Using rsync to create a limited ability to write remote files

rsync · 2024-09-08T19:16:39.000000Z

There is a mistake that some people make when pointing simple rsync jobs to us - they preserve ownership but send files owned by root.

This actually works… They successfully back up their files to their account with 0:0 ownership.

But, of course, they are not root on our end so they either lose the ability to write or change the files… Or they lose the ability to read them at all.

The easy solution is this neat rsync argument —fake-super … but I guess you could make this mistake on purpose with permissions that allowed read access to all … and successfully create write once, read, only backups…

saurik · 2024-09-09T00:39:40.000000Z

I am extremely confused by this, as this seems like at least a bug if not a security issue. If I am not running as root on your server, how am I getting files owned by root at all? A normal user can't just hand files to root, for a number of good reasons. As far as I remember, the behavior of rsync -a if the other side is not running as root is that it just doesn't save the ownership (as opposed to error; "work but the files are owned by root and can no longer be read" is not an option).

Maybe you have made some kind of special dispensation for this, as it would improve the situation for backup purposes, but then it would seem like you got it wrong in a way which I would find super confusing; and, like, are you saying any files owned by users other than root but with other elevated use are fine?

rsync · 2024-09-09T06:52:42.000000Z

Forgive me ... my lead engineer has rebuked me for mis-remembering this ...

It wasn't people preserving ownership and creating 0:0 files, it was people preserving permissions and sending us chmod 0000 files.

They were root on their end so their broken permissions worked but as soon as they hit their rsync.net filesystem, the 0000 permission meant they could no longer read it.

I think my original idea is still possible: you could do this on purpose (perhaps with 0400 permissions) and create write-once backups on any remote rsync host.

xk3 · 2024-09-09T15:50:49.000000Z

hmm this still seems like a bug to me. File ownership and file permissions are a filesystem construct. Whether you use chmod 777 or 755 doesn't change a file's md5sum, for example. It's up to your service to not apply file permissions that don't make sense. If backups are write-only with no mechanism for reading they may as well be to /dev/null

rsync · 2024-09-10T17:02:19.000000Z

No, not a bug.

We don't have an app or an interface - it's just, as you say, a filesystem and there aren't any real guardrails. If your source files are 0000 and you 'rsync -a' you will achieve just that.

As for the original thought experiment, a one way chute for information that you can retrieve out of band is kind of interesting ... so Mallory can't gain anything with your credentials because you intentionally mis-wrote your backups but, of course, you could still formally attest your identity and retrieve them from (whatever organization).

Again, just a thought experiment.

lxgr · 2024-09-09T00:28:53.000000Z

Now that you mention preserving ownership: Does rsync preserve setuid and setgid by default?

I could imagine that being unexpected at times (and if it is, it's yet another argument in favor of --fake-super!)

jraph · 2024-09-08T21:23:27.000000Z

> But, of course, they are not root on our end

Could this be made possible using something like user namespaces / containers with their own hostnames?

Vecr · 2024-09-09T20:55:17.000000Z

Linux sometimes has "trouble" (security bugs) distinguishing real root and container root, so I wouldn't suggest it.

jraph · 2024-09-10T07:06:25.000000Z

Can I read more about this? Wouldn't these security bugs quickly fixed?

Containers have been widespread for quite some time now (Docker was first released in 2013, more than a decade ago) and this would seem like a basic bug. I'm willing to believe the kernel was buggy back then, but I would expect it is more robust now.

Vecr · 2024-09-11T05:46:48.000000Z

https://duckduckgo.com/?t=ffab&q=Linux+user+namespace+vulner...

There's been several. And I wouldn't be surprised if more are still there, or more get introduced.

Denvercoder9 · 2024-09-08T20:08:04.000000Z

Instead of writing out "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty" in the authorized_keys file; you can use the "restrict" keyword to enable all current and future restrictions.

evilDagmar · 2024-09-07T22:05:10.000000Z

Absolutely. I have used the heck out of this on systems since I found out about rrsync.pl and read through the code to make sure it was using a solid approach.

With a quick keypair generation one can quickly deploy read-only (and probably write-only although I've never tried that) access to select parts of a filesystem and do selective near-line backups of important files into a "history" host of sorts, and even leverage rsync's ability to use hardlinks in place of files that have not changed since the last run so no space is needlessly wasted backing up 400 copies of the same thing.

It was wonderful that I didn't have to write such a wrapper myself.

faangguyindia · 2024-09-09T01:12:26.000000Z

I mostly use ssh for file transfer because rsync has too many flags.

Unless my script going live long enough i don't use rsync.

My habit has changed since I started using rsync completion:

https://asciinema.org/a/mktcuXSPDTr2Mp1XVbo5tqhK1

Thing is you just need to write what you want rsync to do in English and it will generate all the appropriate flags for rsync.

cyrnel · 2024-09-09T04:14:01.000000Z

I wish sftp had something similar. Seems easy to implement as an extra flag to sftp-server: https://man.openbsd.org/sftp-server

If done correctly, it could allow you to perform restic backups and restores without granting the ability to delete backups.

therein · 2024-09-08T18:14:45.000000Z

Didn't know this existed, useful to know for sure.

I am guessing one would want to disable the Sftp subsystem for SSH too.