Enhanced authentication and authorization in rsyncd

Hi,

I added a few things to allow the rsync daemon more refined
authorization and authentication than the current implementation.
The attached patch file is against the 3.0.6 version.

Additions:
1. allow the uid and gid used to access a certain module to be
determined by the authenticated user -
    uid = __auth__ will use the auth_user's uid
    gid = __auth__ will use the auth user's main group's gid

2. seteuid and not just setuid

3. added "rw users" to allow read/write access to a module, "ro users"
to allow read only access to a module and "deny users".
    "read only" on the module overrides the user's authorization.

4. added support for groups - with a '@' prefix. For instance: "auth
users = tridge, susan, @rsync_users"

Authorization logic:
1. If the ACL contains a user-specific rule that matches the user,
then the user is granted rights according to this rule (including
denying access if the permission is none).
2. If the ACL contains a group-rule that denies access of a group the
user belongs to (permission=none), then access is denied.
3. If the ACL contains a group-rule that grants read/write access to a
group the user belongs to, then the user gets read/write access
4. If the ACL contains a group-rule that grants read-only access to a
group the user belongs to, then the user gets read-only access
5. The user is authorized access (for backward compatibility with
older rsync versions)

Please consider commiting this patch for future releases of rsync.

Thanks,
Amir


--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

A slightly better patch file (removed some warnings).


On Wed, Aug 26, 2009 at 5:52 PM, Amir Rapson<amir.rapson@...> wrote:

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

On Sun, Aug 30, 2009 at 12:06:21PM +0300, Amir Rapson wrote:
> A slightly better patch file (removed some warnings).

Thanks!  Sorry for the slow reply, but your patch looks very useful.
I'm reviewing it for inclusion in 3.1.0.

..wayne..
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

So, I've tweaked your patch, and you'll find the results in the git
version of rsync and (currently) in a patch.  Here are some details:

> 1. allow the uid and gid used to access a certain module to be
> determined by the authenticated user -
>     uid = __auth__ will use the auth_user's uid
>     gid = __auth__ will use the auth user's main group's gid

I changed this to use a new environment-variable expanding idiom in
the config file.  So, the above would be written like this:

    uid = %RSYNC_USER_NAME%
    gid = *

The "*" setting was an already-implemented feature in the git repo which
expands into the uid user's groups.

> 2. seteuid and not just setuid

Applied.

> 3. added "rw users" to allow read/write access to a module, "ro users"
> to allow read only access to a module and "deny users".  "read only"
> on the module overrides the user's authorization.
>
> 4. added support for groups - with a '@' prefix. For instance: "auth
> users = tridge, susan, @rsync_users"

I changed this to keep a single "auth users" setting, but did not commit
it to git (at least, not yet).  I created a patch named group-auth.diff,
which you can find here:

    http://gitweb.samba.org/?p=rsync-patches.git;a=tree

These patches apply to the current git-repo version of rsync.

In the group-auth patch you'll find your @group idiom for specifying a
group name (as in your patch, if the username is a real user, that
real-user's groups are compared against the @group items).  I changed
your ro, rw, and deny settings to be specified via suffixes.  For
example:

    auth user = joe:deny admin:rw @rsync:ro susan

This makes the logic very easy to figure out, since we just match each
item in order and go with the first match.  That makes the deny suffix's
job to override an authorization that would succeed in a later match.
In my patch, the module's "read only" setting is the default, and the
ro/rw suffix of the first matching rule overrides that value.  I also
added the ability to put a @group password in the secrets file, so if
you define "@rsync:secret", that lets anyone in the rsync group login
with that password (a group-matching rule looks for either a user
password or a group password, while a user-matching rule only looks
for a user password).

Potential backward incompatibility:  usernames used to be able to start
with a @ and (surprisingly, given the syntax of the secrets file) even
contain a colon.

If anyone likes/dislikes this, please feel free to comment.

..wayne..
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

On Tue 20 Oct 2009, Wayne Davison wrote:

> .  I changed
> your ro, rw, and deny settings to be specified via suffixes.  For
> example:

>     auth user = joe:deny admin:rw @rsync:ro susan

Nice!

> Potential backward incompatibility:  usernames used to be able to start
> with a @ and (surprisingly, given the syntax of the secrets file) even
> contain a colon.

A colon would have given problems already in *nix systems, think about
chown user:group file...

> If anyone likes/dislikes this, please feel free to comment.

I like it :)


Paul
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html