From 3ca8e68f58e7ffeac5b8b969ef26bffc2069f113 Mon Sep 17 00:00:00 2001
From: David Dykstra
Date: Tue, 9 Feb 1999 19:27:15 +0000
Subject: [PATCH] Added "strict modes" option. When set false (default is true), it allows the secrets file to be readable by other users. Added to support the Windows port under cygwin. Problem reported by Martin Krumpolec krumpo@pobox.sk
---
 authenticate.c | 14 ++++++++------
 loadparm.c | 4 ++++
 rsyncd.conf.yo | 15 ++++++++++-----
 3 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/authenticate.c b/authenticate.c
index 885e40b6..50c10aae 100644
--- a/authenticate.c
+++ b/authenticate.c
@@ -87,12 +87,14 @@ static int get_secret(int module, char *user, char *secret, int len)
 if (do_stat(fname, &st) == -1) {
 rprintf(FERROR,"stat(%s) : %s\n", fname, strerror(errno));
 ok = 0;
- } else if ((st.st_mode & 06) != 0) {
- rprintf(FERROR,"secrets file must not be other-accessible\n");
- ok = 0;
- } else if (am_root && (st.st_uid != 0)) {
- rprintf(FERROR,"secrets file must be owned by root when running as root\n");
- ok = 0;
+ } else if (lp_strict_modes(module)) {
+ if ((st.st_mode & 06) != 0) {
+ rprintf(FERROR,"secrets file must not be other-accessible (see strict modes option)\n");
+ ok = 0;
+ } else if (am_root && (st.st_uid != 0)) {
+ rprintf(FERROR,"secrets file must be owned by root when running as root (see strict modes)\n");
+ ok = 0;
+ }
 }
 if (!ok) {
 rprintf(FERROR,"continuing without secrets file\n");
diff --git a/loadparm.c b/loadparm.c
index b87d24a6..074e6cbf 100644
--- a/loadparm.c
+++ b/loadparm.c
@@ -123,6 +123,7 @@ typedef struct
 char *hosts_deny;
 char *auth_users;
 char *secrets_file;
+ BOOL strict_modes;
 char *exclude;
 char *exclude_from;
 char *include;
@@ -152,6 +153,7 @@ static service sDefault =
 NULL, /* hosts deny */
 NULL, /* auth users */
 NULL, /* secrets file */
+ True, /* strict modes */
 NULL, /* exclude */
 NULL, /* exclude from */
 NULL, /* include */
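Review bot: In get_secret (authenticate.c), setting `strict modes = false` now skips the root-ownership test as well as the permission test, because both sit under the single `lp_strict_modes(module)` branch, while the rsyncd.conf text added in this commit describes only the permission check. If the Windows port only needs the mode bits ignored, the gate could be limited to that test, `} else if (lp_strict_modes(module) && (st.st_mode & 06) != 0) {`, leaving `} else if (am_root && (st.st_uid != 0)) {` unconditional; otherwise the manual entry should say that ownership is no longer verified either. The mask `06` tests only the "other" read/write bits, so a group-readable secrets file still passes with strict modes on, which is weaker than the manual's "must not be readable by any user id other than the one that the rsync daemon is running under". A log line when the checks are skipped would help an administrator notice a module running with the relaxed setting. The body of get_secret starts and ends outside this hunk.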
@@ -264,6 +266,7 @@ static struct parm_struct parm_table[] =
 {"hosts deny", P_STRING, P_LOCAL, &sDefault.hosts_deny, NULL, 0},
 {"auth users", P_STRING, P_LOCAL, &sDefault.auth_users, NULL, 0},
 {"secrets file", P_STRING, P_LOCAL, &sDefault.secrets_file,NULL, 0},
+ {"strict modes", P_BOOL, P_LOCAL, &sDefault.strict_modes,NULL, 0},
 {"exclude", P_STRING, P_LOCAL, &sDefault.exclude, NULL, 0},
 {"exclude from", P_STRING, P_LOCAL, &sDefault.exclude_from,NULL, 0},
 {"include", P_STRING, P_LOCAL, &sDefault.include, NULL, 0},
@@ -339,6 +342,7 @@ FN_LOCAL_STRING(lp_hosts_allow, hosts_allow)
 FN_LOCAL_STRING(lp_hosts_deny, hosts_deny)
 FN_LOCAL_STRING(lp_auth_users, auth_users)
 FN_LOCAL_STRING(lp_secrets_file, secrets_file)
+FN_LOCAL_BOOL(lp_strict_modes, strict_modes)
 FN_LOCAL_STRING(lp_exclude, exclude)
 FN_LOCAL_STRING(lp_exclude_from, exclude_from)
 FN_LOCAL_STRING(lp_include, include)
diff --git a/rsyncd.conf.yo b/rsyncd.conf.yo
index 6024fe6c..5634d9e7 100644
--- a/rsyncd.conf.yo
+++ b/rsyncd.conf.yo
@@ -1,5 +1,5 @@
 mailto(rsync-bugs@samba.org)
-manpage(rsyncd.conf)(5)(21 Jan 1999)()()
+manpage(rsyncd.conf)(5)(9 Feb 1999)()()
 manpagename(rsyncd.conf)(configuration file for rsync server)
 manpagesynopsis() 
@@ -211,10 +211,15 @@ can contain any characters but be warned that many operating systems limit the length of passwords that can be typed at the client end, so you may find that passwords longer than 8 characters don't work. -bf(You should make sure that the secrets file is not readable by anyone -other than the system administrator.) There is no default for the -"secrets file" option, you must choose a name (such as -tt(/etc/rsyncd.secrets)). +There is no default for the "secrets file" option, you must choose a name +(such as tt(/etc/rsyncd.secrets)). + +dit(bf(strict modes)) The "strict modes" option determines whether or not +the permissions on the secrets file will be checked. If "strict modes" is +true, then the secrets file must not be readable by any user id other +than the one that the rsync daemon is running under. If "strict modes" is +false, the check is not performed. The default is true. This option +was added to accommodate rsync running on the Windows operating system. dit(bf(hosts allow)) The "hosts allow" option allows you to specify a list of patterns that are matched against a connecting clients -- 2.34.1