1 mailto(rsync-bugs@samba.org)
2 manpage(rsyncd.conf)(5)(12 Feb 1999)()()
3 manpagename(rsyncd.conf)(configuration file for rsync server)
10 The rsyncd.conf file is the runtime configuration file for rsync when
11 run with the --daemon option. When run in this way rsync becomes a
12 rsync server listening on TCP port 873. Connections from rsync clients
13 are accepted for either anonymous or authenticated rsync sessions.
15 The rsyncd.conf file controls authentication, access, logging and
18 manpagesection(FILE FORMAT)
20 The file consists of modules and parameters. A module begins with the
21 name of the module in square brackets and continues until the next
22 module begins. Modules contain parameters of the form 'name = value'.
24 The file is line-based - that is, each newline-terminated line represents
25 either a comment, a module name or a parameter.
27 Only the first equals sign in a parameter is significant. Whitespace before
28 or after the first equals sign is discarded. Leading, trailing and internal
29 whitespace in module and parameter names is irrelevant. Leading and
30 trailing whitespace in a parameter value is discarded. Internal whitespace
31 within a parameter value is retained verbatim.
33 Any line beginning with a hash (#) is ignored, as are lines containing
36 Any line ending in a \ is "continued" on the next line in the
37 customary UNIX fashion.
39 The values following the equals sign in parameters are all either a string
40 (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or
41 true/false. Case is not significant in boolean values, but is preserved
44 manpagesection(LAUNCHING THE RSYNC DAEMON)
46 The rsync daemon is launched by specifying the --daemon option to
47 rsync. The daemon must run with root privileges.
49 You can launch it either via inetd or as a stand-alone daemon. If run
50 as a daemon then just run the command "rsync --daemon" from a suitable
53 When run via inetd you should add a line like this to /etc/services:
57 and a single line something like this to /etc/inetd.conf:
59 quote(rsync stream tcp nowait root /usr/bin/rsync rsyncd --daemon)
61 You will then need to send inetd a HUP signal to tell it to reread its
64 Note that you should not send the rsync server a HUP signal to force
65 it to reread the tt(/etc/rsyncd.conf). The file is re-read on each client
68 manpagesection(GLOBAL OPTIONS)
70 The first parameters in the file (before a [module] header) are the
73 You may also include any module parameters in the global part of the
74 config file in which case the supplied value will override the
75 default for that parameter.
78 dit(bf(motd file)) The "motd file" option allows you to specify a
79 "message of the day" to display to clients on each connect. This
80 usually contains site information and any legal notices. The default
83 dit(bf(log file)) The "log file" option tells the rsync daemon to log
84 messages to that file rather than using syslog. This is particularly
85 useful on systems (such as AIX) where syslog() doesn't work for
88 dit(bf(pid file)) The "pid file" option tells the rsync daemon to write
89 its process id to that file.
91 dit(bf(syslog facility)) The "syslog facility" option allows you to
92 specify the syslog facility name to use when logging messages from the
93 rsync server. You may use any standard syslog facility name which is
94 defined on your system. Common names are auth, authpriv, cron, daemon,
95 ftp, kern, lpr, mail, news, security, syslog, user, uucp, local0,
96 local1, local2, local3, local4, local5, local6 and local7. The default
99 dit(bf(socket options)) This option can provide endless fun for people
100 who like to tune their systems to the utmost degree. You can set all
101 sorts of socket options which may make transfers faster (or
102 slower!). Read the man page for the setsockopt() system call for
103 details on some of the options you may be able to set. By default no
104 special socket options are set.
109 manpagesection(MODULE OPTIONS)
111 After the global options you should define a number of modules, each
112 module exports a directory tree as a symbolic name. Modules are
113 exported by specifying a module name in square brackets [module]
114 followed by the options for that module.
118 dit(bf(comment)) The "comment" option specifies a description string
119 that is displayed next to the module name when clients obtain a list
120 of available modules. The default is no comment.
