Forbidden commands
Brought to you by:
xystrus
Menu
▾
▴
Forbidden commands
|
From: Alain D D W. <ad...@ph...> - 2019-11-22 15:54:37
|
A recent problem with a rsync/rssh setup that has worked since 2012.
This happened since update to rssh-2.3.4-15 a few days ago.
Running on a CentOS 6 machine.
The recent patch forbids the --daemon option - but I need this as I want an
instance of rsync (running over ssh) that exports two modules. The files in the
modules are not publicly visible - thus only available over ssh as a
particular user (public key authentication).
The patch contains the comment:
"Also scan the rsync command line for any --rsh, --config, or --daemon
option and reject it as well. This replaces and improves the upstream
strategy for rejecting that command-line option, taking advantage of
the parsing added to check the -e option. --config can be used to run
commands via "pre-xfer exec" when running as a daemon, plus the client
should not be able to spawn daemons."
So: how do I do this with this patch applied ?
Thanks in advance.
Something from /var/log/messages:
rssh[27171]: setting log facility to LOG_USER
rssh[27171]: setting umask to 022
rssh[27171]: line 52: configuring user someuser
rssh[27171]: setting someuser's umask to 0
rssh[27171]: allowing rsync to user someuser
rssh[27171]: cmd 'rsync' approved
rssh[27171]: cmd 'rsync' approved
rssh[27171]: insecure rsync options in rsync command line!
rssh[27171]: user someuser attempted to execute forbidden commands
rssh[27171]: command: rsync --server --daemon .
rssh[27177]: setting log facility to LOG_USER
rssh[27177]: setting umask to 022
rssh[27177]: line 52: configuring user someuser
rssh[27177]: setting someuser's umask to 0
rssh[27177]: allowing rsync to user someuser
rssh[27177]: cmd 'rsync' approved
rssh[27177]: cmd 'rsync' approved
rssh[27177]: insecure rsync options in rsync command line!
rssh[27177]: user someuser attempted to execute forbidden commands
rssh[27177]: command: rsync --server --daemon .
(Usename changed)
/home/someuser/rsyncd.conf
[maillist]
comment = Maillist backup
path = /var/spool/mailman/somemaillist
read only = true
use chroot = no
[mailman]
comment = Mailman programs
path = /usr/local/mailman/somemaillist/
read only = true
use chroot = no
My remote user has told me:
> ----------8<-------------------------------
> insecure rsync options not allowed.
> This account is restricted by rssh.
> Allowed commands: rsync
>
> If you believe this is in error, please contact your system administrator.
>
> rsync: did not see server greeting
> rsync error: error starting client-server protocol (code 5) at
> main.c(1648) [Receiver=3.1.2]
> ----------8<-------------------------------
>
>
> command I'm running is:
>
> ----------8<-------------------------------
> rsync -e ssh -av --delete rsync://som...@li.../somelist/backups/somelistlist/somelist/
> ----------8<-------------------------------
>
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
|