running rsync daemon as unprivileged - Tools


  1. running rsync daemon as unprivileged

    Hi

    I run a mirror service where for Gentoo I run rsync as a daemon.
    Currently the daemon runs as root to get the 873 port opened.
    And when transfers then run, they run as nobody.

    I would like the rsync daemon to connect to 873 (as root)
    then possibly do a chroot and then run always as something else
    than root (maybe nobody).

    Is this advisable? Is it possible?

    best regards
    keld
    --
    Please use reply-all for most replies to avoid omitting the mailing list.
    To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
    Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


  2. Re: running rsync daemon as unprivileged

    On Sat, 2008-08-30 at 18:23 +0200, Keld Jørn Simonsen wrote:
    > I run a mirror service where for Gentoo I run rsync as a daemon.
    > Currently the daemon runs as root to get the 873 port opened.
    > And when transfers then run, they run as nobody.
    >
    > I would like the rsync daemon to connect to 873 (as root)
    > then possibly do a chroot and then run always as something else
    > than root (maybe nobody).
    >
    > Is this advisable? Is it possible?


    The only time that the rsync daemon supports chrooting and changing
    uid/gid is each time it accepts a client connection. If you want the
    daemon to listen on port 873 without the master daemon process running
    as root, you could have the daemon listen on an unprivileged port and
    run a port forwarding program (such as ssh) as root to forward
    connections from port 873 to the daemon's port. If you want the master
    process to be chrooted, you'll have to chroot before starting it.

    Matt


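Matt's suggestion above (daemon on an unprivileged port, a forwarder holding port 873), combined with the bind, chroot, then drop order Keld asks about, as an added example that is not part of the thread or of rsync: a small Python forwarder standing in for ssh. Port 8873, the `nobody` account and the `/var/empty` jail are assumptions.

```python
import contextlib, os, pwd, socket, threading

LISTEN = ("0.0.0.0", 873)       # privileged port: only this bind needs root
TARGET = ("127.0.0.1", 8873)    # assumed: rsync --daemon --port=8873 run as non-root
RUN_AS, JAIL = "nobody", "/var/empty"   # assumed account and empty, root-owned dir

def bind_listener(addr):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(addr)
    s.listen(64)
    return s

def drop_privileges(user, jail):
    pw = pwd.getpwnam(user)     # resolve before chroot hides /etc/passwd
    os.chroot(jail)
    os.chdir("/")               # do not keep a cwd outside the jail
    os.setgroups([])            # supplementary groups first
    os.setgid(pw.pw_gid)        # then gid, while still root
    os.setuid(pw.pw_uid)        # uid last: sets real, effective and saved uid
    if 0 in (os.getuid(), os.geteuid(), os.getgid(), os.getegid()):
        raise RuntimeError("still root after privilege drop")

def _pump(src, dst):
    with contextlib.suppress(OSError):
        while data := src.recv(65536):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)    # pass EOF on, keep the reverse path open

def _handle(client, target):
    with contextlib.suppress(OSError), client, socket.create_connection(target) as up:
        back = threading.Thread(target=_pump, args=(up, client))
        back.start()
        _pump(client, up)
        back.join()

def serve(listener, target):
    while True:
        client, _ = listener.accept()
        threading.Thread(target=_handle, args=(client, target), daemon=True).start()

if __name__ == "__main__":
    sock = bind_listener(LISTEN)        # 1. bind 873 as root
    drop_privileges(RUN_AS, JAIL)       # 2. chroot and drop before any client data
    serve(sock, TARGET)                 # 3. forward with no privileges left
```

Behind any such forwarder the rsync daemon sees every client as 127.0.0.1, so `hosts allow` rules and per-client log entries no longer reflect the real peer. A daemon started as non-root also cannot chroot or switch uid/gid per connection, so its modules need `use chroot = no`.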

  3. Re: running rsync daemon as unprivileged

    On Sat, Aug 30, 2008 at 12:58:10PM -0400, Matt McCutchen wrote:
    > On Sat, 2008-08-30 at 18:23 +0200, Keld Jørn Simonsen wrote:
    > > I run a mirror service where for Gentoo I run rsync as a daemon.
    > > Currently the daemon runs as root to get the 873 port opened.
    > > And when transfers then run, they run as nobody.
    > >
    > > I would like the rsync daemon to connect to 873 (as root)
    > > then possibly do a chroot and then run always as something else
    > > than root (maybe nobody).
    > >
    > > Is this advisable? Is it possible?

    >
    > The only time that the rsync daemon supports chrooting and changing
    > uid/gid is each time it accepts a client connection. If you want the
    > daemon to listen on port 873 without the master daemon process running
    > as root, you could have the daemon listen on an unprivileged port and
    > run a port forwarding program (such as ssh) as root to forward
    > connections from port 873 to the daemon's port. If you want the master
    > process to be chrooted, you'll have to chroot before starting it.


    Yes, this is also what I understand is possible now.

    Could a feature be added to rsync in daemon mode, where it shifts to a
    specific userid, after connecting to port 873 and possibly doing a
    chroot?

    best regards
    Keld

