When preparing a module list (e.g., queried by "rsync hostname::"), the daemon
should filter out modules that are denied by hosts allow/deny, password rights,
etc. This both reduces information leakage, and assures that the module can
actually be traversed.
Note comments here:
My use case was a module for which access was restricted to one IP address (a backup machine). I didn't want the existence of this module to be known to arbitrary users (information leakage never being a good thing). I ended up using two rsync daemons, with the private one protected by iptables on a non-standard port, to prevent the announcement of the modules' existence.
When I wrote up the feature-request, I added the password rights issue.
*** Bug 8506 has been marked as a duplicate of this bug. ***