Support rsync daemon over SSL via stunnel.

Added the client rsync-ssl script and various client/daemon support files needed for talking to an rsync daemon over SSL on port 874 (no tls support). This uses an elegant stunnel setup that was detailed by dozzie (see the resources page) now that stunnel4 has improved command-spawning support. Also incorporates some tweaks by devzero (e.g. the nice no-tmpfile-config client-side code) and a few by me (including logging of the actual remote IP that came in to the stunnel process). This probably still needs a little work.

Support rsync daemon over SSL via stunnel.
Added the client rsync-ssl script and various client/daemon support files needed for talking to an rsync daemon over SSL on port 874 (no tls support). This uses an elegant stunnel setup that was detailed by dozzie (see the resources page) now that stunnel4 has improved command-spawning support. Also incorporates some tweaks by devzero (e.g. the nice no-tmpfile-config client-side code) and a few by me (including logging of the actual remote IP that came in to the stunnel process). This probably still needs a little work.
70d4a945 · Wayne Davison · 0488a14b · 70d4a945 · 70d4a945 · 70d4a945
Commit 70d4a945 authored Jun 15, 2013 by Wayne Davison
8 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,9 @@ config.status
 /getgroups
 /gmon.out
 /rsync
+/rsync-ssl
+/stunnel-rsync
+/stunnel-rsyncd.conf
 /shconfig
 /testdir
 /tests-dont-exist

--- a/Makefile.in
+++ b/Makefile.in
@@ -4,6 +4,7 @@
 prefix=@prefix@
 datarootdir=@datarootdir@
 exec_prefix=@exec_prefix@
+stunnel4=@STUNNEL4@
 bindir=@bindir@
 mandir=@mandir@

@@ -18,6 +19,7 @@ INSTALLCMD=@INSTALL@
 INSTALLMAN=@INSTALL@

 srcdir=@srcdir@
+MKDIR_P=@MKDIR_P@
 VPATH=$(srcdir)
 SHELL=/bin/sh

@@ -60,16 +62,30 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.
 	$(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
 @OBJ_RESTORE@

-all: Makefile rsync$(EXEEXT) @MAKE_MAN@
+all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsync stunnel-rsyncd.conf @MAKE_MAN@

 install: all
-	-mkdir -p ${DESTDIR}${bindir}
+	-${MKDIR_P} ${DESTDIR}${bindir}
 	${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync$(EXEEXT) ${DESTDIR}${bindir}
-	-mkdir -p ${DESTDIR}${mandir}/man1
-	-mkdir -p ${DESTDIR}${mandir}/man5
+	-${MKDIR_P} ${DESTDIR}${mandir}/man1
+	-${MKDIR_P} ${DESTDIR}${mandir}/man5
 	if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
 	if test -f rsyncd.conf.5; then ${INSTALLMAN} -m 644 rsyncd.conf.5 ${DESTDIR}${mandir}/man5; fi

+install-ssl-client: rsync-ssl stunnel-rsync
+	-${MKDIR_P} ${DESTDIR}${bindir}
+	${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync-ssl ${DESTDIR}${bindir}
+	${INSTALLCMD} ${INSTALL_STRIP} -m 755 stunnel-rsync ${DESTDIR}${bindir}
+
+install-ssl-daemon: stunnel-rsyncd.conf
+	-${MKDIR_P} ${DESTDIR}/etc/stunnel
+	${INSTALLCMD} ${INSTALL_STRIP} -m 644 stunnel-rsyncd.conf ${DESTDIR}/etc/stunnel/rsyncd.conf
+	@if ! ls /etc/rsync-ssl/certs/server.* >/dev/null 2>/dev/null; then \
+	    echo "Note that you'll need to install the certificate used by /etc/stunnel/rsyncd.conf"; \
+	fi
+
+install-all: install install-ssl-client install-ssl-daemon
+
 install-strip:
 	$(MAKE) INSTALL_STRIP='-s' install

@@ -173,6 +189,17 @@ Makefile: Makefile.in config.status configure.sh config.h.in
 	    fi \
 	fi

+rsync-ssl: $(srcdir)/rsync-ssl.in Makefile
+	sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/rsync-ssl.in >rsync-ssl
+	@chmod +x rsync-ssl
+
+stunnel-rsync: $(srcdir)/stunnel-rsync.in Makefile
+	sed 's;\@stunnel4\@;$(stunnel4);g' <$(srcdir)/stunnel-rsync.in >stunnel-rsync
+	@chmod +x stunnel-rsync
+
+stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile
+	sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf
+
 proto: proto.h-tstamp

 proto.h: proto.h-tstamp
@@ -207,6 +234,7 @@ cleantests:
 # the source directory.
 distclean: clean
 	rm -f Makefile config.h config.status
+	rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf
 	rm -f lib/dummy popt/dummy zlib/dummy
 	rm -f $(srcdir)/Makefile $(srcdir)/config.h $(srcdir)/config.status
 	rm -f $(srcdir)/lib/dummy $(srcdir)/popt/dummy $(srcdir)/zlib/dummy

