsync (it’s done in "--rsh" not in "--rsync-path") – which in my scenario is a developer’s laptop. So it’s not the target users that can see the environment but only my own account on my own developer machine.

Plus, I don’t understand what you mean with „putting the password in arguments“. The environment variable expansion happens on my control machine exactly at the time when rsync tries to establish a connection to the target machine by running the shell code from --rsh inside a shell. This will create a subshell for echo and cat where the environment variable is read and written to stdout. stdout is then piped through ssh to the remote machine where "sudo -S" reads it on its stdin. It is never in any argument list. Please correct me if I’m wrong here.

Best,
Mark
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
The environment variables of a process when it was started are available via /proc//environ file. So while other users on that system can't see the environ, every other process running as your target user could.

Worse, however, your "echo" process puts the password in arguments, and any local user can see program name and args for all running processes. That's a no-no.

On Sat, Mar 12, 2022 at 2:14 PM Dan Stromberg via rsync <rsync@lists.samba.org> wrote:

> On Sat, Mar 12, 2022 at 12:23 PM Dr. Mark Asbach via rsync <rsync@lists.samba.org> wrote:
>
>> Hi there, hi past me,
>>
>> > My (non-working) attempt:
>> > […]
>> > So it seems the "-l" is dropped into the void letting ssh assume USER
>> > was the target host? I don’t actually get what I can do.
>>
>> Turns out, I have to write down the description of my issue and then send
>> the email before I magically understand the solution ;-)
>>
>> Here’s a working example that does not need a wrapper script:
>>
>> PASSWORD= rsync -vv --delete-after --delay-updates --rsh='/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"' --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR
>>
>> The trick was actually to add "$0" because $* will drop the first
>> argument from the list as this typically is the name of the script itself
>> (duh!).
>>
>> Hope this is of help to anyone,
>
> Cool, glad you found a solution you're happy with.
>
> Bear in mind, putting a password in an environment variable can be seen by
> other users on the same system with "ps auxwwe".

--
Bri Hatch
"Quite mad, they say. It is good that Zathras does not mind. He's even grown to like it. Oh yes."
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
On Sat, Mar 12, 2022 at 12:23 PM Dr. Mark Asbach via rsync <rsync@lists.samba.org> wrote:

> Hi there, hi past me,
>
> > My (non-working) attempt:
> > […]
> > So it seems the "-l" is dropped into the void letting ssh assume USER
> > was the target host? I don’t actually get what I can do.
>
> Turns out, I have to write down the description of my issue and then send
> the email before I magically understand the solution ;-)
>
> Here’s a working example that does not need a wrapper script:
>
> PASSWORD= rsync -vv --delete-after --delay-updates --rsh='/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"' --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR
>
> The trick was actually to add "$0" because $* will drop the first argument
> from the list as this typically is the name of the script itself (duh!).
>
> Hope this is of help to anyone,

Cool, glad you found a solution you're happy with.

Bear in mind, putting a password in an environment variable can be seen by other users on the same system with "ps auxwwe".
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
Hi there, hi past me,

> My (non-working) attempt:
> […]
> So it seems the "-l" is dropped into the void letting ssh assume USER was the
> target host? I don’t actually get what I can do.

Turns out, I have to write down the description of my issue and then send the email before I magically understand the solution ;-)

Here’s a working example that does not need a wrapper script:

    PASSWORD= rsync -vv --delete-after --delay-updates --rsh='/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"' --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR

The trick was actually to add "$0" because $* will drop the first argument from the list as this typically is the name of the script itself (duh!).

Hope this is of help to anyone,
Mark
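The argument handling behind the "$0" fix in the message above, as an added example that is not part of the original post: rsync appends `-l USER HOST ...` after the `--rsh` string, and `sh -c` puts the first appended word into `$0`. The stand-in for ssh, the password value and the stream line are constructed for the demonstration.

```sh
#!/bin/sh
# Added illustration, not code from the thread.
# rsync runs its --rsh string with extra words appended, e.g.
#   /bin/sh -c '<script>' -l USER HOST 'sudo -S rsync' --server ...
# and sh -c stores the first extra word ("-l") in $0, not in $* or "$@".

# Constructed stand-in for ssh: prints its arguments on one line, then
# copies stdin, which is what the remote "sudo -S rsync" would read.
FAKE_SSH='for a in "$@"; do printf "[%s]" "$a"; done; echo; cat'
export FAKE_SSH

# The wrapper from the thread without and with $0, plus a quoted variant.
# "ssh" is replaced by the stand-in and the trailing "&" is left out so
# that the output can be captured.
BROKEN='{ echo $PASSWORD; cat - ; } | sh -c "$FAKE_SSH" ssh -i id.key $*'
FIXED='{ echo $PASSWORD; cat - ; } | sh -c "$FAKE_SSH" ssh -i id.key $0 $*'
QUOTED='{ echo $PASSWORD; cat - ; } | sh -c "$FAKE_SSH" ssh -i id.key "$0" "$@"'

# run_wrapper SCRIPT: run SCRIPT as rsync would, with a constructed password
# and one line of constructed protocol data on stdin.
run_wrapper() {
    printf 'RSYNC-STREAM\n' |
        PASSWORD=example-pw sh -c "$1" -l USER HOST 'sudo -S rsync' --server
}

ssh_argv()     { run_wrapper "$1" | sed -n '1p'; }   # what ssh was given
remote_stdin() { run_wrapper "$1" | sed '1d'; }      # what the far side reads

for s in "$BROKEN" "$FIXED" "$QUOTED"; do ssh_argv "$s"; done
remote_stdin "$FIXED"
```

With `$*` alone the stand-in sees USER as its first non-option word, which matches the "Could not resolve hostname USER" error in the thread. ssh joins the remaining words with spaces into one remote command line, so the split of 'sudo -S rsync' in the FIXED output does not change what the remote shell runs.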
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
Hi everyone,

Thanks for all the ideas! Meanwhile, I’ve made some progress because there was another answer on "ask ubuntu" that got absolutely no interaction but that is a brilliant solution:

https://askubuntu.com/a/1263657 :

> just create a wrapper script for the ssh command.
> ssh_sudo:
> {
>   echo $PASSWORD;
>   cat - ;
> } | ssh $* &
>
> At first, this passes the password to the ssh client's sudo process in order
> to start rsync on the remote side. Next all input coming from the local rsync
> is piped to ssh.
> Finally call rsync e.g. with:
> PASSWORD= rsync -avzue ssh_sudo --rsync-path "sudo -S rsync" SRC DST
>
> I guess the security aspect here is not that bad, you'll only have to save
> the password locally as env var. Reading it from a file should work as well...

As it doesn’t need an argpass-script on the target side, but uses a wrapper for ssh on the HOST side to inject the password from an environment variable, it’s pretty convenient for my use case. Plus, there’s the added bonus of not having the password logged anywhere.

Ideally, I would now like to get rid of the helper script, so it’s a single rsync command that is left. I’m struggling with this but there’ll hopefully be some bash quoting wizards that can tell me where the issue is.

My (non-working) attempt:

    PASSWORD= rsync -vv --delete-after --delay-updates --rsh='/bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $* &"' --rsync-path='sudo -S rsync' ./SRCDIR USER@HOST:DSTDIR

This gets mangled by rsync in some non-working way, but I actually don’t understand enough of shell magic to solve this:

    opening connection using: /bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $* &" -l USER HOST "sudo -S rsync" --server -vvvlDtrze.iLsfxCIvu "--log-format=%i" --delete-after --delay-updates . DESTDIR (14 args)
    ssh: Could not resolve hostname USER: nodename nor servname provided, or not known
    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: error in rsync protocol data stream (code 12) at io.c(228) [sender=3.2.3]

So it seems the "-l" is dropped into the void letting ssh assume USER was the target host? I don’t actually get what I can do.

Anyway, I think the original answer on "ask ubuntu" is quite helpful. Unfortunately, I don’t have enough „reputation points“ to upvote the answer nor to comment …

Happy syncing,
Mark
Re: Restriction enforcement
On Tue, Mar 8, 2022 at 7:15 AM Hove, K.W. van (Koen, Student M-CS) via rsync wrote:

> I noticed that --max-size, --min-size, --exclude, and --include are only
> sent by the client as a "request" to the server, and that if the server for
> some reason chooses to ignore those options and include those files in the
> file list anyway, the client will happily run with it.

That is not based on client & server but rather sender & receiver. The sender gets the filter (include/exclude) commands so that it can trim the list it sends, but the client uses the min/max size values to figure out which files it wants to request. The client only uses the filter rules if it is running deletion commands.

The daemon has a bit more paranoia, with an extra filter list that is consulted on both the sending & receiving side. So, one simple change that could be done would be to tweak generator.c & receiver.c and add in filter checks of the main filter_list where it is checking the daemon_filter_list.

So, for the most part, rsync expects each side to do their job and doesn't double-check non-security things (it does security-check that the file list hasn't gone outside the request's bounds and that it doesn't leverage a symlink as a way to escape the hierarchy, for instance). There is also the problem that the generator has no direct way to tell the receiver what it is doing (given the big loop of information from generator to sender to receiver) so a rogue sender could be written to send files that the generator didn't request.

..wayne..
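Since the receiving side does not re-check the restrictions it asked for, a client that pulls from an untrusted sender can audit the transfer itself. The following is an added example, not rsync code and not part of the message above; it assumes the pull was logged with `--out-format='%l %n'`, and the log lines and limits are constructed.

```sh
#!/bin/sh
# Added illustration, not rsync code. Audits a pull after the fact, using
# the receiving client's own log written with --out-format='%l %n'
# (%l = file length in bytes, %n = file name).

# audit_transfer MAX_BYTES [EXCLUDE_PATTERN...] < log
# Prints one line per transferred entry that the requested --max-size or
# --exclude options should have kept out. Only slash-free exclude patterns
# are handled; they are matched against the last path component.
audit_transfer() {
    max=$1; shift
    while read -r size name; do
        case $name in ''|*/) continue ;; esac          # blank line or directory
        case $size in
            ''|*[!0-9]*) printf 'unparsed: %s %s\n' "$size" "$name"; continue ;;
        esac
        if [ "$size" -gt "$max" ]; then
            printf 'too-large: %s (%s bytes)\n' "$name" "$size"
        fi
        for pat in "$@"; do
            case ${name##*/} in
                $pat) printf 'excluded: %s (%s)\n' "$name" "$pat" ;;
            esac
        done
    done
}

# Constructed sample log for a pull requested with
#   --max-size=1048576 --exclude='*.bak' --exclude='*.tmp'
sample_log() {
    cat <<'EOF'
4096 ./
120 notes.txt
5242880 images/big.iso
88 cache/old.bak
17 my file.txt
EOF
}

audit_sample() { sample_log | audit_transfer 1048576 '*.bak' '*.tmp'; }
audit_sample
```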
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach
Hi,

I gave up using rrsync some years ago because of

a) potential security issues with path references that can occur within the rsync execution in the call of rrsync
b) possibly unmatched rsync options (rrsync must be kept up-to-date to match new options _and_ some options need to be intentionally removed that may be required)

So my solution on this is:

- a login script (with suid bit in my case)
- that creates/starts a docker image that limits path access and maps libs / rsync binary to be available in a limited environment, e.g. "alpine"

    DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only --rm --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro -v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
    $DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE $SSH_ORIGINAL_COMMAND 2>/dev/null

If anybody sees security problems with this approach please tell us.

Best regards
Florian

On 12.03.22 at 07:36, Bri Hatch via rsync wrote:

> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync wrote:
>
> > Rsync includes a script named rrsync that handles this perfectly.
>
> And authprogs provides similar functionality, though you use yaml to define what is/isn't allowed. However it does allow you to use one SSH identity for potentially many different source dirs rather than requiring a separate authorized_key entry for each forced command.
>
> example:
>
>     - rule_type: rsync
>       allow_download: true
>       allow_recursive: true
>       paths:
>         - /etc
>         - /srv/freezeray
>       path_startswith:
>         - /srv/web
>
> https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules
>
> > On 3/12/22 01:08, Richard Hector via rsync wrote:
> > > On 12/03/22 18:38, Richard Hector via rsync wrote:
> > >> And I do my backups (using dirvish) as root, using a key with a forced
> > >> command.
> > >
> > > FWIW, that forced command is here:
> > >
> > > https://github.com/rwhector/dirvish-forced-command
> > >
> > > It's rather unpolished and undocumented, but comments very welcome :-)
> > >
> > > I've also had an issue due to some server-side-only arguments to rsync
> > > being undocumented, which means I can't validate them, and basically
> > > have to accept anything ... I'd love to know why this is or has to be
> > > the case :-) I didn't get any particularly useful answers back in
> > > January 2019 ...
> > >
> > > Cheers,
> > > Richard
> >
> > --
> > Kevin Korb, Systems Administrator, FutureQuest, Inc., Orlando, Florida
> > Phone: (407) 252-6853
> > Internet: ke...@futurequest.net (work), k...@sanitarium.net (personal)
> > Web page: https://sanitarium.net/
> > PGP public key available on web site.
>
> --
> Bri Hatch
> "Quite mad, they say. It is good that Zathras does not mind. He's even grown to like it. Oh yes."
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
Also, it appears that it requires the allowed directory to be specified in authorized_keys. Mine uses an external list of allowed directories, so I don't need lots of lines (and separate keys?) in authorized_keys in order to deal with the several directories I back up per host.

Cheers,
Richard

On 12/03/22 21:01, Richard Hector via rsync wrote:

> It may do the job; it doesn't AFAIK explain why the options are undocumented :-)
>
> Cheers,
> Richard
>
> On 12/03/22 19:22, Kevin Korb via rsync wrote:
>
> > Rsync includes a script named rrsync that handles this perfectly.
> >
> > On 3/12/22 01:08, Richard Hector via rsync wrote:
> >
> > > On 12/03/22 18:38, Richard Hector via rsync wrote:
> > >
> > > > And I do my backups (using dirvish) as root, using a key with a forced command.
> > >
> > > FWIW, that forced command is here:
> > >
> > > https://github.com/rwhector/dirvish-forced-command
> > >
> > > It's rather unpolished and undocumented, but comments very welcome :-)
> > >
> > > I've also had an issue due to some server-side-only arguments to rsync being undocumented, which means I can't validate them, and basically have to accept anything ... I'd love to know why this is or has to be the case :-) I didn't get any particularly useful answers back in January 2019 ...
> > >
> > > Cheers,
> > > Richard
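A forced command that consults an external list of allowed directories, as described in the message above, could check the request along these lines. This is an added example, not code from dirvish-forced-command, rrsync or authprogs; the function names, the list format and the sample paths are assumptions made for the illustration.

```sh
#!/bin/sh
# Added illustration, not code from dirvish-forced-command, rrsync or authprogs.
LC_ALL=C; export LC_ALL

# check_rsync_command COMMAND ALLOW_LIST
# COMMAND is the value sshd puts in $SSH_ORIGINAL_COMMAND; ALLOW_LIST is a
# file with one allowed directory per line ("#" starts a comment line).
# Prints the requested path and returns 0 if it is inside an allowed
# directory, otherwise returns 1. The option words are not validated, and
# the path check is lexical only (symlinks are not resolved).
check_rsync_command() {
    cmd=$1 list=$2
    # Only plain characters: nothing a shell would treat specially.
    case $cmd in *[!A-Za-z0-9\ ./_=,:%+-]*) return 1 ;; esac
    case $cmd in 'rsync --server '*) ;; *) return 1 ;; esac
    path=${cmd##* }                      # last word is the directory argument
    case $path in /*) ;; *) return 1 ;; esac
    case $path/ in */../*|*/./*) return 1 ;; esac
    path=${path%/}
    while IFS= read -r dir; do
        case $dir in ''|'#'*) continue ;; esac
        # Compare whole components so /srv/web does not admit /srv/website.
        case $path/ in "${dir%/}"/*) printf '%s\n' "$path"; return 0 ;; esac
    done < "$list"
    return 1
}

# Constructed allow-list; prints the name of the temporary file it wrote.
sample_list() {
    f=$(mktemp) || return 1
    printf '%s\n' '# constructed allow-list' /etc /srv/web > "$f"
    printf '%s\n' "$f"
}

list=$(sample_list)
check_rsync_command 'rsync --server --sender -e.Lsf . /srv/web/site1' "$list" || echo rejected
check_rsync_command 'rsync --server --sender -e.Lsf . /srv/website' "$list" || echo rejected
rm -f "$list"
```

The check leaves the rsync option words unexamined, which is the gap the thread attributes to undocumented server-side arguments.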
Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers
It may do the job; it doesn't AFAIK explain why the options are undocumented :-)

Cheers,
Richard

On 12/03/22 19:22, Kevin Korb via rsync wrote:

> Rsync includes a script named rrsync that handles this perfectly.
>
> On 3/12/22 01:08, Richard Hector via rsync wrote:
>
> > On 12/03/22 18:38, Richard Hector via rsync wrote:
> >
> > > And I do my backups (using dirvish) as root, using a key with a forced command.
> >
> > FWIW, that forced command is here:
> >
> > https://github.com/rwhector/dirvish-forced-command
> >
> > It's rather unpolished and undocumented, but comments very welcome :-)
> >
> > I've also had an issue due to some server-side-only arguments to rsync being undocumented, which means I can't validate them, and basically have to accept anything ... I'd love to know why this is or has to be the case :-) I didn't get any particularly useful answers back in January 2019 ...
> >
> > Cheers,
> > Richard