122 dit(bf(path)) The "path" option specifies the directory in the servers
123 filesystem to make available in this module. You must specify this option
124 for each module in tt(/etc/rsyncd.conf).
126 dit(bf(use chroot)) If "use chroot" is true, the rsync server will chroot
127 to the "path" before starting the file transfer with the client. This has
128 the advantage of extra protection against possible implementation security
129 holes, but it has the disadvantages of requiring super-user privileges and
130 of not being able to follow symbolic links outside of the new root path.
131 The default is to use chroot.
133 dit(bf(max connections)) The "max connections" option allows you to
134 specify the maximum number of simultaneous connections you will allow
135 to this module of your rsync server. Any clients connecting when the
136 maximum has been reached will receive a message telling them to try
137 later. The default is 0 which means no limit.
139 dit(bf(lock file)) The "lock file" option specifies the file to use to
140 support the "max connections" option. The rsync server uses record
141 locking on this file to ensure that the max connections limit is not
142 exceeded. The default is tt(/var/run/rsyncd.lock).
144 dit(bf(read only)) The "read only" option determines whether clients
145 will be able to upload files or not. If "read only" is true then any
146 attempted uploads will fail. If "read only" is false then uploads will
147 be possible if file permissions on the server allow them. The default
148 is for all modules to be read only.
150 dit(bf(list)) The "list" option determines if this module should be
151 listed when the client asks for a listing of available modules. By
152 setting this to false you can create hidden modules. The default is
153 for modules to be listable.
155 dit(bf(uid)) The "uid" option specifies the user name or user id that
156 file transfers to and from that module should take place as when the daemon
157 was run as root. In combination with the "gid" option this determines what
158 file permissions are available. The default is the user "nobody".
160 dit(bf(gid)) The "gid" option specifies the group name or group id that
161 file transfers to and from that module should take place as when the daemon
162 was run as root. This complements the "uid" option. The default is the
165 dit(bf(exclude)) The "exclude" option allows you to specify a space
166 separated list of patterns to add to the exclude list. This is equivalent
167 to the client specifying these patterns with the --exclude option. Only
168 one "exclude" option may be specified, but you can use "-" and "+" before
169 patterns to specify exclude/include.
171 Note that this option is not designed with strong security in
172 mind, it is quite possible that a client may find a way to bypass this
173 exclude list. If you want to absolutely ensure that certain files
174 cannot be accessed then use the uid/gid options in combination with
177 dit(bf(exclude from)) The "exclude from" option specifies a filename
178 on the server that contains exclude patterns, one per line. This is
179 equivalent to the client specifying the --exclude-from option with a
180 equivalent file. See also the note about security for the exclude
183 dit(bf(include)) The "include" option allows you to specify a space
184 separated list of patterns which rsync should not exclude. This is
185 equivalent to the client specifying these patterns with the --include
186 option. This is useful as it allows you to build up quite complex
187 exclude/include rules. Only one "include" option may be specified, but you
188 can use "+" and "-" before patterns to switch include/exclude.
190 See the section of exclude patterns in the rsync man page for information
191 on the syntax of this option.
193 dit(bf(include from)) The "include from" option specifies a filename
194 on the server that contains include patterns, one per line. This is
195 equivalent to the client specifying the --include-from option with a
198 dit(bf(auth users)) The "auth users" option specifies a comma
199 and space separated list of usernames that will be allowed to connect
200 to this module. The usernames do not need to exist on the local
201 system. If "auth users" is set then the client will be challenged to
202 supply a username and password to connect to the module. A challenge
203 response authentication protocol is used for this exchange. The plain
204 text usernames are passwords are stored in the file specified by the
205 "secrets file" option. The default is for all users to be able to
206 connect without a password (this is called "anonymous rsync").
