In trying to come up with a good security plan for remote rsync access,
I found that options provided by rsync daemon mode are ideal for
reliably restricting file access. However, rsyncd is severely restricted
by many SELinux configurations. Running rsyncd with root access also
might provide a security hole for a local non-root intruder to get root.

My solution is to use rsync daemon mode over a shell connection. This
required some hacking of File::RsyncP. I am attaching an initial version
that should work without actually modifying RsyncP.pm. It overrides the
actual RsyncP::serverConnect() subroutine, which is possible because
Perl has very lenient file scoping.

In this version, rsyncd-over-shell is activated by using 'rsyncd'
transfer with the port set to zero. It uses the rsync command derived
from RsyncClientCmd, which is invalid for rsync daemon mode. I get
around this by setting command="" to the real rsync command in
.ssh/authorized_keys. That restricts remote access for the given ssh
key, which is a good thing. A proper implementation could have a
separate RsyncdShellCmd config variable, or treat non-numeric port
values as the shell command.

Of course, a proper implementation also means updating File::RsyncP on
CPAN. I think it is a simple but useful addition.
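
The client-side setup described above, as an added example that is not part of the original post or its attachment: a forced command in authorized_keys that starts rsync in daemon mode for the ssh session, and the rsyncd.conf it reads. The account name `backup`, the paths, the module name `etc` and the key placeholder are assumptions.

```conf
# --- /home/backup/.ssh/authorized_keys on the machine being backed up ---
# One line per key. The forced command replaces whatever command the
# connecting side sends (here, the one derived from RsyncClientCmd), so
# this key can only start rsync in daemon mode with the config named below.
# The remaining options remove pty allocation and all forwarding for the key.
command="/usr/bin/rsync --server --daemon --config=/home/backup/rsyncd.conf .",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> backuppc@backup-server

# --- /home/backup/rsyncd.conf ---
# Read by the daemon started through the forced command. There is no
# listening socket and no root process: the daemon runs as the 'backup'
# account and exits when the ssh session ends.

# chroot requires root, so it has to be off for a non-root daemon.
use chroot = no
# Do not reveal module names to a client that asks for a listing.
list = no
log file = /home/backup/rsyncd.log

# Only paths exposed as modules are reachable; anything else the account
# could read is not visible through this key.
[etc]
    path = /etc
    comment = system configuration, backup source only
    # Reject uploads and deletions so the key can be used to pull data only.
    read only = yes
```

Because the daemon runs as the unprivileged account, it can only serve files that account is able to read.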