[OT] Setting up a restricted rsync user

Alexander Dalloz ad+lists at uni-x.org
Thu Jul 7 18:32:25 UTC 2005


On Thu, 07.07.2005 at 19:13, Michael Yep wrote:

> I want to set up a rsync user on my server, but I would like to make it 
> as limited as possible.
> I read some info about how to allow a user to only use sftp, but I am 
> unsure if this would be the same for rsync
> 
> for sftp
> 
> Add the user as usual and assign him a password. Then run the following 
> command (replace 'username' with the real user name):
> root at host # usermod -s /usr/lib/sftp-server username
> This changes user's shell to sftp-server.

That can be one step. Please see "-s <shell>" of the useradd command.

> The last step for this to work is to add '/usr/lib/sftp-server' to 
> /etc/shells to make it a valid shell, eg. like this:
> root at host # echo '/usr/lib/sftp-server' >> /etc/shells
> There. Now you've setup a user who can only access your server with SFTP.
> 
> Now how would I do this for rsync / ssh ?

Set up an rsyncd and in /etc/rsyncd.conf set "read only = yes" for the
directory the remote user is allowed to rsync.

Using rsync through ssh access, configure the sshd to allow only pubkey
auth (which is generally a good idea) and edit the
~/.ssh/authorized_keys public key part of the user to be like

command="rsync -avz /userdir" ssh-dss AAAAB......

You would need to "chattr +i" the authorized_keys file then to prevent
the untrusted user from changing the file.

> Also is there any way possible to make the files that are uploaded not 
> removable / writable by this user?

I don't understand what you mean by "files [...] uploaded". I thought
you were speaking about single-direction rsync only: client <-- server.

To achieve read-only access you need a different solution. You may use
the following Perl script

http://www.inwap.com/mybin/miscunix/?rrsync

and set the authorized_keys file to look like

command="rrsync -ro /userdir" ssh-dss AAAAB.....

> I know they must be available for read access for rsync to do its diffs 
> / checksums.

> Michael Yep

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 20:13:18 up 12 days, 3:05, load average: 0.14, 0.17, 0.11 
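The forced-command approach Alexander describes (a `command="rrsync -ro ..."` entry in authorized_keys, then locking the file) can be generated and audited with a small script. The following is an added example, not code from the thread or from the rrsync project; it assumes rrsync is installed in PATH as in the thread, the sample public key and paths are constructed placeholders, and the `no-*` restrictions are the standard sshd(8) AUTHORIZED_KEYS options, which close the forwarding and pty channels a forced command alone leaves open.

```shell
#!/bin/sh
# Added example: build and audit a restricted authorized_keys entry for an
# rsync-only account.  The key below is a constructed placeholder, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLE rsync-only@example'

# build_rsync_key_line DIR PUBKEY
# Prints one authorized_keys line that forces rrsync in read-only mode on DIR
# and disables TCP/agent/X11 forwarding and pty allocation for that key.
build_rsync_key_line() {
    dir="$1"
    pubkey="$2"
    printf 'command="rrsync -ro %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$dir" "$pubkey"
}

# audit_key_line LINE
# Returns 0 if LINE carries a forced command and all four no-* options,
# 1 otherwise.  Run this before marking the file immutable (chattr +i), so a
# permissive key is not locked in place.
audit_key_line() {
    line="$1"
    case "$line" in
        *command=\"*\"*) ;;          # a forced command is present
        *) return 1 ;;
    esac
    for opt in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
        case "$line" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_authorized_keys FILE
# Prints every key line in FILE that is not restricted; returns 1 if any
# were found, 0 if all keys are locked down.  Blank lines and comments are skipped.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! audit_key_line "$line"; then
            printf 'unrestricted key: %s\n' "$line"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Demo: print the entry that would go into the rsync user's authorized_keys.
build_rsync_key_line /home/rsyncuser/data "$SAMPLE_PUBKEY"
```

The audit deliberately treats a bare key (no `command=`) as a failure: such a key grants an interactive shell, which is exactly what the rsync-only setup is meant to prevent.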