authorWayne Davison <wayne@opencoder.net>2020-06-11 18:47:43 -0700
committerWayne Davison <wayne@opencoder.net>2020-06-11 20:26:56 -0700
commitde78dd685b60b4f138c48206500c24952ca66362 (patch)
tree34e8235026c5815b51a17a940ce539ea9be792a5
parent88abb502297d9c27da7f856548d8eb08300e8aa2 (diff)
downloadrsync-de78dd685b60b4f138c48206500c24952ca66362.tar.gz
Simplify the install of rsync-ssl by unifying 2 scripts.
-rw-r--r--Makefile.in2
-rw-r--r--NEWS.md13
-rw-r--r--packaging/lsb/rsync.spec1
-rwxr-xr-xprepare-source6
-rwxr-xr-xrsync-ssl174
-rw-r--r--rsync-ssl.1.md7
-rwxr-xr-xssl-rsh127
7 files changed, 169 insertions, 161 deletions
diff --git a/Makefile.in b/Makefile.in
index a04bd157..792abbe7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -74,10 +74,8 @@ all: Makefile rsync$(EXEEXT) stunnel-rsyncd.conf man
.PHONY: install
install: all
-${MKDIR_P} ${DESTDIR}${bindir}
- -${MKDIR_P} ${DESTDIR}${libdir}
${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync$(EXEEXT) ${DESTDIR}${bindir}
${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir}
- ${INSTALLCMD} -m 755 ssl-rsh ${DESTDIR}${libdir}
-${MKDIR_P} ${DESTDIR}${mandir}/man1
-${MKDIR_P} ${DESTDIR}${mandir}/man5
if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
diff --git a/NEWS.md b/NEWS.md
index 4a29ec45..effccdfd 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -88,12 +88,13 @@ Protocol: 31 (unchanged)
- Added the `--write-devices` option based on the long-standing patch.
- - Added openssl support to the rsync-ssl script via a (lib installed) helper
- script, ssl-rsh. Both bash scripts are now installed by default, removing
- the install-ssl-client make target. Rsync was also enhanced to set the
- `RSYNC_PORT` environment variable when running a daemon-over-rsh script. Its
- value is the user-specified port number (set via `--port` or an rsync://
- URL) or 0 if the user didn't override the port.
+ - Added openssl support to the rsync-ssl script, which is now installed by
+ default. This script was unified with the stunnel-rsync helper script to
+ simplify packaging.
+
+ - Rsync was enhanced to set the `RSYNC_PORT` environment variable when running
+ a daemon-over-rsh script. Its value is the user-specified port number (set
+ via `--port` or an rsync:// URL) or 0 if the user didn't override the port.
- Added the `haproxy header` daemon parameter that allows your rsyncd to know
the real remote IP when it is being proxied.
diff --git a/packaging/lsb/rsync.spec b/packaging/lsb/rsync.spec
index ea02c7e6..4f44db5c 100644
--- a/packaging/lsb/rsync.spec
+++ b/packaging/lsb/rsync.spec
@@ -70,7 +70,6 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) /etc/xinetd.d/rsync
%{_prefix}/bin/rsync
%{_prefix}/bin/rsync-ssl
-%{_prefix}/lib/rsync/ssl-rsh
%{_mandir}/man1/rsync.1*
%{_mandir}/man1/rsync-ssl.1*
%{_mandir}/man5/rsyncd.conf.5*
diff --git a/prepare-source b/prepare-source
index 3514a4c8..e4232408 100755
--- a/prepare-source
+++ b/prepare-source
@@ -31,13 +31,13 @@ for action in "${@}"; do
else
files='[cap]*'
fi
- rsync -ipe ./ssl-rsh rsync://download.samba.org/rsyncftp/generated-files/"$files" .
+ ./rsync-ssl -ip rsync://download.samba.org/rsyncftp/generated-files/"$files" .
;;
fetchgen)
- rsync -ipe ./ssl-rsh rsync://download.samba.org/rsyncftp/generated-files/'*' .
+ ./rsync-ssl -ip rsync://download.samba.org/rsyncftp/generated-files/'*' .
;;
fetchSRC)
- rsync -ipre ./ssl-rsh --exclude=/.git/ rsync://download.samba.org/ftp/pub/unpacked/rsync/ .
+ ./rsync-ssl -ipr --exclude=/.git/ rsync://download.samba.org/ftp/pub/unpacked/rsync/ .
;;
*)
echo "Unknown action: $action"
diff --git a/rsync-ssl b/rsync-ssl
index c9a8db90..c55dc7a8 100755
--- a/rsync-ssl
+++ b/rsync-ssl
@@ -1,23 +1,167 @@
#!/bin/bash
+
# This script supports using stunnel or openssl to secure an rsync daemon connection.
-# The first option can be --type=stunnel or --type=openssl to choose your connection
-# type (overriding any $RSYNC_SSL_TYPE default value).
-if [[ "$1" == --type=* ]]; then
- export RSYNC_SSL_TYPE="${1/--type=/}"
+# By default this script takes rsync args and hands them off to the actual
+# rsync command with an --rsh option that makes it open an SSL connection to an
+# rsync daemon. See the rsync-ssl manpage for usage details and env variables.
+
+# When the first arg is --HELPER, we are being used by rsync as an --rsh helper
+# script, and the args are (note the trailing dot):
+#
+# rsync-ssl --HELPER HOSTNAME rsync --server --daemon .
+#
+# --HELPER is not a user-facing option, so it is not documented in the manpage.
+
+# The first SSL setup was based on: http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+function rsync_ssl_run {
+ case "$*" in
+ *rsync://*) ;;
+ *::*) ;;
+ *)
+ echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
+ exit 1
+ ;;
+ esac
+
+ exec rsync --rsh="$0 --HELPER" "${@}"
+}
+
+function rsync_ssl_helper {
+ if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+ found=`path_search stunnel4 stunnel openssl` || exit 1
+ if [[ "$found" == */openssl ]]; then
+ RSYNC_SSL_TYPE=openssl
+ RSYNC_SSL_OPENSSL="$found"
+ else
+ RSYNC_SSL_TYPE=stunnel
+ RSYNC_SSL_STUNNEL="$found"
+ fi
+ fi
+
+ case "$RSYNC_SSL_TYPE" in
+ openssl)
+ if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
+ RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
+ fi
+ optsep=' '
+ ;;
+ stunnel)
+ if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+ RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
+ fi
+ optsep=' = '
+ ;;
+ *)
+ echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
+ exit 1
+ ;;
+ esac
+
+ if [[ -z "$RSYNC_SSL_CERT" ]]; then
+ certopt=""
+ else
+ certopt="cert$optsep$RSYNC_SSL_CERT"
+ fi
+
+ if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+ # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+ # openssl:
+ caopt="-verify_return_error -verify 4"
+ # stunnel:
+ cafile=""
+ verify=0
+ elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+ # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+ # openssl:
+ caopt="-verify 1"
+ # stunnel:
+ cafile=""
+ verify=0
+ else
+ # RSYNC_SSL_CA_CERT set - use CA AND verify:
+ # openssl:
+ caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+ # stunnel:
+ cafile="CAfile = $RSYNC_SSL_CA_CERT"
+ verify=3
+ fi
+
+ port="${RSYNC_PORT:-0}"
+ if [[ "$port" == 0 ]]; then
+ port="${RSYNC_SSL_PORT:-874}"
+ fi
+
+ # If the user specified USER@HOSTNAME::module, then rsync passes us
+ # the -l USER option too, so we must be prepared to ignore it.
+ if [[ "$1" == "-l" ]]; then
+ shift 2
+ fi
+
+ hostname="$1"
shift
-fi
-case "$@" in
-*rsync://*) ;;
-*::*) ;;
-*)
- echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
+ if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+ echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2
+ exit 1
+ fi
+
+ if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+ else
+ # devzero@web.de came up with this no-tmpfile calling syntax:
+ exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$certopt
+$cafile
+EOF
+ fi
+}
+
+function path_search {
+ IFS_SAVE="$IFS"
+ IFS=:
+ for prog in "${@}"; do
+ for dir in $PATH; do
+ [[ -z "$dir" ]] && dir=.
+ if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+ echo "$dir/$prog"
+ IFS="$IFS_SAVE"
+ return 0
+ fi
+ done
+ done
+
+ IFS="$IFS_SAVE"
+ echo "Failed to find on your path: $*" 1>&2
+ echo "See the rsync-ssl manpage for configuration assistance." 1>&2
+ return 1
+}
+
+if [[ "$#" == 0 ]]; then
+ echo "Usage: rsync-ssl [--type=openssl|stunnel] RSYNC_OPTION [...]" 1>&2
exit 1
- ;;
-esac
+fi
+
+if [[ "$1" = --help || "$1" = -h ]]; then
+ exec rsync --help
+fi
-mydir="${0%/*}"
-libdir="$mydir/../lib/rsync"
+if [[ "$1" == --HELPER ]]; then
+ shift
+ rsync_ssl_helper "${@}"
+fi
+
+if [[ "$1" == --type=* ]]; then
+ export RSYNC_SSL_TYPE="${1/--type=/}"
+ shift
+fi
-exec "$mydir/rsync" --rsh="$libdir/ssl-rsh" "${@}"
+rsync_ssl_run "${@}"
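Review bot: `rsync_ssl_run` now execs a bare `rsync` resolved through `$PATH` (the `exec rsync --rsh="$0 --HELPER" "${@}"` line), whereas the script it replaces ran the sibling binary `"$mydir/rsync"`, so on a host with more than one rsync installed the wrapper may hand the job to a different, possibly older, rsync than the one it was installed with — and the `--HELPER` branch relies on that rsync exporting `RSYNC_PORT`. Keeping the sibling lookup, `exec "${0%/*}/rsync" --rsh="$0 --HELPER" "${@}"`, preserves the old behaviour (the `exec rsync --help` line has the same issue), with the caveat that `${0%/*}` collapses to `$0` itself when the script was invoked without a slash in its path. Separately, in `rsync_ssl_helper` the branch commented "RSYNC_SSL_CA_CERT unset - default CA set AND verify" sets stunnel `verify=0`, which, if I read stunnel's verify levels correctly, requests but does not check the peer certificate, so only the openssl path (`-verify 4 -verify_return_error`) actually verifies by default; either raise the stunnel level and point it at the system CA store, or correct the comment so the asymmetry is not hidden.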
diff --git a/rsync-ssl.1.md b/rsync-ssl.1.md
index a57b5aca..c8def0fa 100644
--- a/rsync-ssl.1.md
+++ b/rsync-ssl.1.md
@@ -26,9 +26,6 @@ All the other options are passed through to the rsync command, so consult the
Note that the stunnel connection type requires at least version 4 of stunnel,
which should be the case on modern systems.
-This script requires that a helper script named **ssl-rsh** be installed the
-@LIBDIR@ dir so that rsync can use it as its remote-shell command.
-
# ENVIRONMENT VARIABLES
The ssl helper scripts are affected by the following environment variables:
@@ -58,10 +55,6 @@ The ssl helper scripts are affected by the following environment variables:
> rsync-ssl --type=openssl -aiv example.com::src/ dest
-# FILES
-
-@LIBDIR@/ssl-rsh
-
# SEE ALSO
**rsync**(1), **rsyncd.conf**(5)
diff --git a/ssl-rsh b/ssl-rsh
deleted file mode 100755
index ea7b76c1..00000000
--- a/ssl-rsh
+++ /dev/null
@@ -1,127 +0,0 @@
-#!/bin/bash
-# This must be called as (note the trailing dot):
-#
-# ssl-rsh HOSTNAME rsync --server --daemon .
-#
-# ... which is typically done via the rsync-ssl script, which results in something like this:
-#
-# rsync --rsh=/usr/lib/rsync/ssl-rsh -aiv HOSTNAME::module [ARGS]
-#
-# This SSL setup based on the files by: http://dozzie.jarowit.net/trac/wiki/RsyncSSL
-# Note that an stunnel connection requires at least version 4.x of stunnel.
-
-# The environment can override our defaults using RSYNC_SSL_* variables. See `man rsync-ssl`.
-
-function path_search {
- IFS_SAVE="$IFS"
- IFS=:
- for prog in "${@}"; do
- for dir in $PATH; do
- [[ -z "$dir" ]] && dir=.
- if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
- echo "$dir/$prog"
- IFS="$IFS_SAVE"
- return 0
- fi
- done
- done
-
- IFS="$IFS_SAVE"
- echo "Failed to find on your path: $*" 1>&2
- echo "See the rsync-ssl manpage for configuration assistance." 1>&2
- return 1
-}
-
-if [[ -z "$RSYNC_SSL_TYPE" ]]; then
- found=`path_search stunnel4 stunnel openssl` || exit 1
- if [[ "$found" == */openssl ]]; then
- RSYNC_SSL_TYPE=openssl
- RSYNC_SSL_OPENSSL="$found"
- else
- RSYNC_SSL_TYPE=stunnel
- RSYNC_SSL_STUNNEL="$found"
- fi
-fi
-
-case "$RSYNC_SSL_TYPE" in
- openssl)
- if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
- RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
- fi
- optsep=' '
- ;;
- stunnel)
- if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
- RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
- fi
- optsep=' = '
- ;;
- *)
- echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
- exit 1
- ;;
-esac
-
-if [[ -z "$RSYNC_SSL_CERT" ]]; then
- certopt=""
-else
- certopt="cert$optsep$RSYNC_SSL_CERT"
-fi
-
-if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
- # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
- # openssl:
- caopt="-verify_return_error -verify 4"
- # stunnel:
- cafile=""
- verify=0
-elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
- # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
- # openssl:
- caopt="-verify 1"
- # stunnel:
- cafile=""
- verify=0
-else
- # RSYNC_SSL_CA_CERT set - use CA AND verify:
- # openssl:
- caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
- # stunnel:
- cafile="CAfile = $RSYNC_SSL_CA_CERT"
- verify=3
-fi
-
-port="${RSYNC_PORT:-0}"
-if [[ "$port" == 0 ]]; then
- port="${RSYNC_SSL_PORT:-874}"
-fi
-
-# If the user specified USER@HOSTNAME::module, then rsync passes us
-# the -l USER option too, so we must be prepared to ignore it.
-if [[ "$1" == "-l" ]]; then
- shift 2
-fi
-
-hostname="$1"
-shift
-
-if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
- echo "Usage: ssl-rsh HOSTNAME rsync --server --daemon ." 1>&2
- exit 1
-fi
-
-if [[ $RSYNC_SSL_TYPE == openssl ]]; then
- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
-else
- # devzero@web.de came up with this no-tmpfile calling syntax:
- exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
-foreground = yes
-debug = crit
-connect = $hostname:$port
-client = yes
-TIMEOUTclose = 0
-verify = $verify
-$certopt
-$cafile
-EOF
-fi