Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread raf via rsync
On Fri, Mar 11, 2022 at 10:36:49PM -0800, Bri Hatch via rsync 
 wrote:

> On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync 
> wrote:
> 
> > Rsync includes a script named rrsync that handles this perfectly.
> 
> And authprogs provides similar functionality, though you use yaml to define
> what is/isn't allowed. However it does allow you to use one SSH identity
> for potentially many different source dirs rather than requiring a separate
> authorized_key entry for each forced command.
> 
> example:
> 
> - rule_type: rsync
>   allow_donwload: true
>   allow_recursive: true
>   paths:
> - /etc
> - /srv/freezeray
>   path_startswith:
> - /srv/web
> 
> https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules

And there's sshdo as well: https://github.com/raforg/sshdo
Like authprogs, it also works with any command, not just rsync.
And it almost configures itself with a learning mode to monitor
commands that need to be allowed. And it can relearn if commands
need to change over time, and unlearn old commands that are no
longer needed.

cheers,
raf


-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Richard Hector via rsync

On 12/03/22 19:36, Bri Hatch via rsync wrote:
On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync 
mailto:rsync@lists.samba.org>> wrote:


Rsync includes a script named rrsync that handles this perfectly.


And authprogs provides similar functionality, though you use yaml to 
define what is/isn't allowed.


Thanks - I didn't look at this earlier. It looks like a more general 
alternative to my dirvish one. I'll have to investigate further.


Though my use of ansible has given me a general dislike of yaml :-)

Cheers,
Richard

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Dr. Mark Asbach via rsync
Hi there,

Thanks for your feedback!

> Bear in mind, putting a password in an environment variable can be seen by 
> other users on the same system with "ps auxwwe".


Sure. But in my scenario, the control host is considered a „safe“ developer 
machine, while the target host is considered the „unsafe“ environment. I use 
this command on my laptop to deploy to lots of cloud machines – there’s noone 
other than me on my laptop (hopefully ;-)), but instead, I’d like to keep the 
target machine configurations as secure as possible (no passwordless sudo, no 
root login).

> The environment variables of a process when it was started are available via 
> /proc//environ file. So while other users on that system can't see the 
> environ, every other process running as your target user could.
>
> Worse, however, your "echo" process puts the password in arguments, and any 
> local user can see program name and args for all running processes. That's a 
> no-no.

Hm, I’m not sure I understand the implications. The whole password handling 
happens on the machine where I execute rsync (it’s done in "--rsh" not in 
"--rsync-path“) – which in my scenario is a developer’s laptop. So it’s not the 
target users that can see the environment but only my own account on my own 
developer machine.

Plus, I don’t understand what you mean with „putting the password in 
arguments“. The environment variable expansion happens on my control machine 
exactly at the time when rsync tries to establish a connection to the target 
machine by running the shell code from --rsh inside a shell. This will create a 
subshell for echo and cat where the environment variable is read and written to 
stdout. stdout is then piped through ssh to the remote machine where "sudo -S" 
reads it on its stdin. It is never in any argument list.

Please correct me if I’m wrong here.

Best,
Mark

smime.p7s
Description: S/MIME cryptographic signature
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Bri Hatch via rsync
The environment variables of a process when it was started are available
via /proc//environ file. So while other users on that system can't see
the environ, every other process running as your target user could.

Worse, however, your "echo" process puts the password in arguments, and any
local user can see program name and args for all running processes. That's
a no-no.



On Sat, Mar 12, 2022 at 2:14 PM Dan Stromberg via rsync <
rsync@lists.samba.org> wrote:

