On Mon, Jun 16, 2008 at 06:20:02PM -0400, Martin Langhoff wrote:
> Note: this is a work in progress.

Naturally.

> Back to your question: we tack on a "transfer_complete" flag file in a
> 2nd rsync transmission that is conditional on the first one
> succeeding. A better solution is to wrap rsync at the XS end, and flag
> "completion" if the local rsync exits cleanly.

You could probably fix my objection by updating the protocol wiki page to discuss this convention. Does the server only consider backups that contain this completion flag? (More generally, how does the server select which path it should return to the client?)

> Hmmm. Nothing prevents clients from just ssh'ing in and rsyncing to
> various nested directories to DoS our storage.

Once you've given a login to someone then yes, they can do a lot of damage. However, I consider that problem to be orthogonal to the problem we were discussing, which was that of people who don't have logins doing nasty things.

> Heck, without rssh they get shell, so they can eat up the partition
> with a quick dd if=/dev/zero of=bla

Quotas? Token-bucketed writes? There are lots of options.

> If you tell me that our threat scenario is more serious, we are in for
> a complete change of plans.

Is your threat scenario described anywhere?

Michael

P.S. - Another curious thought: world-writable files on my XO will remain world-writable on the XS after being rsync'ed up and down, right? Presumably that means we need to take some care with the permissions on the directory we ask the client to store them in...

_______________________________________________
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
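An added example, not code from this thread or from the XS project, of the convention Martin describes and the two points Michael raises: the XS-side wrapper runs the local rsync, writes the transfer_complete flag only when rsync exits cleanly, and the server answers "which path do I return to the client" by picking the newest directory that carries the flag. It also strips the world-writable bit from the P.S. (rsync -a would otherwise preserve it) and reports any file that still has it. The layout $BACKUP_ROOT/<client>/<timestamp>/, the function names and the use of rsync's --chmod=o-w are my assumptions; rsync must be installed for receive_backup to run, the other functions only need a POSIX shell.

```shell
#!/bin/sh
# Added example: XS-side backup receiver for the "transfer_complete" convention.
# Layout and names are assumptions, not the XS code:
#   $BACKUP_ROOT/<client>/<YYYYMMDD-HHMMSS>/                   the rsync'ed tree
#   $BACKUP_ROOT/<client>/<YYYYMMDD-HHMMSS>/transfer_complete  the flag file
set -u
BACKUP_ROOT=${BACKUP_ROOT:-/var/backups/xo}

# mark_complete DIR STATUS: write the flag only when the rsync exit code is 0.
# Any stale flag is removed first so a failed re-run never looks complete.
mark_complete() {
    dir=$1
    status=$2
    rm -f "$dir/transfer_complete"
    if [ "$status" -eq 0 ]; then
        : > "$dir/transfer_complete"
        chmod 644 "$dir/transfer_complete"
        return 0
    fi
    return 1
}

# receive_backup CLIENT SRC...: wrap the local rsync (assumed installed) and
# flag completion from its exit status. --chmod=o-w drops the world-writable
# bit that -a would otherwise carry over from the XO.
receive_backup() {
    client=$1
    shift
    dest="$BACKUP_ROOT/$client/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    if rsync -a --chmod=o-w "$@" "$dest/"; then
        status=0
    else
        status=$?
    fi
    mark_complete "$dest" "$status"
}

# latest_complete CLIENT: print the newest backup that carries the flag.
# Timestamped names sort lexically, so the last flagged glob entry wins.
# Returns 1 when no complete backup exists, so a caller never hands a
# partial transfer back to the client.
latest_complete() {
    best=
    for d in "$BACKUP_ROOT/$1"/*/; do
        if [ -f "${d}transfer_complete" ]; then
            best=${d%/}
        fi
    done
    if [ -z "$best" ]; then
        return 1
    fi
    printf '%s\n' "$best"
}

# world_writable DIR: list entries still writable by "other" (symlinks
# excluded), the hazard raised in the P.S. Empty output is what a tree
# received through receive_backup should produce.
world_writable() {
    find "$1" -perm -002 ! -type l
}
```

A client restore path then becomes `latest_complete "$client" || exit 1`, and a periodic `world_writable "$BACKUP_ROOT"` run is a cheap audit that the --chmod rule has not been bypassed by some other upload path.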