This patch adds a new option: --fake-super, which tells rsync to copy in a
fake super-user mode that stores various file attributes in an extended-
-attribute value instead of as real file-system attributes. The items
-affected are:
-
- mode the real mode of the file always has the special-permission bits
- cleared (u-s,g-s,o-t) and full owner access is always enabled
- (u+rw for files and u+rwx for directories). The former makes
- the files safe if the user and/or group info was not really
- preserved, and the latter ensures that our fake-super process
- can always read & write & scan the files and directories.
-
- rdev devices and special files are created as zero-length normal
- files (with all the attributes preserved in the xattr-stat).
-
- uid the real owner will be the executor of the receiving rsync.
-
- gid the real group will be the default group of the executor.
-
-The --fake-super option only affects the side where the option is used. To
-affect the remote side of a remote-shell connection, specify an rsync path:
-
- rsync -av --rsync-path='rsync --fake-super' /src/ host:/dest/
-
-The --fake-super option affects both sides of a local copy, so if you want
-to affect only one side or the other, you'll need to turn the copy into a
-remote copy to/from localhost. However, it's always safe to copy from some
-non-fake-super files into some fake-super files using a normal local copy
-since the non-fake source files will just have their normal attributes.
-
-A daemon can set "fake super = yes" in the rsync.conf file for any module
-that you'd like to be able to preserve all attributes without having it
-run as root (the client cannot affect this setting on the daemon).
+attribute value instead of as real file-system attributes. See the changes
+to the manpages for details.
After applying this patch, run these commands for a successful build:
./configure --enable-acl-support --enable-xattr-support
make
-TODO:
-
- - We may want to normalize the mode somehow, so that the value in the
- xattr field is more portable. E.g. separate the type from the mode
- value and reconstruct it.
-
--- old/backup.c
+++ new/backup.c
@@ -129,7 +129,7 @@ static int make_bak_dir(char *fullpath)
file->modtime = st2.st_mtime;
file->length = st2.st_size;
file->mode = st2.st_mode;
---- old/generator.c
-+++ new/generator.c
-@@ -1510,13 +1510,14 @@ void generate_files(int f_out, struct fi
- recv_generator(fbuf, file, i, itemizing, maybe_ATTRS_REPORT,
- code, f_out);
-
-- /* We need to ensure that any dirs we create have writeable
-+ /* We need to ensure that any dirs we create have rwx
- * permissions during the time we are putting files within
- * them. This is then fixed after the transfer is done. */
- #ifdef HAVE_CHMOD
-- if (!am_root && S_ISDIR(file->mode) && !(file->mode & S_IWUSR)
-+ if (am_root <= 0 && S_ISDIR(file->mode)
-+ && (file->mode & S_IRWXU) != S_IRWXU
- && dir_tweaking) {
-- mode_t mode = file->mode | S_IWUSR; /* user write */
-+ mode_t mode = file->mode | S_IRWXU; /* user rwx */
- char *fname = local_name ? local_name : fbuf;
- if (do_chmod(fname, mode) < 0) {
- rsyserr(FERROR, errno,
--- old/loadparm.c
+++ new/loadparm.c
@@ -150,6 +150,7 @@ typedef struct
int do_compression = 0;
int def_compress_level = Z_DEFAULT_COMPRESSION;
-int am_root = 0;
-+int am_root = 0; /* 0 = normal, 1 = super, 2 = --super, -1 = --fake-super */
++int am_root = 0; /* 0 = normal, 1 = root, 2 = --super, -1 = --fake-super */
int am_server = 0;
int am_sender = 0;
int am_generator = 0;
-@@ -330,6 +330,7 @@ void usage(enum logcode F)
+@@ -329,6 +329,9 @@ void usage(enum logcode F)
rprintf(F," -t, --times preserve times\n");
rprintf(F," -O, --omit-dir-times omit directories when preserving times\n");
rprintf(F," --super receiver attempts super-user activities\n");
++#ifdef SUPPORT_XATTRS
+ rprintf(F," --fake-super store/recover privileged attrs using xattrs\n");
++#endif
rprintf(F," -S, --sparse handle sparse files efficiently\n");
rprintf(F," -n, --dry-run show what would have been transferred\n");
rprintf(F," -W, --whole-file copy files whole (without rsync algorithm)\n");
-@@ -454,6 +455,7 @@ static struct poptOption long_options[]
+@@ -453,6 +456,7 @@ static struct poptOption long_options[]
