mailto(rsync-bugs@samba.org)
-manpage(rsyncd.conf)(5)(10 Feb 2008)()()
+manpage(rsyncd.conf)(5)(3 Apr 2008)()()
manpagename(rsyncd.conf)(configuration file for rsync in daemon mode)
manpagesynopsis()
of not being able to follow symbolic links that are either absolute or outside
of the new root path, and of complicating the preservation of users and groups
by name (see below).
-When "use chroot" is false, rsync will: (1) munge symlinks by
+
+As an additional safety feature, you can specify a dot-dir in the module's
+"path" to indicate the point where the chroot should occur. This allows rsync
+to run in a chroot with a non-"/" path for the top of the transfer hierarchy.
+Doing this guards against unintended library loading (since those absolute
+paths will not be inside the transfer hierarchy unless you have used an unwise
+pathname), and lets you setup libraries for the chroot that are outside of the
+transfer. For example, specifying "/var/rsync/./module1" will chroot to the
+"/var/rsync" directory and set the inside-chroot path to "/module1". If you
+had omitted the dot-dir, the chroot would have used the whole path, and the
+inside-chroot path would have been "/".
+
+When "use chroot" is false or the inside-chroot path is not "/", rsync will:
+(1) munge symlinks by
default for security reasons (see "munge symlinks" for a way to turn this
off, but only if you trust your users), (2) substitute leading slashes in
absolute paths with the module's path (so that options such as
bf(--backup-dir), bf(--compare-dest), etc. interpret an absolute path as
rooted in the module's "path" dir), and (3) trim ".." path elements from
-args if rsync believes they would escape the chroot.
+args if rsync believes they would escape the module hierarchy.
The default for "use chroot" is true, and is the safer choice (especially
if the module is not read-only).
all incoming symlinks in a way that makes them unusable but recoverable
(see below). This should help protect your files from user trickery when
your daemon module is writable. The default is disabled when "use chroot"
-is on and enabled when "use chroot" is off.
+is on and the inside-chroot path is "/", otherwise it is enabled.
If you disable this option on a daemon that is not read-only, there
are tricks that a user can play with uploaded symlinks to access
the string "/rsyncd-munged/". This prevents the links from being used
as long as that directory does not exist. When this option is enabled,
rsync will refuse to run if that path is a directory or a symlink to
-a directory. When using the "munge symlinks" option in a chroot area,
-you should add this path to the exclude setting for the module so that
+a directory. When using the "munge symlinks" option in a chroot area
+that has an inside-chroot path of "/", you should add "/rsyncd-munged/"
+to the exclude setting for the module so that
a user can't try to create it.
Note: rsync makes no attempt to verify that any pre-existing symlinks in
of the source code named "munge-symlinks" that can be used to add or remove
this prefix from your symlinks.
-When this option is disabled on a writable module and "use chroot" is off,
+When this option is disabled on a writable module and "use chroot" is off
+(or the inside-chroot path is not "/"),
incoming symlinks will be modified to drop a leading slash and to remove ".."
path elements that rsync believes will allow a symlink to escape the module's
hierarchy. There are tricky ways to work around this, though, so you had
been specified. This allows the full attributes of a file to be stored
without having to have the daemon actually running as root.
-dit(bf(filter)) The "filter" option allows you to specify a space-separated
-list of filter rules that the daemon will not allow to be read or written.
-This is only superficially equivalent to the client specifying these
-patterns with the bf(--filter) option. Only one "filter" option may be
-specified, but it may contain as many rules as you like, including
-merge-file rules. Note that per-directory merge-file rules do not provide
-as much protection as global rules, but they can be used to make bf(--delete)
-work better when a client downloads the daemon's files (if the per-dir
-merge files are included in the transfer).
-
-dit(bf(exclude)) The "exclude" option allows you to specify a
-space-separated list of patterns that the daemon will not allow to be read
-or written. This is only superficially equivalent to the client
-specifying these patterns with the bf(--exclude) option. Only one "exclude"
-option may be specified, but you can use "-" and "+" before patterns to
-specify exclude/include.
-
-Because this exclude list is not passed to the client it only applies on
-the daemon: that is, it excludes files received by a client when receiving
-from a daemon and files deleted on a daemon when sending to a daemon, but
-it doesn't exclude files from being deleted on a client when receiving
-from a daemon.
-
-When you want to exclude a directory and all its contents, it is safest to
-use a rule that does both, such as "/some/dir/***" (the three stars tells
-rsync to exclude the directory itself and everything inside it). This is
-better than just excluding the directory alone with "/some/dir/", as it
-helps to guard against attempts to trick rsync into accessing files deeper
-in the hierarchy.
-
-dit(bf(exclude from)) The "exclude from" option specifies a filename
-on the daemon that contains exclude patterns, one per line.
