rsync as root (Was: [CentOS-mirror] New Mirror)
mirror-maintainer at mirror.averse.net
Wed Jul 30 01:46:44 UTC 2008
On Tue, 29 Jul 2008, Olivier Thauvin wrote:
>>> Your rsync user - don't run rsync as root! And don't run it as your
>>> web/ftp service account either.
>>
>> I can understand not running rsync in daemon mode as root but what is
>> the problem with running the rsync client as root?
>
> There are many reasons:
[snip]
Thanks Olivier. Although this question wasn't asked, I'd add a reason not
to run as the web/ftp service account, which is to ensure that the web/ftp
service is unable to access the content if it isn't world readable; e.g.
when content is made available to mirrors before public announcements, and
a permission bitflip is used to make the content available on the release
date.
Ironically, I do run rsync --daemon as root for a few reasons:
- use chroot=true
- listen on port 873
- specify per-module uid, gid
Admittedly, I could manually chroot the daemon to the entire mirror
tree before running it as a regular user, and I could do some port
forwarding or iptables stuff and run rsyncd on a high port, and use a
common nobody-like account for all modules...
What do you guys do?
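
Added example, not part of the original message: a small Python check over an rsyncd.conf for the points raised in this thread (chroot enabled, per-module uid/gid set, and no module running as root or as the web/ftp service account). The sample config, its module names, paths and account names are constructed assumptions.

```python
import configparser

# Constructed sample rsyncd.conf for a daemon started as root (not from the post).
SAMPLE_CONF = """\
port = 873
use chroot = true

[centos]
path = /srv/mirror/centos
uid = mirror-centos
gid = mirror-centos
[staging]
path = /srv/mirror/staging
uid = apache
gid = apache
use chroot = false
[misc]
path = /srv/mirror/misc
"""

# Assumed names of the web/ftp service accounts on this host.
SERVICE_ACCOUNTS = {"apache", "www-data", "ftp"}

def audit(conf_text, service_accounts=SERVICE_ACCOUNTS):
    """Return {module: [findings]} for an rsyncd.conf given as text."""
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    # Global parameters precede the first [module]; add a header for configparser.
    cp.read_string("[__global__]\n" + conf_text)
    glob = cp["__global__"]
    report = {}
    for name in cp.sections():
        if name == "__global__":
            continue
        mod = cp[name]
        get = lambda key: mod.get(key, glob.get(key))  # module overrides global
        findings = []
        if (get("use chroot") or "").lower() not in {"yes", "true", "1"}:
            findings.append("chroot not explicitly enabled")
        for key in ("uid", "gid"):
            value = get(key)
            if value is None:
                findings.append(f"{key} not set")
            elif value in ("root", "0"):
                findings.append(f"{key} is root")
            elif value in service_accounts:
                findings.append(f"{key} is a web/ftp service account")
        report[name] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns an empty list for a module with nothing to report and one string per finding otherwise.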