{"modify-window", 0, POPT_ARG_INT, &modify_window, OPT_MODIFY_WINDOW, 0, 0 },
{"super", 0, POPT_ARG_VAL, &am_root, 2, 0, 0 },
{"no-super", 0, POPT_ARG_VAL, &am_root, 0, 0, 0 },
{"owner", 'o', POPT_ARG_VAL, &preserve_uid, 1, 0, 0 },
{"no-owner", 0, POPT_ARG_VAL, &preserve_uid, 0, 0, 0 },
{"no-o", 0, POPT_ARG_VAL, &preserve_uid, 0, 0, 0 },
---- old/receiver.c
-+++ new/receiver.c
-@@ -528,7 +528,7 @@ int recv_files(int f_in, struct file_lis
- if (fd1 == -1) {
- st.st_mode = 0;
- st.st_size = 0;
-- } else if (do_fstat(fd1,&st) != 0) {
-+ } else if (x_fstat(fd1, &st, NULL) != 0) {
- rsyserr(FERROR, errno, "fstat %s failed",
- full_fname(fnamecmp));
- discard_receive_data(f_in, file->length);
+@@ -1178,6 +1182,14 @@ int parse_arguments(int *argc, const cha
+ }
+ #endif
+
++#ifndef SUPPORT_XATTRS
++ if (am_root < 0) {
++ snprintf(err_buf, sizeof err_buf,
++ "--fake-super requires an rsync with extended attributes enabled\n");
++ return 0;
++ }
++#endif
++
+ if (write_batch && read_batch) {
+ snprintf(err_buf, sizeof err_buf,
+ "--write-batch and --read-batch can not be used together\n");
--- old/rsync.c
+++ new/rsync.c
-@@ -49,7 +49,6 @@ extern int preserve_gid;
- extern int inplace;
- extern int keep_dirlinks;
- extern int make_backups;
--extern mode_t orig_umask;
- extern struct stats stats;
- extern struct chmod_mode_struct *daemon_chmod_modes;
-
-@@ -197,7 +196,9 @@ int set_file_attrs(char *fname, struct f
+@@ -196,7 +196,9 @@ int set_file_attrs(char *fname, struct f
(long)sxp->st.st_gid, (long)file->gid);
}
}
- if (do_lchown(fname,
-+ if (am_root < 0)
++ if (am_root < 0) {
+ ;
-+ else if (do_lchown(fname,
++ } else if (do_lchown(fname,
change_uid ? file->uid : sxp->st.st_uid,
change_gid ? file->gid : sxp->st.st_gid) != 0) {
/* shouldn't have attempted to change uid or gid
-@@ -206,7 +207,7 @@ int set_file_attrs(char *fname, struct f
+@@ -205,7 +207,7 @@ int set_file_attrs(char *fname, struct f
change_uid ? "chown" : "chgrp",
full_fname(fname));
goto cleanup;
/* a lchown had been done - we have to re-stat if the
* destination had the setuid or setgid bits set due
* to the side effect of the chown call */
-@@ -223,6 +224,8 @@ int set_file_attrs(char *fname, struct f
+@@ -222,6 +224,8 @@ int set_file_attrs(char *fname, struct f
#ifdef SUPPORT_XATTRS
if (preserve_xattrs && set_xattr(fname, file, sxp) == 0)
updated = 1;
#endif
#ifdef SUPPORT_ACLS
/* It's OK to call set_acl() now, even for a dir, as the generator
-@@ -237,7 +240,7 @@ int set_file_attrs(char *fname, struct f
+@@ -236,7 +240,7 @@ int set_file_attrs(char *fname, struct f
#ifdef HAVE_CHMOD
if ((sxp->st.st_mode & CHMOD_BITS) != (new_mode & CHMOD_BITS)) {
"failed to set permissions on %s",
--- old/rsync.h
+++ new/rsync.h
-@@ -708,6 +708,12 @@ typedef struct {
+@@ -707,6 +707,12 @@ typedef struct {
#include "proto.h"
/* We have replacement versions of these if they're missing. */
#ifndef HAVE_ASPRINTF
int asprintf(char **ptr, const char *format, ...);
-@@ -925,3 +931,23 @@ int inet_pton(int af, const char *src, v
+@@ -924,3 +930,23 @@ int inet_pton(int af, const char *src, v
#ifdef MAINTAINER_MODE
const char *get_panic_action(void);
#endif
-S, --sparse handle sparse files efficiently
-n, --dry-run show what would have been transferred
-W, --whole-file copy files whole (without rsync algorithm)
-@@ -899,6 +900,31 @@ also for ensuring that you will get erro
+@@ -846,7 +847,7 @@ permission value can be applied to the f
+ dit(bf(-o, --owner)) This option causes rsync to set the owner of the
+ destination file to be the same as the source file, but only if the
+ receiving rsync is being run as the super-user (see also the bf(--super)
+-option to force rsync to attempt super-user activities).
++and bf(--fake-super) options).
+ Without this option, the owner is set to the invoking user on the
+ receiving side.
+
+@@ -869,7 +870,7 @@ default, but may fall back to using the
+ dit(bf(--devices)) This option causes rsync to transfer character and
+ block device files to the remote system to recreate these devices.
+ This option has no effect if the receiving rsync is not run as the
+-super-user and bf(--super) is not specified.
++super-user (see also the bf(--super) and bf(--fake-super) options).