>
> On Sat, Mar 12, 2022 at 12:23 PM Dr. Mark Asbach via rsync <
> rsync@lists.samba.org> wrote:
>
>> Hi there, hi past me,
>>
>> > My (non-working) attempt:
>> > […]
>> > So it seems the "-l" is dropped into the void letting ssh assume USER
>> was the target host? I don’t actually get what I can do.
>>
>> Turns out, I have to write down the description of my issue and then send
>> the email before I magically understand the solution ;-)
>>
>> Here’s a working example that does not need a wrapper script:
>>
>> PASSWORD= rsync -vv --delete-after --delay-updates '/bin/sh -c
>> "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"'
>> --rsync-path='sudo -S rsync‘ ./SRCDIR USER@HOST:DSTDIR
>>
>> The trick was actually to add "$0" because $* will drop the first
>> argument from the list as this typically is the name of the script itself
>> (duh!).
>>
>> Hope this is of help to anyone,
>>
>
> Cool, glad you found a solution you're happy with.
>
> Bear in mind, putting a password in an environment variable can be seen by
> other users on the same system with "ps auxwwe".
>
> --
> Please use reply-all for most replies to avoid omitting the mailing list.
> To unsubscribe or change options:
> https://lists.samba.org/mailman/listinfo/rsync
> Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
>


-- 
Bri Hatch

"Quite mad, they say. It is good that Zathras does not mind. He's even grown
 to like it. Oh yes."
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Dan Stromberg via rsync
On Sat, Mar 12, 2022 at 12:23 PM Dr. Mark Asbach via rsync <
rsync@lists.samba.org> wrote:

> Hi there, hi past me,
>
> > My (non-working) attempt:
> > […]
> > So it seems the "-l" is dropped into the void letting ssh assume USER
> was the target host? I don’t actually get what I can do.
>
> Turns out, I have to write down the description of my issue and then send
> the email before I magically understand the solution ;-)
>
> Here’s a working example that does not need a wrapper script:
>
> PASSWORD= rsync -vv --delete-after --delay-updates '/bin/sh -c
> "{ echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"'
> --rsync-path='sudo -S rsync‘ ./SRCDIR USER@HOST:DSTDIR
>
> The trick was actually to add "$0" because $* will drop the first argument
> from the list as this typically is the name of the script itself (duh!).
>
> Hope this is of help to anyone,
>

Cool, glad you found a solution you're happy with.

Bear in mind, putting a password in an environment variable can be seen by
other users on the same system with "ps auxwwe".
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Dr. Mark Asbach via rsync
Hi there, hi past me,

> My (non-working) attempt:
> […]
> So it seems the "-l" is dropped into the void letting ssh assume USER was the 
> target host? I don’t actually get what I can do.

Turns out, I have to write down the description of my issue and then send the 
email before I magically understand the solution ;-)

Here’s a working example that does not need a wrapper script:

PASSWORD= rsync -vv --delete-after --delay-updates '/bin/sh -c "{ 
echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $0 $* &"' --rsync-path='sudo 
-S rsync‘ ./SRCDIR USER@HOST:DSTDIR

The trick was actually to add "$0" because $* will drop the first argument from 
the list as this typically is the name of the script itself (duh!).

Hope this is of help to anyone,
Mark

smime.p7s
Description: S/MIME cryptographic signature
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Dr. Mark Asbach via rsync
Hi everyone,

Thanks for all the ideas! Meanwhile, I’ve made some progress because there was 
another answer on "ask ubuntu" that got absolutely no interaction but that is a 
brilliant solution:

https://askubuntu.com/a/1263657 :

> just create a wrapper script for the ssh command.
> ssh_sudo:
> {
>   echo $PASSWORD;
>   cat - ;
> } | ssh $* &
>
> At first, this passes the password to the ssh client's sudo process in order 
> to start rsync on the remote side. Next all input coming from the local rsync 
> is piped to ssh.
> Finally call rsync e.g. with:
> PASSWORD= rsync -avzue ssh_sudo --rsync-path "sudo -S rsync" SRC DST
>
> I guess the security aspect here is not that bad, you'll only have to save 
> the password locally as env var. Reading it from a file should work as well...


As it doesn’t need an argpass-script on the target side, but uses a wrapper for 
ssh on the HOST side to inject the password from an environment variable, it’s 
pretty convenient for my use case. Plus, there’s the added bonus of not having 
the password logged anywhere.

Ideally, I would now like to get rid of the helper script, so it’s a single 
rsync command that is left. I’m struggling with this but there’ll hopefully be 
some bash quoting wizards that can tell me where the issue is.

