Bug 2207 - Listing of available sync-sets is very different with and without daemon mode
Status: CLOSED INVALID
Alias: None
Product: rsync
Classification: Unclassified
Component: core
Version: 2.6.2
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
Reported: 2005-01-02 16:27 UTC by sten.carlsen
Modified: 2005-03-16 16:48 UTC
Description sten.carlsen 2005-01-02 16:27:18 UTC
With ssh all subfolders and files in the users home dir are available for sync.

This might be a question about protocol versions, BUT this is a HUGE security risk.

All data should be after this point:

Rsyncd server version:
[carlsen@christina carlsen]$ rsync --version
rsync  version 2.5.5  protocol version 26
Copyright (C) 1996-2002 by Andrew Tridgell and others
<http://rsync.samba.org/>
Capabilities: 64-bit files, socketpairs, hard links, symlinks, batchfiles, 
              IPv6, 64-bit system inums, 64-bit internal inums

rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.
[carlsen@christina carlsen]$ 


rsync client:
silver:~>rsync --version
rsync  version 2.6.2  protocol version 28
Copyright (C) 1996-2004 by Andrew Tridgell and others
<http://rsync.samba.org/>
Capabilities: 64-bit files, socketpairs, hard links, symlinks, batchfiles, 
              IPv6, 32-bit system inums, 64-bit internal inums

rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.
silver:~>



File: rsyncd.conf:
max connections = 2
log file = /var/log/rsync.log
timeout = 300

[selskab]
    comment = /home/carlsen/selskab
    path = /home/carlsen/selskab
    read only = no
    list = yes
    uid = carlsen
    gid = carlsen
    auth users = carlsen
    secrets file = /etc/rsyncd.secrets

[vandvaerk]
    comment = /work/Work/Vandvaerk
    path = /work/Work/Vandvaerk
    read only = no
    list = yes
    uid = carlsen
    gid = carlsen
#    auth users = carlsen
#    secrets file = /etc/rsyncd.secrets

[regnskab]
    comment = /home/carlsen/Regnskab
    path = /home/carlsen/Regnskab
    read only = no
    list = yes
    uid = carlsen
    gid = carlsen
#    auth users = carlsen
#    secrets file = /etc/rsyncd.secrets


From client direct connection:
silver:~>rsync christina::
selskab         /home/carlsen/selskab
vandvaerk       /work/Work/Vandvaerk
regnskab        /home/carlsen/Regnskab
silver:~>


From client via ssh:
silver:~>rsync christina: 
Enter passphrase for key '/Users/carlsen/.ssh/id_rsa': 
drwx------       4096 2005/01/02 22:31:19 .
-rw-r--r--      12292 2005/01/02 18:18:29 .DS_Store
-rw-------        193 2004/08/08 22:01:43 .ICEauthority
drwx------       4096 2003/10/12 19:15:07 .Trash
-rw-------        185 2005/01/02 13:14:32 .Xauthority
-rw-------      10359 2005/01/02 17:52:33 .bash_history
-rw-r--r--         24 2003/02/11 14:34:44 .bash_logout
-rw-r--r--        191 2003/02/11 14:34:44 .bash_profile
-rw-r--r--        124 2003/02/11 14:34:44 .bashrc
-rw-r--r--       5531 2003/02/04 10:32:13 .canna
drwx------       4096 2003/08/05 00:50:28 .cedit
-rw-r--r--        847 2003/02/20 07:41:26 .emacs
-rw-------         16 2003/08/04 02:33:07 .esd_auth
-rw-------         66 2005/01/03 00:02:17 .fetchids
-rw-r--r--    1730292 2005/01/03 00:02:17 .fetchmail.log
-rw-------          9 2004/08/29 17:39:36 .fetchmail.pid
-rw-------        749 2003/12/30 03:11:16 .fetchmailrc
-rw-------        749 2003/11/01 13:56:36 .fetchmailrc.test
-rw-------        737 2003/11/27 10:20:58 .fetchmailrc.work
-rw-r--r--      39817 2004/12/19 14:11:58 .fonts.cache-1
drwxr-xr-x       4096 2003/09/23 22:44:27 .fullcircle
drwx------       4096 2004/12/19 14:12:40 .gconf
drwx------       4096 2004/12/19 14:12:40 .gconfd
drwx------       4096 2003/08/04 00:29:20 .gftp
drwx------       4096 2004/03/07 21:40:03 .gnome
drwxr-xr-x       4096 2003/10/12 19:14:58 .gnome-desktop
drwxr-xr-x       4096 2004/08/08 22:01:34 .gnome2
drwx------       4096 2003/08/04 00:38:51 .gnome2_private
drwx------       4096 2003/10/17 16:38:06 .gnome_private
drwxr-xr-x       4096 2003/08/31 14:37:30 .gstreamer
-rw-r--r--        120 2003/02/27 00:15:12 .gtkrc
-rw-r--r--        138 2003/08/04 00:38:57 .gtkrc-1.2-gnome2
drwxr-xr-x       4096 2003/08/04 01:50:12 .kde
drwx------       4096 2003/10/09 20:52:49 .macromedia
-rw-r--r--       5200 2004/12/29 13:04:24 .mailboxlist
-rw-r--r--       1541 2003/09/27 14:22:06 .mailcap
drwxr-xr-x       4096 2005/01/02 20:02:12 .mc
drwx------       4096 2003/08/04 00:39:24 .metacity
-rw-r--r--        635 2003/09/27 14:22:06 .mime.types
drwx------       4096 2003/08/04 01:38:33 .mozilla
drwxr-xr-x       4096 2003/08/04 00:39:14 .nautilus
drwxr-xr-x       4096 2003/09/27 14:22:01 .netscape
drwxr-xr-x       4096 2003/09/27 14:22:01 .netscape6
drwxr-xr-x       4096 2003/09/27 14:22:19 .openoffice
drwx------       4096 2003/08/04 01:50:36 .qt
-rw-------       1485 2004/08/08 21:49:17 .recently-used
-rw-------        497 2003/08/04 00:39:24 .rhn-applet.conf
drwx------       4096 2003/11/02 16:20:18 .ssh
-rw-r--r--         69 2003/09/27 14:22:10 .sversionrc
drwx------       4096 2003/08/31 14:37:25 .thumbnails
-rw-r--r--         33 2004/05/24 01:30:16 .toprc
-rw-r--r--       2048 2003/09/27 14:22:35 .user60.rdb
-rw-------       9132 2003/11/15 23:00:45 .viminfo
drwxr-xr-x       4096 2003/08/04 00:24:48 .xemacs
-rw-r--r--       9096 2003/10/11 22:16:37 .xscreensaver
-rw-------        960 2003/11/28 00:19:14 .xsession-errors
drwxr-xr-x       4096 2004/11/08 22:10:49 Bank
drwxr-xr-x       4096 2004/07/22 21:16:05 Bil
drwxr-xr-x       4096 2004/07/17 19:03:32 Billeder
-rw-------      53457 2004/12/28 03:53:10 Drafts
drwxr-xr-x       4096 2001/08/26 17:32:50 Ferie2001
drwxr-xr-x       4096 2003/07/19 18:16:43 Hus
-rw-------        571 2004/06/07 09:01:09 Junk
drwxr-xr-x       4096 2004/02/21 23:27:49 MMC-card contents
drwxr-xr-x       4096 2004/12/31 01:34:30 OpenCA
drwx------       4096 2005/01/02 22:55:13 Passwords and registrations
drwxr-xr-x       4096 2005/01/02 19:56:04 Regnskab
drwxr-xr-x       4096 2003/03/20 21:19:21 Skat
drwxr-xr-x       4096 2001/08/26 17:31:54 Sus
-rw-------      78672 2005/01/02 22:31:19 Trash
drwxr-xr-x       4096 2003/07/06 03:07:59 address-book
drwxr-xr-x       4096 2002/02/07 20:49:23 apache
drwxr-xr-x       4096 2005/01/02 04:39:57 bin
drwxr-xr-x       4096 2004/12/26 18:52:15 download
drwx------       4096 2004/03/07 21:41:12 evolution
drwxr-xr-x       4096 2004/12/26 14:02:55 home
drwx------       4096 2005/01/03 00:03:36 mail
drwxr-xr-x       4096 2003/03/20 20:07:39 nette
drwxr-xr-x       4096 2002/02/02 17:40:26 pppoe
drwxr-xr-x       4096 2002/05/26 22:18:38 public_html
drwxr-xr-x       4096 2004/12/26 13:31:00 selskab
drwxr-xr-x       4096 2005/01/02 18:18:28 tmp
drwxr-xr-x       4096 2004/12/29 19:26:30 vandvaerk
silver:~>
Comment 1 Wayne Davison 2005-01-02 17:57:13 UTC
If the user has ssh access to a system, they can run any command they wish,
including "rm" or "bash", so it is not a security risk that rsync also lets them
access/manipulate all the same files as any other command.

You may wish to look into ssh's restricted command features if you don't wish to
let users run certain commands via ssh (such as rsync).

If you're wanting to secure the daemon mode access, use some kind of tunnel,
such as stunnel to secure the socket connections:

    http://www.stunnel.org/examples/rsync_mike.html
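
Added example, not part of the original comment or of rsync itself: one way to apply the ssh restricted-command feature mentioned in comment 1 is an authorized_keys forced command that admits only rsync server requests under the three paths from the reporter's rsyncd.conf. The script path /usr/local/bin/rsync-only.sh and the function name are hypothetical, and the check is an assumption of this example: it accepts only --sender and short-flag clusters and denies everything else.

```sh
#!/bin/sh
# Hypothetical forced-command wrapper; install it in ~/.ssh/authorized_keys as
#   command="/usr/local/bin/rsync-only.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <key>
# Allow-list assumed here: the three module paths from the rsyncd.conf above.
ALLOWED_ROOTS="/home/carlsen/selskab /work/Work/Vandvaerk /home/carlsen/Regnskab"

# Exit status 0 only for "rsync --server [--sender] -flags . PATH..." where
# every PATH is absolute and under an allowed root. The body is a subshell,
# so "exit" ends the check only and "set -f" does not leak to the caller.
rsync_command_allowed() (
    set -f                      # split into words without glob expansion
    set -- $1
    for w in "$@"; do           # refuse any word with shell metacharacters
        case $w in *[!A-Za-z0-9./_-]*) exit 1 ;; esac
    done
    [ "$1" = rsync ] && [ "$2" = --server ] || exit 1
    shift 2
    while [ $# -gt 0 ] && [ "$1" != . ]; do
        case $1 in
            --sender) ;;
            --*|*/*) exit 1 ;;  # no long options, no option carrying a path
            -[A-Za-z]*) ;;
            *) exit 1 ;;
        esac
        shift
    done
    [ "$1" = . ] || exit 1      # "." separates options from path arguments
    shift
    [ $# -gt 0 ] || exit 1
    for p in "$@"; do
        case $p in ..|../*|*/..|*/../*) exit 1 ;; esac
        ok=no
        for root in $ALLOWED_ROOTS; do
            case $p in "$root"|"$root"/*) ok=yes ;; esac
        done
        [ "$ok" = yes ] || exit 1
    done
    exit 0
)

# sshd passes the client's requested command in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    rsync_command_allowed "$SSH_ORIGINAL_COMMAND" || { echo "denied" >&2; exit 1; }
    set -f
    exec $SSH_ORIGINAL_COMMAND
fi
```

Relative paths and paths containing spaces are denied by this check, so clients must name the allowed directories by absolute path.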
Comment 2 sten.carlsen 2005-01-02 18:18:56 UTC
The other half of the bug is that it does not allow transfers to folders outside
my own home.

At least not directly from the command line. Have I missed a way to do that?

My point with this is that I actually found this bug by doing sync of the exact
same data with the exact same command line from the exact same folder and the
result was that I had two different synchronised datasets.

Basically it does not seem to use rsyncd.conf when going over ssh.

What did I miss?
Comment 3 Wayne Davison 2005-01-02 18:39:59 UTC
(In reply to comment #2)
> Basically it does not seem to use rsyncd.conf when going over ssh.

That's the difference between daemon mode and remote-shell mode.  See the docs:

    http://rsync.samba.org/ftp/rsync/rsync.html

The difference has nothing to do with ssh and everything to do with using either
":" or "::" -- yes, they're radically different.
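
Added example, not part of the original thread or of rsync's own code: a small classifier for the ":" versus "::" distinction described in comment 3, useful for checking which arguments in a script are governed by rsyncd.conf and which are ordinary remote-shell access. The function name rsync_transfer_mode is hypothetical; beyond the two forms shown in the bug it also covers rsync:// URLs, bracketed IPv6 hosts and local paths that contain a colon after a slash.

```sh
#!/bin/sh
# Classify one rsync source or destination argument.
# Prints one of:
#   daemon        module name is resolved through rsyncd.conf
#   remote-shell  path is opened with the remote login user's own permissions
#   local         no remote host involved
rsync_transfer_mode() {
    spec=$1
    case $spec in
        rsync://*) echo daemon; return ;;
        \[*\]::*)  echo daemon; return ;;        # [IPv6]::module
        \[*\]:*)   echo remote-shell; return ;;  # [IPv6]:path
    esac
    case $spec in
        *:*) ;;
        *) echo local; return ;;                 # no colon at all
    esac
    before=${spec%%:*}                           # text up to the first colon
    case $before in
        */*) echo local; return ;;               # slash before colon, e.g. ./a:b
    esac
    rest=${spec#*:}                              # text after the first colon
    case $rest in
        :*) echo daemon ;;                       # host::module
        *)  echo remote-shell ;;                 # host:path
    esac
}
```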