+
+ dit(bf(--specials)) This option causes rsync to transfer special files
+ such as named sockets and fifos.
+@@ -899,6 +900,33 @@ also for ensuring that you will get erro
being running as the super-user. To turn off super-user activities, the
super-user can use bf(--no-super).
-+dit(bf(--fake-super)) When this option is enabled, privileged attributes
-+are stored and recovered via a special extended attribute that is attached
-+to each file (as needed). This includes the file's owner and group (if it
-+is not the default), the file's device info (device & special files are
-+created as empty text files), and any permission bits that we won't allow
-+to be set on the real file (e.g. the real file gets u-s,g-s,o-t for safety)
-+or that would limit the owner's access (since the real super user can
-+always access a file or directory, the files we create can always be
-+accessed by the creating user too).
++dit(bf(--fake-super)) When this option is enabled, rsync simulates
++super-user activities by saving/restoring the privileged attributes via a
++special extended attribute that is attached to each file (as needed). This
++includes the file's owner and group (if it is not the default), the file's
++device info (device & special files are created as empty text files), and
++any permission bits that we won't allow to be set on the real file (e.g.
++the real file gets u-s,g-s,o-t for safety) or that would limit the owner's
++access (since the real super-user can always access/change a file or
++directory, the files we create can always be accessed/changed by the
++creating user).
+
+The bf(--fake-super) option only affects the side where the option is used.
+To affect the remote side of a remote-shell connection, specify an rsync
+
+quote(tt( rsync -av --rsync-path="rsync --fake-super" /src/ host:/dest/))
+
-+The bf(--fake-super) option affects both sides of a em(local) copy, so if
-+you want to affect only one side or the other, you'll need to turn the copy
-+into a remote copy to/from localhost. However, it's always safe to copy
-+from some non-fake-super files into some fake-super files using a normal
-+local copy since the non-fake source files will just have their normal
-+attributes.
++Since there is only one "side" in a local copy, this option affects both
++the sending and recieving of files. You'll need to specify a copy using
++"localhost" if you need to avoid this. Note, however, that it is always
++safe to copy from some non-fake-super files into some fake-super files
++using a local bf(--fake-super) command because the non-fake source files
++will just have their normal attributes.
+
+See also the "fake super" setting in the daemon's rsyncd.conf file.
++This option is overridden by both bf(--super) and bf(--no-super).
+
dit(bf(-S, --sparse)) Try to handle sparse files efficiently so they take
up less space on the destination. Conflicts with bf(--inplace) because it's
int preserve_perms = 0;
--- old/xattr.c
+++ new/xattr.c
-@@ -28,11 +28,15 @@
+@@ -28,11 +28,14 @@
extern int dry_run;
extern int read_only;
extern int list_only;
+extern int am_root;
-+extern mode_t orig_umask;
extern unsigned int file_struct_len;
#define RSYNC_XAL_INITIAL 5
typedef struct {
char *name;
char *datum;
-@@ -132,9 +136,15 @@ static int rsync_xal_get(const char *fna
+@@ -132,9 +135,15 @@ static int rsync_xal_get(const char *fna
if (name_size == 0)
return 0;
for (left = name_size, name = namebuf; left > 0 ; left -= len, name += len) {
datum_size = sys_lgetxattr(fname, name, NULL, 0);
if (datum_size < 0) {
if (errno == ENOTSUP)
-@@ -287,10 +297,19 @@ void receive_xattr(struct file_struct *f
+@@ -287,10 +296,19 @@ void receive_xattr(struct file_struct *f
out_of_memory("receive_xattr");
read_buf(f, ptr, name_len);
read_buf(f, ptr + name_len, datum_len);
#ifdef HAVE_OSX_XATTRS
if (strncmp(rxa->name, UNIQUE_PREFIX, UPRE_LEN) == 0) {
rxa->name_len -= UPRE_LEN;
-@@ -372,4 +391,146 @@ int set_xattr(const char *fname, const s
+@@ -372,4 +390,146 @@ int set_xattr(const char *fname, const s
return rsync_xal_set(fname, lst + ndx); /* TODO: This needs to return 1 if no xattrs changed! */
}
+ int mode, rdev_major, rdev_minor, uid, gid, len;
+ char buf[256];
+
-+ if (am_root >= 0)
++ if (am_root >= 0 || IS_DEVICE(fst->st_mode) || IS_SPECIAL(fst->st_mode))
+ return -1;
+
+ if (xst)
+ || xst.st_uid != file->uid || xst.st_gid != file->gid) {
+ char buf[256];
+ int len = snprintf(buf, sizeof buf, "%o %u,%u %u:%u",
-+ to_wire_mode(file->mode),
++ to_wire_mode(file->mode) & (_S_IFMT|CHMOD_BITS),
+ (int)major(rdev), (int)minor(rdev),
+ (int)file->uid, (int)file->gid);
+ if (sys_lsetxattr(fname, FAKE_XATTR, buf, len, 0) < 0) {