-This is only superficially equivalent
-to the client specifying the bf(--exclude-from) option with an equivalent file.
-See the "exclude" option above.
-
-dit(bf(include)) The "include" option allows you to specify a
-space-separated list of patterns which rsync should not exclude. This is
-only superficially equivalent to the client specifying these patterns with
-the bf(--include) option because it applies only on the daemon. This is
-useful as it allows you to build up quite complex exclude/include rules.
-Only one "include" option may be specified, but you can use "+" and "-"
-before patterns to switch include/exclude. See the "exclude" option
-above.
-
-dit(bf(include from)) The "include from" option specifies a filename
-on the daemon that contains include patterns, one per line. This is
-only superficially equivalent to the client specifying the
-bf(--include-from) option with a equivalent file.
-See the "exclude" option above.
+dit(bf(filter)) The daemon has its own filter chain that determines what files
+it will let the client access. This chain is not sent to the client and is
+independent of any filters the client may have specified. Files excluded by
+the daemon filter chain (bf(daemon-excluded) files) are treated as non-existent
+if the client tries to pull them, are skipped with an error message if the
+client tries to push them (triggering exit code 23), and are never deleted from
+the module. You can use daemon filters to prevent clients from downloading or
+tampering with private administrative files, such as files you may add to
+support uid/gid name translations.
+
+The daemon filter chain is built from the "filter", "include from", "include",
+"exclude from", and "exclude" parameters, in that order of priority. Anchored
+patterns are anchored at the root of the module. To prevent access to an
+entire subtree, for example, "/secret", you em(must) exclude everything in the
+subtree; the easiest way to do this is with a triple-star pattern like
+"/secret/***".
+
+The "filter" parameter takes a space-separated list of daemon filter rules,
+though it is smart enough to know not to split a token at an internal space in
+a rule (e.g. "- /foo - /bar" is parsed as two rules). You may specify one or
+more merge-file rules using the normal syntax. Only one "filter" parameter can
+apply to a given module in the config file, so put all the rules you want in a
+single parameter. Note that per-directory merge-file rules do not provide as
+much protection as global rules, but they can be used to make bf(--delete) work
+better during a client download operation if the per-dir merge files are
+included in the transfer and the client requests that they be used.
+
+dit(bf(exclude)) The "exclude" parameter takes a space-separated list of daemon
+exclude patterns. As with the client bf(--exclude) option, patterns can be
+qualified with "- " or "+ " to explicitly indicate exclude/include. Only one
+"exclude" parameter can apply to a given module. See the "filter" parameter
+for a description of how excluded files affect the daemon.
+
+dit(bf(include)) Use an "include" to override the effects of the "exclude"
+parameter. Only one "include" parameter can apply to a given module. See the
+"filter" parameter for a description of how excluded files affect the daemon.
+
+dit(bf(exclude from)) The "exclude from" parameter specifies the name of a file
+on the daemon that contains daemon exclude patterns, one per line. Only one
+"exclude from" parameter can apply to a given module; if you have multiple
+exclude-from files, you can specify them as a merge file in the "filter"
+parameter. See the "filter" parameter for a description of how excluded files
+affect the daemon.
+
+dit(bf(include from)) Analogue of "exclude from" for a file of daemon include
+patterns. Only one "include from" parameter can apply to a given module. See
+the "filter" parameter for a description of how excluded files affect the
+daemon.
dit(bf(incoming chmod)) This option allows you to specify a set of
comma-separated chmod strings that will affect the permissions of all
)
You can also combine "hosts allow" with a separate "hosts deny"
-option. If both options are specified then the "hosts allow" option s
+option. If both options are specified then the "hosts allow" option is
checked first and a match results in the client being able to
connect. The "hosts deny" option is then checked and a match means
that the host is rejected. If the host does not match either the
verb(
uid = nobody
gid = nobody
-use chroot = no
+use chroot = yes
max connections = 4
syslog facility = local5
pid file = /var/run/rsyncd.pid
[ftp]
- path = /var/ftp/pub
+ path = /var/ftp/./pub
comment = whole ftp area (approx 6.1 GB)
[sambaftp]
- path = /var/ftp/pub/samba
+ path = /var/ftp/./pub/samba
comment = Samba ftp area (approx 300 MB)
[rsyncftp]
- path = /var/ftp/pub/rsync
+ path = /var/ftp/./pub/rsync
comment = rsync ftp area (approx 6 MB)
[sambawww]
manpagesection(VERSION)
-This man page is current for version 3.0.0pre9 of rsync.
+This man page is current for version 3.0.1 of rsync.
manpagesection(CREDITS)
Matt McCutchen's Web Site / rsync / rsync.git / blobdiff