{
    "content": [
        {
            "type": "text",
            "text": "# rrsync (man)\n\n## NAME\n\nrrsync - a script to setup restricted rsync users via ssh logins\n\n## SYNOPSIS\n\nrrsync [-ro|-rw] [-munge] [-no-del] [-no-lock] DIR\nThe single non-option argument specifies the restricted DIR to use. It can be relative to the\nuser's home directory or an absolute path.\nThe online version of this manpage (that includes cross-linking of topics) is available at\nhttps://download.samba.org/pub/rsync/rrsync.1.\n\n## DESCRIPTION\n\nA user's ssh login can be restricted to only allow the running of an rsync transfer in one of\ntwo easy ways:\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **OPTIONS** (6 subsections)\n- **SECURITY RESTRICTIONS**\n- **BASH SECURITY ISSUE**\n- **EXAMPLES**\n- **FILES**\n- **SEE ALSO**\n- **VERSION**\n- **CREDITS**\n- **AUTHOR**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "rrsync",
        "section": "",
        "mode": "man",
        "summary": "rrsync - a script to setup restricted rsync users via ssh logins",
        "synopsis": "rrsync [-ro|-rw] [-munge] [-no-del] [-no-lock] DIR\nThe single non-option argument specifies the restricted DIR to use. It can be relative to the\nuser's home directory or an absolute path.\nThe online version of this manpage (that includes cross-linking of topics) is available at\nhttps://download.samba.org/pub/rsync/rrsync.1.",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [
            {
                "flag": "",
                "long": null,
                "arg": null,
                "description": ""
            },
            {
                "flag": "",
                "long": null,
                "arg": null,
                "description": ""
            },
            {
                "flag": "",
                "long": "--munge-links",
                "arg": null,
                "description": ""
            },
            {
                "flag": "",
                "long": null,
                "arg": null,
                "description": "Disable rsync's --delete* and --remove* options."
            },
            {
                "flag": "",
                "long": null,
                "arg": null,
                "description": "Avoid the single-run (per-user) lock check. Useful with -munge."
            },
            {
                "flag": "-h",
                "long": null,
                "arg": null,
                "description": "Output this help message and exit."
            }
        ],
        "examples": [
            "The ~/.ssh/authorized_keys file might have lines in it like this:",
            "command=\"rrsync client/logs\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzG...",
            "command=\"rrsync -ro results\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmk..."
        ],
        "see_also": [
            {
                "name": "rsync",
                "section": "1",
                "url": "https://www.chedong.com/phpMan.php/man/rsync/1/json"
            },
            {
                "name": "rsyncd.conf",
                "section": "5",
                "url": "https://www.chedong.com/phpMan.php/man/rsyncd.conf/5/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 8,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 42,
                "subsections": []
            },
            {
                "name": "OPTIONS",
                "lines": 1,
                "subsections": [
                    {
                        "name": "-ro -no-del -no-lock",
                        "lines": 1
                    },
                    {
                        "name": "-wo",
                        "lines": 1
                    },
                    {
                        "name": "-munge --munge-links",
                        "lines": 1,
                        "long": "--munge-links"
                    },
                    {
                        "name": "-no-del",
                        "lines": 2
                    },
                    {
                        "name": "-no-lock",
                        "lines": 2
                    },
                    {
                        "name": "-help -h",
                        "lines": 2,
                        "flag": "-h"
                    }
                ]
            },
            {
                "name": "SECURITY RESTRICTIONS",
                "lines": 17,
                "subsections": []
            },
            {
                "name": "BASH SECURITY ISSUE",
                "lines": 16,
                "subsections": []
            },
            {
                "name": "EXAMPLES",
                "lines": 5,
                "subsections": []
            },
            {
                "name": "FILES",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "VERSION",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "CREDITS",
                "lines": 5,
                "subsections": []
            },
            {
                "name": "AUTHOR",
                "lines": 6,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "rrsync - a script to setup restricted rsync users via ssh logins\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "rrsync [-ro|-rw] [-munge] [-no-del] [-no-lock] DIR\n\nThe single non-option argument specifies the restricted DIR to use. It can be relative to the\nuser's home directory or an absolute path.\n\nThe online version of this manpage (that includes cross-linking of topics) is available at\nhttps://download.samba.org/pub/rsync/rrsync.1.\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "A user's ssh login can be restricted to only allow the running of an rsync transfer in one of\ntwo easy ways:\n\no      forcing the running of the rrsync script\n\no      forcing the running of an rsync daemon-over-ssh command.\n\nBoth of these setups use a feature of ssh that allows a command to be forced to run instead\nof an interactive shell. However, if the user's home shell is bash, please see BASH SECURITY\nISSUE for a potential issue.