Bug 4318 - automatic module creation with rights on server
Status: RESOLVED WONTFIX
Alias: None
Product: rsync
Classification: Unclassified
Component: core
Version: 2.6.9
Hardware: Other All
Importance: P3 enhancement
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
Reported: 2007-01-01 21:53 UTC by Kilburn Abrahams
Modified: 2008-06-23 19:09 UTC

Attachments
Demo of automatic module creation using a dummy module (1.49 KB, application/x-bzip2)
2007-01-02 17:08 UTC, Matt McCutchen
Description Kilburn Abrahams 2007-01-01 21:53:25 UTC
A typical module would be

[module_name]
path = /var/rbackup/[module_name]
read only = false
list = false
uid = uiduser
gid = gigusers
transfer logging = yes
log format = [%a] %o %m (%u) %f %l
auth users = auth_username
secrets file = /etc/rsyncd.secrets
incoming chmod = ugo+rwx
hosts allow = *

When the client connects for the first time, the path, rights, rsyncd.secrets and rsyncd.conf are appended/created automatically. The information is obtained from the client. The server would not first check if the module credentials exist, if not, then create and then authenticate (although this is not necessary the first time round)

I do not think this is possible with the pre-xfer exec statement.
Comment 1 Matt McCutchen 2007-01-02 17:08:05 UTC
Created attachment 2247
Demo of automatic module creation using a dummy module

In my opinion, it would not make sense for rsync to implement any specific technique for automatic module creation since different administrators will want different techniques.  However, it might be useful if rsync had an option to reload rsyncd.conf between finishing the pre-xfer exec and actually entering a module.  Then pre-xfer exec would not be too late to automatically create a new module.

In the absence of that enhancement, you could have each new client first access a dummy module that triggers the daemon to set up the client's account.  I'm attaching a tar file of a daemon installation that demonstrates this technique.  A client uploads a file giving its desired username and password to a module called "autouser".  In autouser's post-xfer exec, the daemon creates the client's module and updates the rsyncd.conf and rsyncd.secrets.  Then the client can perform the real transfer.
Comment 2 Matt McCutchen 2007-01-02 22:04:05 UTC
Erratum for my demo daemon: the configuration file should set "max connections = 1" with a global "lock file" to avoid tons of nasty outcomes when a client connects in the middle of configuration updating.  It might be nice if the daemon placed some kind of advisory read lock on its configuration file while reading the file so that other processes could safely update the file by placing a write lock.  Bonus points if the daemon keeps the lock while reading the secrets file so it can avoid reading a secrets file newer than the configuration file.
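
One way the account-creation step from comments 1 and 2 could be written, as an added example that is not the code in attachment 2247 and not part of rsync. The two-line request format, the function names, the username policy and the separate lock file are assumptions made for illustration.

```python
import fcntl
import os
import re

# Assumed policy: conservative names only, so a request cannot smuggle "]",
# "/", ":" or newlines into rsyncd.conf, the module path or rsyncd.secrets.
NAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")

MODULE_TEMPLATE = """
[{name}]
path = {path}
read only = false
list = false
auth users = {name}
secrets file = {secrets}
"""

def parse_request(text):
    """Assumed request format: line 1 = username, line 2 = password."""
    lines = text.splitlines()
    if len(lines) != 2:
        raise ValueError("expected exactly two lines")
    name, password = lines
    if not NAME_RE.fullmatch(name):
        raise ValueError("username not allowed")
    if not password or not password.isprintable():
        raise ValueError("password not allowed")
    return name, password

def provision(request_text, conf, secrets, base_dir, lock_path):
    """Create one module; return False if the name is already taken."""
    name, password = parse_request(request_text)
    with open(lock_path, "a") as lock:
        # Advisory lock: it serialises provisioners only, because the daemon
        # discussed in this thread takes no lock of its own.
        fcntl.flock(lock, fcntl.LOCK_EX)
        existing = open(conf).read() if os.path.exists(conf) else ""
        if re.search(rf"^\s*\[\s*{re.escape(name)}\s*\]", existing, re.M):
            return False
        path = os.path.join(base_dir, name)
        os.makedirs(path, mode=0o750, exist_ok=True)
        # Secret first, so the module never appears without its password.
        fd = os.open(secrets, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
        with os.fdopen(fd, "w") as s:
            s.write(f"{name}:{password}\n")
        with open(conf, "a") as c:
            c.write(MODULE_TEMPLATE.format(name=name, path=path, secrets=secrets))
    return True
```

The lock only protects against two provisioning runs interleaving their appends; keeping a client from connecting mid-update still depends on the "max connections = 1" setting described above.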
Comment 3 Kilburn Abrahams 2007-01-02 23:05:42 UTC
(In reply to comment #2)
> Erratum for my demo daemon: the configuration file should set "max connections
> = 1" with a global "lock file" to avoid tons of nasty outcomes when a client
> connects in the middle of configuration updating.  It might be nice if the
> daemon placed some kind of advisory read lock on its configuration file while
> reading the file so that other processes could safely update the file by
> placing a write lock.  Bonus points if the daemon keeps the lock while reading
> the secrets file so it can avoid reading a secrets file newer than the
> configuration file.
> 

The idea of a dummy module is ideal, otherwise the server is open to abuse for unwanted connections.

A wishlist is to have rsync authenticate against a DB or LDAP to get round the nasty file read/write lock issue.
Comment 4 Matt McCutchen 2007-01-03 15:54:34 UTC
(In reply to comment #3)
> The idea of a dummy module is ideal, otherwise the server is open to abuse for
> unwanted connections.

Of course, the dummy module can do the same special authentication for first-time clients that you would have had rsync do.  I left the first-time authentication out of my demo because I wasn't sure how you wanted it done.

> A wishlist is to have rsync authenticate against a DB or LDAP to get round the
> nasty file read/write lock issue.

It would make more sense for rsync daemons to support PAM.  Then the administrator could configure the PAM service to use LDAP or whatever.
Comment 5 Matt McCutchen 2008-06-23 19:09:54 UTC
Automatic module creation should be done outside of rsync unless a compelling reason to do it in rsync arises.