Nick Cleaton <[email protected]> writes:

> If you really want the rsync protocol then a forced command of "${things
> such as nsjail and libcallfilt go here} rsync --server --daemon --config
> /etc/some-rsyncd.conf ." is probably about as solid as you can get it:
> rsync in daemon mode is designed to interact with an untrusted user, and
> you get to set which parts of the filesystem are readable and writable
> in /etc/some-rsyncd.conf.

> You do have to adapt the rsync client command though, to work in terms of
> modules defined in your rsyncd.conf rather than file paths:

>   rsync -av -e ssh /my/thing [email protected]::backups/

Don't you lose SSH authentication this way? You're spawning a separate
daemon that I think is now using the built-in rsync authentication, which
is just password (or nothing), so an attacker can then just connect
directly to the daemon that you've spawned.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
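The forced-command setup discussed in this thread, written out as an added example that is not part of the original messages. The module path, account name, host name and key are placeholders chosen for illustration; only the `backups` module name, the config path and the rsync command line come from the thread.

```ini
# /etc/some-rsyncd.conf  (config path as named in the thread)
#
# Intended to be started by sshd as a forced command, once per SSH login,
# from the backup account's ~/.ssh/authorized_keys (a single line; the key
# material is a placeholder):
#
#   restrict,command="rsync --server --daemon --config /etc/some-rsyncd.conf ." ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> backup-client
#
# "restrict" turns off port, agent and X11 forwarding and PTY allocation for
# that key. Because the command is forced, whatever command line the client
# sends is ignored and this daemon-mode rsync runs instead.
#
# Per rsync(1), "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION",
# a daemon started this way is single-use and speaks the daemon protocol over
# the SSH session's stdin/stdout; it does not bind a TCP port.

# Global section. The daemon runs as the SSH login user, not root, so it
# cannot chroot or switch uid/gid.
use chroot = no

# The only module the key can reach; the client addresses it as
#   rsync -av -e ssh /my/thing user@backuphost.example::backups/
# (user and host are placeholders).
[backups]
    # Assumed directory; everything outside it is unreachable via this module.
    path = /srv/backups/incoming
    comment = incoming backups
    # Allow uploads into the module.
    read only = no
    # Hide the module from "rsync host::" listings.
    list = no
    # Refuse every --delete* variant so a client cannot remove existing files.
    refuse options = delete
    # Neutralise uploaded symlinks that would point outside the module.
    munge symlinks = yes
```

No `auth users` or `secrets file` is set for the module, so the only credential in this sketch is the SSH key that triggers the forced command.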
