One of our users accidentally commented out the path entry for a module on our backup server. As a result, the backup started overwriting system files and wrecked the backup server. I realize that path=/ is an excellent default for pulling backups from other machines, but would like to suggest that path must be explicitly set (for all modules or individual modules) in order to write to rsyncd.
This is already fixed in the 3.1.0dev code in git -- rsync refuses to use any module that doesn't have a path set.