
Re: [OT] Setting up a restricted rsync user

On Thu, 07.07.2005 at 19:13, Michael Yep wrote:

> I want to set up an rsync user on my server, but I would like to make it 
> as limited as possible.
> I read some info about how to allow a user to only use sftp, but I am 
> unsure if this would be the same for rsync.
> For sftp:
> Add the user as usual and assign him a password. Then run the following 
> command (replace 'username' with the real user name):
> root host # usermod -s /usr/lib/sftp-server username
> This changes the user's shell to sftp-server.

That can be done in one step. Please see the "-s <shell>" option of the useradd command.

> The last step for this to work is to add '/usr/lib/sftp-server' to 
> /etc/shells to make it a valid shell, e.g. like this:
> root host # echo '/usr/lib/sftp-server' >> /etc/shells
> There. Now you've set up a user who can only access your server with SFTP.
> Now how would I do this for rsync / ssh?

Set up an rsyncd and, in /etc/rsyncd.conf, set "read only = yes" for the
directory the remote user is allowed to rsync.

For rsync through ssh access, configure sshd to allow only pubkey
auth (which is generally a good idea) and edit the user's public key
entry in ~/.ssh/authorized_keys to look like

command="rsync -avz /userdir" ssh-dss AAAAB......

You would then need to "chattr +i" the authorized_keys file to prevent
the untrusted user from changing it.

> Also is there any way possible to make the files that are uploaded not 
> removable / writable by this user?

I don't understand what you mean by "files [...] uploaded". I thought
you were speaking about single-direction rsync only: client <-- server.

To achieve read-only access you need a different solution. You may use
the following Perl script


and set the authorized_keys file to look like

command="rrsync -ro /userdir" ssh-dss AAAAB.....

> I know they must be available for read access for rsync to do its diffs 
> / checksums.

> Michael Yep


Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 20:13:18 up 12 days, 3:05, load average: 0.14, 0.17, 0.11 
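The forced-command approach from the reply above, as an added example that is not part of the original mail: a small POSIX sh script that builds an rrsync-restricted authorized_keys entry (with the other ssh channels switched off as well) and audits an authorized_keys file for entries that still grant an ordinary login. It assumes rrsync is installed at /usr/bin/rrsync (placeholder path), that the exported tree is /userdir, and that key lines are in plain OpenSSH "type base64 [comment]" format.

```shell
#!/bin/sh
# Added example, not from the original thread: build the forced-command
# authorized_keys entry the reply describes and audit a file for keys that
# would still give the account a full shell.
# Assumptions: rrsync at /usr/bin/rrsync (placeholder path), export tree
# /userdir, key lines in plain OpenSSH format ("type base64 [comment]").

RRSYNC=/usr/bin/rrsync   # assumed path to rsync's rrsync helper script
EXPORT_DIR=/userdir      # directory the remote user may pull from

# restricted_entry "TYPE BASE64 [COMMENT]"
# Prints the key with rrsync -ro forced and pty, port, X11 and agent
# forwarding disabled, so a leaked key yields read-only rsync and nothing
# else (no interactive shell, no tunnels through the server).
restricted_entry() {
    set -- $1                       # split into type, blob, comment
    printf 'command="%s -ro %s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s %s\n' \
        "$RRSYNC" "$EXPORT_DIR" "$1" "$2"
}

# unrestricted_keys FILE
# Prints every non-comment, non-empty entry that carries no command=
# option; such keys bypass the rsync-only intent entirely.
unrestricted_keys() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | grep -v -E '(^|,)command="' || true
}

# Stand-alone demo on a constructed authorized_keys file.
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# constructed sample file' \
        'ssh-dss AAAAB3NzaC1kc3MAAACB constructed-unrestricted' \
        "$(restricted_entry 'ssh-dss AAAAB3NzaC1kc3MAAACC constructed-restricted')" > "$tmp"
    echo "entries lacking a forced command:"
    unrestricted_keys "$tmp"        # prints only the first, unrestricted key
    rm -f "$tmp"
}

demo
```

Instead of "chattr +i" on the user-owned file, sshd_config's AuthorizedKeysFile can point at a root-owned location (for example /etc/ssh/authorized_keys/%u) so the user cannot edit the entry at all; that option is an OpenSSH feature, not something the original mail mentions.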