My (non-working) attempt:

PASSWORD= rsync -vv --delete-after --delay-updates '/bin/sh -c "{ 
echo $PASSWORD; cat - ; } | ssh -i ~/.ssh/id.key $* &"' --rsync-path='sudo -S 
rsync‘ ./SRCDIR USER@HOST:DSTDIR

This get’s mangled by rsync in some non-working way, but I actually don’t 
understand enough of shell magic to solve this:

opening connection using: /bin/sh -c "{ echo $PASSWORD; cat - ; } | ssh -i 
~/.ssh/id.key $* &" -l USER HOST "sudo -S rsync" --server -vvvlDtrze.iLsfxCIvu 
"--log-format=%i" --delete-after --delay-updates . DESTDIR  (14 args)
ssh: Could not resolve hostname USER: nodename nor servname provided, or not 
known
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(228) 
[sender=3.2.3]

So it seems the "-l" is dropped into the void letting ssh assume USER was the 
target host? I don’t actually get what I can do.

Anyway, I think the original answer on "ask ubuntu" is quite helpful. 
Unfortunately, I don’t have enough „reputation points“ to upvote the answer nor 
to comment …

Happy syncing,
Mark

smime.p7s
Description: S/MIME cryptographic signature
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Restriction enforcement

2022-03-12 Thread Wayne Davison via rsync
On Tue, Mar 8, 2022 at 7:15 AM Hove, K.W. van (Koen, Student M-CS) via
rsync  wrote:

> I noticed that --max-size, --min-size, --exclude, and --include are only
> sent by the client as a "request" to the server, and that if the server for
> some reason chooses to ignore those options and include those files in the
> file list anyway, the client will happily run with it.


That is not based on client & server but rather sender & receiver. The
sender gets the filter (include/exclude) commands so that it can trim the
list it sends, but the client uses the min/max size values to figure out
which files it wants to request. The client only uses the filter rules if
it is running deletion commands. The daemon has a bit more paranoia, with
an extra filter list that is consulted on both the sending & receiving
side. So, one simple change that could be done would be to tweak
generator.c & receiver.c and add in filter checks of the main filter_list
where it is checking the daemon_filter_list.

So, for the most part, rsync expects each side to do their job and doesn't
double-check non-security things (it does security-check that the file list
hasn't gone outside the request's bounds and that it doesn't leverage a
symlink as a way to escape the hierarchy, for instance).  There is also the
problem that the generator has no direct way to tell the receiver what it
is doing (given the big loop of information from generator to sender to
receiver) so a rogue sender could be written to send files that the
generator didn't request.

..wayne..
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers, docker approach

2022-03-12 Thread Florian Sager via rsync

Hi,

I gave up using rrsync some years ago because of
a) potential security issues with path references that can occur within 
the rsync execution in the call of rrsync
b) possibly unmatched rsync options (rrsync must be kept up-to-date to 
match new options _and_ some options need to be intentionally removed 
that may be required)


So my solution on this is:

- a login script (with suid bit in my case)

- that creates/starts a docker image that limits path access and maps 
libs / rsync binary to be available in a limited environment, e.g. "alpine"


DOCKERRSYNC_BASE="/usr/bin/ionice -c 3 $DOCKERBIN run -i --read-only 
--rm --security-opt no-new-privileges=true -v $RSYNC:/usr/bin/rsync:ro 
-v /lib/:/lib/:ro -v /lib64/:/lib64/:ro -v /usr/lib/:/usr/lib/:ro"
$DOCKERRSYNC_BASE -v $SYNCDIR:$SYNCDIR -w $SYNCDIR $DOCKERIMAGE 
$SSH_ORIGINAL_COMMAND 2>/dev/null


If anybody sees security problems with this approach please tell us.

Best regards
Florian



Am 12.03.22 um 07:36 schrieb Bri Hatch via rsync:



On Fri, Mar 11, 2022 at 10:22 PM Kevin Korb via rsync 
 wrote:


Rsync includes a script named rrsync that handles this perfectly.


