the advantage of extra protection against possible implementation security
holes, but it has the disadvantages of requiring super-user privileges and
of not being able to follow symbolic links outside of the new root path
-when reading. For writing when "use chroot" is false, for security reasons
+when reading. When "use chroot" is false, for security reasons
symlinks may only be relative paths pointing to other files within the
root path, and leading slashes are removed from absolute paths. The
default for "use chroot" is true.
dit(bf(uid)) The "uid" option specifies the user name or user id that
file transfers to and from that module should take place as when the daemon
was run as root. In combination with the "gid" option this determines what
-file permissions are available. The default is the user "nobody".
+file permissions are available. The default is uid -2, which is normally
+the user "nobody".
dit(bf(gid)) The "gid" option specifies the group name or group id that
file transfers to and from that module should take place as when the daemon
-was run as root. This complements the "uid" option. The default is the
-group "nobody".
+was run as root. This complements the "uid" option. The default is gid -2,
+which is normally the group "nobody".
dit(bf(exclude)) The "exclude" option allows you to specify a space
-separated list of patterns to add to the exclude list. This is
-equivalent to the client specifying these patterns with the --exclude
-option except that the exclude list is not passed to the client and
-thus only apply on the server. Only one "exclude" option may be
-specified, but you can use "-" and "+" before patterns to specify
-exclude/include.
+separated list of patterns to add to the exclude list. This is equivalent
+to the client specifying these patterns with the --exclude option, except
+that the exclude list is not passed to the client and thus only applies on
+the server: that is, it excludes files received by a client when receiving
+from a server and files deleted on a server when sending to a server, but
+it doesn't exclude files sent from a client when sending to a server or
+files deleted on a client when receiving from a server.
+Only one "exclude" option may be specified, but
+you can use "-" and "+" before patterns to specify exclude/include.
Note that this option is not designed with strong security in
mind, it is quite possible that a client may find a way to bypass this
dit(bf(exclude from)) The "exclude from" option specifies a filename
on the server that contains exclude patterns, one per line. This is
equivalent to the client specifying the --exclude-from option with a
-equivalent file except that the resulting exclude patterns are not
-passed to the client and thus only apply on the server. See also the
-note about security for the exclude option above.
+equivalent file except that it applies only on the server. See also
+the "exclude" option above.
dit(bf(include)) The "include" option allows you to specify a space
separated list of patterns which rsync should not exclude. This is
equivalent to the client specifying these patterns with the --include
-option. This is useful as it allows you to build up quite complex
-exclude/include rules. Only one "include" option may be specified, but you
-can use "+" and "-" before patterns to switch include/exclude.
-
-See the section of exclude patterns in the rsync man page for information
-on the syntax of this option.
+option except that it applies only on the server. This is useful as it
+allows you to build up quite complex exclude/include rules. Only one
+"include" option may be specified, but you can use "+" and "-" before
+patterns to switch include/exclude. See also the "exclude" option above.
dit(bf(include from)) The "include from" option specifies a filename
on the server that contains include patterns, one per line. This is
equivalent to the client specifying the --include-from option with a
-equivalent file.
-
-dit(bf(auth users)) The "auth users" option specifies a comma
-and space separated list of usernames that will be allowed to connect
-to this module. The usernames do not need to exist on the local
-system. If "auth users" is set then the client will be challenged to
-supply a username and password to connect to the module. A challenge
-response authentication protocol is used for this exchange. The plain
-text usernames are passwords are stored in the file specified by the
+equivalent file except that it applies only on the server. See also
+the "exclude" option above.
+
+dit(bf(auth users)) The "auth users" option specifies a comma and
+space separated list of usernames that will be allowed to connect to
+this module. The usernames do not need to exist on the local
+system. The usernames may also contain shell wildcard characters. If
+"auth users" is set then the client will be challenged to supply a
+username and password to connect to the module. A challenge response
+authentication protocol is used for this exchange. The plain text
+usernames are passwords are stored in the file specified by the
"secrets file" option. The default is for all users to be able to
connect without a password (this is called "anonymous rsync").
you may find that passwords longer than 8 characters don't work.
There is no default for the "secrets file" option, you must choose a name
-(such as tt(/etc/rsyncd.secrets)).
+(such as tt(/etc/rsyncd.secrets)). The file must normally not be readable
+by "other"; see "strict modes".
dit(bf(strict modes)) The "strict modes" option determines whether or not
the permissions on the secrets file will be checked. If "strict modes" is
use chroot = no nl()
max connections = 4 nl()
syslog facility = local5 nl()
-pid file = /etc/rsyncd.pid
+pid file = /var/run/rsyncd.pid
verb([ftp]
path = /var/ftp/pub
Matt McCutchen's Web Site / rsync / rsync.git / blobdiff