On Thu, 07.07.2005 at 19:13, Michael Yep wrote:

> I want to set up a rsync user on my server, but I would like to make it
> as limited as possible.
> I read some info about how to allow a user to only use sftp, but I am
> unsure if this would be the same for rsync
>
> for sftp
>
> Add user as usual and assign him a password. Then run the following
> command (replace the 'username' with real user name):
> root@host # usermod -s /usr/lib/sftp-server username
> This changes user's shell to sftp-server.

That can be one step. Please see "-s <shell>" of the useradd command.

> The last step for this to work is to add '/usr/lib/sftp-server' to
> /etc/shells to make it a valid shell, e.g. like this:
> root@host # echo '/usr/lib/sftp-server' >> /etc/shells
> There. Now you've set up a user who can only access your server with SFTP.
>
> Now how would I do this for rsync / ssh ?

Set up an rsyncd and in /etc/rsyncd.conf set "read only = yes" for the
directory the remote user is allowed to rsync.

Using rsync through ssh access, configure the sshd to allow only pubkey
auth (which is generally a good idea) and edit the ~/.ssh/authorized_keys
public key part of the user to be like

command="rsync -avz /userdir" ssh-dss AAAAB......

You would need to "chattr +i" the authorized_keys file then to prevent
the untrusted user from changing the file.

> Also is there any way possible to make the files that are uploaded not
> removable / writable by this user?

I don't understand what you mean by "files [...] uploaded". I thought you
are speaking about single direction rsync only: client <-- server.

To achieve read-only access you need a different solution. You may use
the following Perl script

http://www.inwap.com/mybin/miscunix/?rrsync

and set the authorized_keys file to look like

command="rrsync -ro /userdir" ssh-dss AAAAB.....

> I know they must be available for read access for rsync to do its diffs
> / checksums.
> Michael Yep

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 20:13:18 up 12 days, 3:05, load average: 0.14, 0.17, 0.11
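Added example (not part of the original message and not the rrsync script it links to): a simplified shell sketch of the kind of check a forced-command wrapper can apply to the command the client requested, accepting only an rsync pull below one directory. The function name, the sample paths and the choice to refuse every long option are assumptions of this sketch, and it does not resolve symlinks.

```shell
#!/bin/sh
# is_readonly_rsync REQUESTED_COMMAND ALLOWED_DIR   (hypothetical helper)
# Returns 0 only for a read-only rsync pull confined to ALLOWED_DIR.
is_readonly_rsync() {
    cmd=$1
    allowed=${2%/}

    # Whitelist characters; anything else (quotes, ;, |, $, newline) is refused.
    case $cmd in
        *[!A-Za-z0-9\ ./_=,-]*) return 1 ;;
    esac

    set -f              # no globbing while splitting on whitespace
    set -- $cmd
    set +f

    # A pull reaches the server as: rsync --server --sender <opts> . <path>
    # Without --sender the server would be receiving, i.e. writing files.
    [ "$#" -ge 5 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3

    path=
    seen_dot=0
    for arg in "$@"; do
        if [ "$seen_dot" -eq 0 ]; then
            case $arg in
                .)   seen_dot=1 ;;
                --*) return 1 ;;   # long options, e.g. --remove-source-files
                -*)  ;;            # short option bundle such as -vlogDtpr
                *)   return 1 ;;
            esac
        else
            [ -z "$path" ] || return 1   # exactly one path in this sketch
            path=$arg
        fi
    done
    [ -n "$path" ] || return 1

    # No parent-directory components, and the path must sit under ALLOWED_DIR.
    case /$path/ in */../*) return 1 ;; esac
    path=${path%/}
    case $path in
        "$allowed"|"$allowed"/*) return 0 ;;
    esac
    return 1
}
```

A script named in `command="..."` would call this with `"$SSH_ORIGINAL_COMMAND"`, the variable sshd sets to the client's requested command, and exit non-zero when the function returns 1.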