And authprogs provides similar functionality, though you use yaml to 
define what is/isn't allowed. However it does allow you to use one SSH 
identity for potentially many different source dirs rather than 
requiring a separate authorized_key entry for each forced command.


example:

- rule_type: rsync
      allow_donwload: true
      allow_recursive: true
      paths:
        - /etc
        - /srv/freezeray
      path_startswith:
        - /srv/web

https://github.com/daethnir/authprogs/blob/main/doc/authprogs.md#rsync-subrules



On 3/12/22 01:08, Richard Hector via rsync wrote:
> On 12/03/22 18:38, Richard Hector via rsync wrote:
>> And I do my backups (using dirvish) as root, using a key with a
forced
>> command.
>
> FWIW, that forced command is here:
>
> https://github.com/rwhector/dirvish-forced-command
>
> It's rather unpolished and undocumented, but comments very
welcome :-)
>
> I've also had an issue due to some server-side-only arguments to
rsync
> being undocumented, which means I can't validate them, and
basically
> have to accept anything ... I'd love to know why this is or has
to be
> the case :-) I didn't get any particularly useful answers back in
> January 2019 ...
>
> Cheers,
> Richard
>

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,

        Kevin Korb                      Phone:    (407) 252-6853
        Systems Administrator           Internet:
        FutureQuest, Inc. ke...@futurequest.net  (work)
        Orlando, Florida k...@sanitarium.net (personal)
        Web page: https://sanitarium.net/
        PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,

-- 
Please use reply-all for most replies to avoid omitting the

mailing list.
To unsubscribe or change options:
https://lists.samba.org/mailman/listinfo/rsync
Before posting, read:
http://www.catb.org/~esr/faqs/smart-questions.html



--
Bri Hatch

"Quite mad, they say. It is good that Zathras does not mind. He's even 
grown

 to like it. Oh yes."

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Richard Hector via rsync
Also, it appears that it requires the allowed directory to be specified 
in authorized_keys. Mine uses an external list of allowed directories, 
so I don't need lots of lines (and separate keys?) in authorized_keys in 
order to deal with the several directories I back up per host.


Cheers,
Richard

On 12/03/22 21:01, Richard Hector via rsync wrote:
It may do the job; it doesn't AFAIK explain why the options are 
undocumented :-)


Cheers,
Richard

On 12/03/22 19:22, Kevin Korb via rsync wrote:

Rsync includes a script named rrsync that handles this perfectly.

On 3/12/22 01:08, Richard Hector via rsync wrote:

On 12/03/22 18:38, Richard Hector via rsync wrote:
And I do my backups (using dirvish) as root, using a key with a 
forced command.


FWIW, that forced command is here:

https://github.com/rwhector/dirvish-forced-command

It's rather unpolished and undocumented, but comments very welcome :-)

I've also had an issue due to some server-side-only arguments to 
rsync being undocumented, which means I can't validate them, and 
basically have to accept anything ... I'd love to know why this is or 
has to be the case :-) I didn't get any particularly useful answers 
back in January 2019 ...


Cheers,
Richard









--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Re: Trying to elevate rsync privileges when connecting over ssh without using NOPASSWD in sudoers

2022-03-12 Thread Richard Hector via rsync
It may do the job; it doesn't AFAIK explain why the options are 
undocumented :-)


Cheers,
Richard

On 12/03/22 19:22, Kevin Korb via rsync wrote:

Rsync includes a script named rrsync that handles this perfectly.

On 3/12/22 01:08, Richard Hector via rsync wrote:

On 12/03/22 18:38, Richard Hector via rsync wrote:
And I do my backups (using dirvish) as root, using a key with a 
forced command.


FWIW, that forced command is here:

https://github.com/rwhector/dirvish-forced-command

It's rather unpolished and undocumented, but comments very welcome :-)

I've also had an issue due to some server-side-only arguments to rsync 
being undocumented, which means I can't validate them, and basically 
have to accept anything ... I'd love to know why this is or has to be 
the case :-) I didn't get any particularly useful answers back in 
January 2019 ...


Cheers,
Richard






--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html