208 dit(bf(secrets file)) The "secrets file" option specifies the name of
209 a file that contains the username:password pairs used for
210 authenticating this module. This file is only consulted if the "auth
211 users" option is specified. The file is line based and contains
212 username:password pairs separated by a single colon. Any line starting
213 with a hash (#) is considered a comment and is skipped. The passwords
214 can contain any characters but be warned that many operating systems
215 limit the length of passwords that can be typed at the client end, so
216 you may find that passwords longer than 8 characters don't work.
218 There is no default for the "secrets file" option, you must choose a name
219 (such as tt(/etc/rsyncd.secrets)).
221 dit(bf(strict modes)) The "strict modes" option determines whether or not
222 the permissions on the secrets file will be checked. If "strict modes" is
223 true, then the secrets file must not be readable by any user id other
224 than the one that the rsync daemon is running under. If "strict modes" is
225 false, the check is not performed. The default is true. This option
226 was added to accommodate rsync running on the Windows operating system.
228 dit(bf(hosts allow)) The "hosts allow" option allows you to specify a
229 list of patterns that are matched against a connecting clients
230 hostname and IP address. If none of the patterns match then the
231 connection is rejected.
233 Each pattern can be in one of five forms:
236 it() a dotted decimal IP address. In this case the incoming machines
237 IP address must match exactly.
239 it() a address/mask in the form a.b.c.d/n were n is the number of
240 one bits in in the netmask. All IP addresses which match the masked
241 IP address will be allowed in.
243 it() a address/mask in the form a.b.c.d/e.f.g.h where e.f.g.h is a
244 netmask in dotted decimal notation. All IP addresses which match the masked
245 IP address will be allowed in.
247 it() a hostname. The hostname as determined by a reverse lookup will
248 be matched (case insensitive) against the pattern. Only an exact
251 it() a hostname pattern using wildcards. These are matched using the
252 same rules as normal unix filename matching. If the pattern matches
253 then the client is allowed in.
256 You can also combine "hosts allow" with a separate "hosts deny"
257 option. If both options are specified then the "hosts allow" option s
258 checked first and a match results in the client being able to
259 connect. The "hosts deny" option is then checked and a match means
260 that the host is rejected. If the host does not match either the
261 "hosts allow" or the "hosts deny" patterns then it is allowed to
264 The default is no "hosts allow" option, which means all hosts can connect.
266 dit(bf(hosts deny)) The "hosts deny" option allows you to specify a
267 list of patterns that are matched against a connecting clients
268 hostname and IP address. If the pattern matches then the connection is
269 rejected. See the "hosts allow" option for more information.
271 The default is no "hosts deny" option, which means all hosts can connect.
273 dit(bf(transfer logging)) The "transfer logging" option enables per-file
274 logging of downloads and uploads in a format somewhat similar to that
275 used by ftp daemons. If you want to customize the log formats look at
276 the log format option.
278 dit(bf(log format)) The "log format" option allows you to specify the
279 format used for logging file transfers when transfer logging is
280 enabled. The format is a text string containing embedded single
281 character escape sequences prefixed with a percent (%) character.
283 The prefixes that are understood are:
286 it() %h for the remote host name
287 it() %a for the remote IP address
288 it() %l for the length of the file in bytes
289 it() %p for the process id of this rsync session
290 it() %o for the operation, which is either "send" or "recv"
291 it() %f for the filename
292 it() %P for the module path
293 it() %m for the module name
294 it() %t for the current date time
295 it() %u for the authenticated username (or the null string)
296 it() %b for the number of bytes actually transferred
297 it() %c when sending files this gives the number of checksum bytes
298 received for this file
301 The default log format is "%o %h [%a] %m (%u) %f %l", and a "%t [%p] "
302 is always added to the beginning when using the "log file" option.
304 A perl script called rsyncstats to summarize this format is included
305 in the rsync source code distribution.