\n\nTo use the rrsync script, edit the user's ~/.ssh/authorized_keys file and add a prefix like\none of the following (followed by a space) in front of each ssh-key line that should be\nrestricted:\n\ncommand=\"rrsync DIR\"\ncommand=\"rrsync -ro DIR\"\ncommand=\"rrsync -munge -no-del DIR\"\n\nThen, ensure that the rrsync script has your desired option restrictions. You may want to\ncopy the script to a local bin dir with a unique name if you want to have multiple\nconfigurations. One or more rrsync options can be specified prior to the DIR if you want to further\nrestrict the transfer.\n\nTo use an rsync daemon setup, edit the user's ~/.ssh/authorized_keys file and add a prefix\nlike one of the following (followed by a space) in front of each ssh-key line that should be\nrestricted:\n\ncommand=\"rsync --server --daemon .\"\ncommand=\"rsync --server --daemon --config=/PATH/TO/rsyncd.conf .\"\n\nThen, ensure that the rsyncd.conf file is created with one or more module names with the\nappropriate path and option restrictions. If rsync's --config option is omitted, it defaults\nto ~/rsyncd.conf. See the rsyncd.conf(5) manpage for details of how to configure an rsync\ndaemon.\n\nWhen using rrsync, there can be just one restricted dir per authorized key. A daemon setup,\non the other hand, allows multiple module names inside the config file, each one with its own\npath setting.\n\nThe remainder of this manpage is dedicated to using the rrsync script.\n",
                "subsections": []
            },
            "OPTIONS": {
                "content": "",
                "subsections": [
                    {
                        "name": "-ro -no-del -no-lock",
                        "content": ""
                    },
                    {
                        "name": "-wo",
                        "content": ""
                    },
                    {
                        "name": "-munge --munge-links",
                        "content": "",
                        "long": "--munge-links"
                    },
                    {
                        "name": "-no-del",
                        "content": "Disable rsync's --delete* and --remove* options.\n"
                    },
                    {
                        "name": "-no-lock",
                        "content": "Avoid the single-run (per-user) lock check.  Useful with -munge.\n"
                    },
                    {
                        "name": "-help -h",
                        "content": "Output this help message and exit.\n",
                        "flag": "-h"
                    }
                ]
            },
            "SECURITY RESTRICTIONS": {
                "content": "The rrsync script validates the path arguments it is sent to try to restrict them to staying\nwithin the specified DIR.\n\nThe rrsync script rejects rsync's --copy-links option (by default) so that a copy cannot\ndereference a symlink within the DIR to get to a file outside the DIR.\n\nThe rrsync script rejects rsync's --protect-args (-s) option because it would allow options\nto be sent to the server-side that the script cannot check. If you want to support\n--protect-args, use a daemon-over-ssh setup.\n\nThe rrsync script accepts just a subset of rsync's options that the real rsync uses when\nrunning the server command. A few extra convenience options are also included to help it to\ninteract with BackupPC and accept some convenient user overrides.\n\nThe script (or a copy of it) can be manually edited if you want to customize the option\nhandling.\n",
                "subsections": []
            },
            "BASH SECURITY ISSUE": {
                "content": "If your users have bash set as their home shell, bash may try to be overly helpful and ensure\nthat the user's login bashrc files are run prior to executing the forced command. This can\nbe a problem if the user can somehow update their home bashrc files, perhaps via the\nrestricted copy, a shared home directory, or something similar.\n\nOne simple way to avoid the issue is to switch the user to a simpler shell, such as dash.\nWhen choosing the new home shell, make sure that you're not choosing bash in disguise, as it\nis unclear if it avoids the security issue.\n\nAnother potential fix is to ensure that the user's home directory is not a shared mount and\nthat they have no means of copying files outside of their restricted directories. This may\nrequire you to force the enabling of symlink munging on the server side.\n\nA future version of openssh may have a change to the handling of forced commands that allows\nit to avoid using the user's home shell.\n",
                "subsections": []
            },
            "EXAMPLES": {
                "content": "The ~/.ssh/authorized_keys file might have lines in it like this:\n\ncommand=\"rrsync client/logs\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAzG...\ncommand=\"rrsync -ro results\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAmk...\n",
                "subsections": []
            },
            "FILES": {
                "content": "~/.ssh/authorized_keys\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "rsync(1), rsyncd.conf(5)\n",
                "subsections": []
            },
            "VERSION": {
                "content": "This manpage is current for version 3.2.7 of rsync.\n",
                "subsections": []
            },
            "CREDITS": {
                "content": "rsync is distributed under the GNU General Public License. See the file COPYING for details.\n\nAn rsync web site is available at https://rsync.samba.org/ and its github project is\nhttps://github.com/WayneD/rsync.\n",
                "subsections": []
            },
            "AUTHOR": {
                "content": "The original rrsync perl script was written by Joe Smith.  Many people have later contributed\nto it.  The python version was created by Wayne Davison.\n\n\n\nrrsync from rsync 3.2.7                      20 Oct 2022                                   rrsync(1)",
                "subsections": []
            }
        }
    }
}