From: Joe K. <kr...@ni...> - 2008-02-07 22:20:30
Jonathan Dill wrote:
> Hmm, interesting, basically an rsync wrapper. I was also thinking: How
> about an unprivileged account with sudo access to run rsync as root? I
> found this discussion:
>
> http://lists.samba.org/archive/rsync/2004-August/010439.html
>
> Turns out that is also in the BackupPC FAQ:
>
> http://backuppc.sourceforge.net/faq/ssh.html

I originally considered that approach, but sudo can only limit what executables are allowed, and cannot enable rsync with read-only access. This script enforces more restrictions. But, it might be useful to use sudo as well.

> If you are tunneling the rsync command through an ssh shell, then why
> would rsyncd with plain passwords be used at all? rsync would be run
> within the shell on the "client", ssh does the authentication
> (preferably by keys) rsyncd would not be used at all.

You still need access control from the localhost to keep regular users from using rsync to gain root privileges, even if you trust the local users.

> tcp_wrappers and / or iptables can be used to reinforce restrictions in
> case somebody figures out a way to fool rsync or try spoofing /
> man-in-the-middle. The unprivileged account could have a restricted
> shell as the shell to limit which commands could be accessed.

A restricted shell is more effort to make, and still would be much less restrictive than this simple Perl script.

> You should also use the complete absolute path and avoid adding layers
> of shell scripting to avoid e.g. a rootkit that adds to $PATH to
> redirect commands to new ones installed by the kit, also avoid reference
> to env variables.

This script has the full path to rsync, but a complete script should enforce this. The only environment variable it uses is one set by sshd.

One important thing that I did not implement here is to chroot to the destination directory. Is it possible to get the rsync receiver to go outside of the destination directory by sending "../" over the rsync protocol? If so, is it possible to get chroot protection without the /lib, etc., preparation of chroot?

Joe

> Joe Krahn wrote:
>> Here is a first draft at an rsync proxy command for access control on
>> the client computer (as an attachment; I hope that's OK). I think that
>> remote root access is probably more secure than a non-privileged ssh
>> tunnel, because that still relies on a plain rsyncd password for
>> security.
>>
>> This is a Perl script that gives very limited access control. You can
>> restrict the read and write access paths, and it automatically rejects
>> paths with "/../". It restricts the rsync arguments, and may need
>> adjustment if you want arguments like "--backup-suffix=...". It also
>> executes rsync in a way that avoids sh processing.
>>
>> There are many possibilities for developing this further. Comments are
>> welcome.
>>
>> Joe Krahn
>>
>> _______________________________________________
>> BackupPC-users mailing list
>> Bac...@li...
>> List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
>> Wiki: http://backuppc.wiki.sourceforge.net
>> Project: http://backuppc.sourceforge.net/
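As an added example (not the Perl script attached to the original post), here is a Python sketch of the same idea: a forced-command wrapper that validates SSH_ORIGINAL_COMMAND, allows only a whitelist of rsync server options, rejects any ".." path component (slightly stricter than the post's "/../" check), confines reads and writes to separate roots, and execs rsync by absolute path without a shell. The roots, the option whitelist and the rsync path are assumptions chosen for this example.

```python
import os
import shlex
import sys

RSYNC = "/usr/bin/rsync"              # absolute path, never resolved via $PATH
READ_ROOT = "/srv/export"             # assumed: remote may only read below here
WRITE_ROOT = "/srv/backups"           # assumed: remote may only write below here
ALLOWED_SHORT = set("vlogDtprRzeHx")  # assumed whitelist of single-letter options
ALLOWED_LONG = {"--server", "--sender", "--delete", "--numeric-ids"}

class Rejected(ValueError):
    """The requested command violates the policy."""

def safe_path(path, root):
    """True if an absolute path with no '..' component stays under root."""
    if not path.startswith("/") or ".." in path.split("/"):
        return False
    norm = os.path.normpath(path)
    return norm == root or norm.startswith(root + "/")

def check_command(original):
    """Validate $SSH_ORIGINAL_COMMAND; return the argv to exec or raise Rejected."""
    argv = shlex.split(original)
    # rsync over ssh always sends: rsync --server [--sender] <flags> . <path>
    if len(argv) < 4 or argv[:2] != ["rsync", "--server"] or argv[-2] != ".":
        raise Rejected("not an rsync --server invocation")
    for tok in argv[2:-2]:
        if tok.startswith("--"):
            if tok not in ALLOWED_LONG:
                raise Rejected("option not allowed: " + tok)
        elif tok.startswith("-"):
            # a cluster such as -vlogDtprze.iLsfxC ends in -e plus the protocol
            # capability string, which always begins with '.'
            head, sep, cap = tok[1:].partition("e")
            if not set(head + sep) <= ALLOWED_SHORT or (cap and cap[0] != "."):
                raise Rejected("option not allowed: " + tok)
        else:
            raise Rejected("unexpected argument: " + tok)
    # --sender means the remote reads from this host; otherwise it writes here
    root = READ_ROOT if "--sender" in argv else WRITE_ROOT
    if not safe_path(argv[-1], root):
        raise Rejected("path outside %s: %s" % (root, argv[-1]))
    return [RSYNC] + argv[1:]

if __name__ == "__main__":
    try:
        cmd = check_command(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    except Rejected as exc:
        sys.exit("rejected: %s" % exc)
    os.execv(cmd[0], cmd)  # exec directly so no shell ever parses the arguments
```

The argument check only sees the initial command line, not the file names exchanged over the rsync protocol afterwards, so it does not by itself settle the chroot question raised above.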