[scponly] enabling an rsync daemon on top of scponly setup...

Gore Jarold gore_jarold at yahoo.com
Mon May 14 17:20:09 EDT 2007


Kaleb,

Thank you for responding ... please see my comments
inline below, and accept my apologies for drifting off
topic here ...


--- Kaleb Pederson <kibab at icehouse.net> wrote:

> The following forms of client invocation will use the rsync daemon:
> 
> rsync [OPTION]... SRC [SRC]... [USER@]HOST::DEST
> rsync [OPTION]... SRC [SRC]... rsync://[USER@]HOST[:PORT]/DEST
> rsync [OPTION]... [USER@]HOST::SRC [DEST]
> rsync [OPTION]... rsync://[USER@]HOST[:PORT]/SRC [DEST]
> 
> Any time the '::' or 'rsync://' is used, the rsync daemon will be invoked.
> So the quick answer is that as long as your users type the correct form,
> they will not be breaking out of the chroot.
> 
> Also, when you set up the rsync daemon, you have to give it a set of paths
> that can be accessed, so it would in no way allow them to break out of the
> chroot, it just gives them access to specific portions of a filesystem tree.


So here is what I am seeing.  If I have a user with
this home directory:

/export/home/username

and this home path in the base system's underlying
/etc/passwd:

/export/home//username

BUT, I enter this into my /etc/ftpchroot file:

username  /

when that user logs in over ftp, they get dropped
right into the root of the entire system.  Now again,
permissions and ownerships will keep them from
wreaking any real havoc, but they are certainly not in
their chroot.

Luckily, I can just set /etc/ftpchroot to _match_ what
is in their /etc/passwd:

username  /export/home//username

and they are jailed in the same spot as they are with
scponlyc.  But the important thing is, that jailing is
being done with two different mechanisms - and most
importantly, the scponlyc shell does not affect where
ftp daemon drops them in the filesystem.

So ... it is with that in mind that I ask about
rsyncd.  As far as I can tell, there is no equivalent
to the "ftpchroot" file where I can define a different
directory for each user on the system to be jailed
when they use rsyncd.

And yes, I can define the root of the rsyncd process
_as a whole_, but can I do this on a per-user basis,
to lock each user into just their own home directory ?

I guess I can tell rsyncd to have a root of:

/export/home

and just rely on the permissions and ownerships of the
individual home dirs to avoid cross-pollination ?
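
The per-user confinement asked about above can be expressed with one rsyncd module per user, shown here as an added example that is not part of the original message, with the single shared module kept commented out for comparison. The user names alice and bob, the same-named groups, and the secrets file location are assumptions.

```ini
# /etc/rsyncd.conf -- constructed example, not from the original thread.
# alice and bob are hypothetical users. Comments must sit on their own
# lines: rsyncd.conf treats text after a value as part of the value.

# Global defaults, inherited by every module below.
# chroot into the module's path before any transfer starts
# (the daemon must be started as root for this to work).
use chroot = yes
read only = no
# Do not advertise module names to clients that ask for a listing.
list = no
# Assumed location; one "user:password" entry per line, and the file
# must not be readable by other users or rsyncd refuses it.
secrets file = /etc/rsyncd.secrets

# Shared-root layout from the message, left disabled for comparison.
# Every authenticated user is chrooted to /export/home, so only file
# ownership and modes keep users out of each other's directories.
#[home]
#    path = /export/home
#    auth users = alice, bob

# One module per user: each user authenticates to a module whose
# chroot is that user's own directory, and transfers run under that
# user's uid/gid rather than as root.
[alice]
    path = /export/home/alice
    auth users = alice
    uid = alice
    gid = alice

[bob]
    path = /export/home/bob
    auth users = bob
    uid = bob
    gid = bob

# Client side, using the daemon form quoted earlier in the thread:
#   rsync [OPTION]... SRC alice@HOST::alice/
# A request by alice for HOST::bob/ fails authentication, because
# alice is not listed in that module's "auth users".
```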


       


