On the server side, rsync is executed with the
--server command line option. In addition, when copying
files from the server, the --sender option is used. This
makes it possible to distinguish incoming requests from outgoing ones.
In our setup, rsync is used the same way as scp, so
the two rules will be:
rule rsync-incoming
  match $command ~ "^rsync --server" && \
        $command !~ "--sender" && \
        ${-1} ~ "/incoming/" && ${-1} !~ "\\.\\./"
  set [0] =~ "s|^|/usr/bin/|"
  set [-1] =~ "s|^|/home/ftp/|"

rule rsync-home
  match $command ~ "^rsync" && \
        ${-1} !~ "^[^/]" && \
        ${-1} !~ "\\.\\./"
  set [0] =~ "s|^|/usr/bin/|"
  set [-1] =~ "s|^|public_html/|"
  chdir "~"
The trap rules for rsync are trivial:
rule rsync-to-trap
  match $command ~ "^rsync.*--sender"
  exit "Error: Downloads from this directory prohibited"

rule rsync-from-trap
  match $command ~ "^rsync"
  exit "Error: Uploads to this directory prohibited"
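The effect of the rule order can be checked offline before the configuration is deployed. The following Python model is an added example, not part of the Rush manual or its code; it runs on constructed command lines. It assumes that rules are tried in the order listed with the first match ending evaluation, uses shlex to approximate word splitting, and treats each set statement as the prefix substitution its s|^|...| expression describes.

```python
import re
import shlex

def evaluate(command):
    """Return (rule, result): the rewritten argv for an accepted request,
    or the error text of the trap rule that ended the session."""
    words = shlex.split(command)  # assumption: approximates Rush word splitting
    if not words:
        return None, None
    last = words[-1]              # ${-1}, the last word of the command line
    traversal = re.search(r"\.\./", last) is not None

    # rule rsync-incoming: upload (no --sender) into /incoming/, no "../"
    if (re.search(r"^rsync --server", command)
            and not re.search(r"--sender", command)
            and re.search(r"/incoming/", last) and not traversal):
        return "rsync-incoming", ["/usr/bin/" + words[0], *words[1:-1],
                                  "/home/ftp/" + last]

    # rule rsync-home: conditions transcribed as written on the page
    if (re.search(r"^rsync", command)
            and not re.search(r"^[^/]", last) and not traversal):
        return "rsync-home", ["/usr/bin/" + words[0], *words[1:-1],
                              "public_html/" + last]

    # trap rules: any rsync request that reached this point is refused
    if re.search(r"^rsync.*--sender", command):
        return "rsync-to-trap", "Error: Downloads from this directory prohibited"
    if re.search(r"^rsync", command):
        return "rsync-from-trap", "Error: Uploads to this directory prohibited"
    return None, None  # not an rsync request; other rules would handle it

# Constructed sample command lines, in the form sshd passes them to the shell.
SAMPLES = [
    "rsync --server -logDtpr . /incoming/report.tar",
    "rsync --server -logDtpr . /incoming/../etc/cron.d/",
    "rsync --server --sender -logDtpr . docs/",
    "rsync --server -logDtpr . /site/",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", evaluate(line))
```

The second sample shows why the "../" test matters: the request names /incoming/ but is refused by rsync-from-trap instead of being rewritten under /home/ftp/.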
This document was generated on January 2, 2022 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.