307 dit(bf(timeout)) The "timeout" option allows you to override the
308 clients choice for IO timeout for this module. Using this option you
309 can ensure that rsync won't wait on a dead client forever. The timeout
310 is specified in seconds. A value of zero means no timeout and is the
311 default. A good choice for anonymous rsync servers may be 600 (giving
312 a 10 minute timeout).
314 dit(bf(refuse options)) The "refuse options" option allows you to
315 specify a space separated list of rsync command line options that will
316 be refused by your rsync server. The full names of the options must be
317 used (i.e., you must use "checksum" not "c" to disable checksumming).
318 When an option is refused, the server prints an error message and exits.
319 To prevent all compression, you can use "dont compress = *" (see below)
320 instead of "refuse options = compress" to avoid returning an error to a
321 client that requests compression.
323 dit(bf(dont compress)) The "dont compress" option allows you to select
324 filenames based on wildcard patterns that should not be compressed
325 during transfer. Compression is expensive in terms of CPU usage so it
326 is usually good to not try to compress files that won't compress well,
327 such as already compressed files.
329 The "dont compress" option takes a space separated list of
330 case-insensitive wildcard patterns. Any source filename matching one
331 of the patterns will not be compressed during transfer.
333 The default setting is verb(*.gz *.tgz *.zip *.z *.rpm *.deb)
337 manpagesection(AUTHENTICATION STRENGTH)
339 The authentication protocol used in rsync is a 128 bit MD4 based
340 challenge response system. Although I believe that no one has ever
341 demonstrated a brute-force break of this sort of system you should
342 realize that this is not a "military strength" authentication system.
343 It should be good enough for most purposes but if you want really top
344 quality security then I recommend that you run rsync over ssh.
346 Also note that the rsync server protocol does not currently provide any
347 encryption of the data that is transferred over the link. Only
348 authentication is provided. Use ssh as the transport if you want
351 Future versions of rsync may support SSL for better authentication and
352 encryption, but that is still being investigated.
354 manpagesection(EXAMPLES)
356 A simple rsyncd.conf file that allow anonymous rsync to a ftp area at
357 tt(/home/ftp) would be:
362 comment = ftp export area
366 A more sophisticated example would be:
371 max connections = 4 nl()
372 syslog facility = local5 nl()
373 pid file = /etc/rsyncd.pid
377 comment = whole ftp area (approx 6.1 GB)
380 path = /var/ftp/pub/samba
381 comment = Samba ftp area (approx 300 MB)
384 path = /var/ftp/pub/rsync
385 comment = rsync ftp area (approx 6 MB)
388 path = /public_html/samba
389 comment = Samba WWW pages (approx 240 MB)
393 comment = CVS repository (requires authentication)
394 auth users = tridge, susan
395 secrets file = /etc/rsyncd.secrets
398 The /etc/rsyncd.secrets file would look something like this:
415 The rsync server does not send all types of error messages to the
416 client. this means a client may be mystified as to why a transfer
417 failed. The error will have been logged by syslog on the server.
419 Please report bugs! The rsync bug tracking system is online at
420 url(http://rsync.samba.org/)(http://rsync.samba.org/)
422 manpagesection(VERSION)
423 This man page is current for version 2.0 of rsync
425 manpagesection(CREDITS)
427 rsync is distributed under the GNU public license. See the file
430 The primary ftp site for rsync is
431 url(ftp://rsync.samba.org/pub/rsync)(ftp://rsync.samba.org/pub/rsync).
433 A WEB site is available at
434 url(http://rsync.samba.org/)(http://rsync.samba.org/)
436 We would be delighted to hear from you if you like this program.
438 This program uses the zlib compression library written by Jean-loup
439 Gailly and Mark Adler.
441 manpagesection(THANKS)
443 Thanks to Warren Stanley for his original idea and patch for the rsync
444 server. Thanks to Karsten Thygesen for his many suggestions and
449 rsync was written by Andrew Tridgell and Paul Mackerras. They may be
450 contacted via email at tridge@samba.org and
451 Paul.Mackerras@cs.anu.edu.au