--- a/clientname.c
+++ b/clientname.c
@@ -41,7 +41,6 @@ char *client_addr(int fd)
 	static int initialised;
 	struct sockaddr_storage ss;
 	socklen_t length = sizeof ss;
-	char *ssh_info, *p;

 	if (initialised)
 		return addr_buf;
@@ -49,11 +48,14 @@ char *client_addr(int fd)
 	initialised = 1;

 	if (am_server) {	/* daemon over --rsh mode */
+		char *env_str;
 		strlcpy(addr_buf, "0.0.0.0", sizeof addr_buf);
-		if ((ssh_info = getenv("SSH_CONNECTION")) != NULL
-		    || (ssh_info = getenv("SSH_CLIENT")) != NULL
-		    || (ssh_info = getenv("SSH2_CLIENT")) != NULL) {
-			strlcpy(addr_buf, ssh_info, sizeof addr_buf);
+		if ((env_str = getenv("SSH_CONNECTION")) != NULL
+		 || (env_str = getenv("SSH_CLIENT")) != NULL
+		 || (env_str = getenv("SSH2_CLIENT")) != NULL
+		 || (env_str = getenv("REMOTE_HOST")) != NULL) {
+			char *p;
+			strlcpy(addr_buf, env_str, sizeof addr_buf);
 			/* Truncate the value to just the IP address. */
 			if ((p = strchr(addr_buf, ' ')) != NULL)
 				*p = '\0';

--- a/configure.ac
+++ b/configure.ac
@@ -39,6 +39,7 @@ AC_PROG_CC
 AC_PROG_CPP
 AC_PROG_EGREP
 AC_PROG_INSTALL
+AC_PROG_MKDIR_P
 AC_PROG_CC_STDC
 AC_SUBST(SHELL)

@@ -954,6 +955,9 @@ AC_SUBST(BUILD_POPT)
 AC_SUBST(BUILD_ZLIB)
 AC_SUBST(MAKE_MAN)

+AC_PATH_PROG([STUNNEL], [stunnel], [stunnel], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
+AC_PATH_PROG([STUNNEL4], [stunnel4], [$STUNNEL], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
+
 AC_CHECK_FUNCS(_acl __acl _facl __facl)
 #################################################
 # check for ACL support

--- a/packaging/lsb/rsync.spec
+++ b/packaging/lsb/rsync.spec
 Summary: A fast, versatile, remote (and local) file-copying tool
 Name: rsync
-Version: 3.0.3
+Version: 3.1.0
 %define fullversion %{version}
 Release: 1
 %define srcdir src
@@ -13,6 +13,14 @@ Prefix: %{_prefix}
 BuildRoot: /var/tmp/%{name}-root
 License: GPL

+%package ssl-client
+Summary: Provides rsync-ssl
+Requires: stunnel >= 4
+
+%package ssl-daemon
+Summary: An stunnel config file to support ssl rsync daemon connections.
+Requires: stunnel >= 4
+
 %description
 Rsync is a fast and extraordinarily versatile file copying tool.  It can
 copy locally, to/from another host over any remote shell, or to/from a
@@ -24,12 +32,22 @@ differences between the source files and the existing files in the
 destination.  Rsync is widely used for backups and mirroring and as an
 improved copy command for everyday use.

+%description ssl-client
+Provides the rsync-ssl script that makes use of stunnel 4 to open an ssl
+connection to an rsync daemon (on port 874).  This setup does NOT require
+any local stunnel daemon to be running to connect to the remote ssl rsyncd.
+
+%description ssl-daemon
+Provides a config file for stunnel that will (if you start your stunnel
+service) cause stunnel to listen for ssl rsync-daemon connections and run
+"rsync --daemon" to handle them.
+
 %prep
 # Choose one -- setup source only, or setup source + rsync-patches:
 %setup -q -n rsync-%{fullversion}
 #%setup -q -b1 -n rsync-%{fullversion}

-# If you you used "%setup -q -b1", choose the patches you wish to apply:
+# If you you used "%setup -q -b1 ...", choose the patches you wish to apply:
 #patch -p1 <patches/acls.diff
 #patch -p1 <patches/xattrs.diff
 #patch -p1 <patches/remote-option.diff
@@ -47,13 +65,11 @@ make
 %install
 rm -rf $RPM_BUILD_ROOT

-%makeinstall
+make install install-ssl-client install-ssl-daemon

-mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d
+mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d $RPM_BUILD_ROOT/etc/rsync-ssl/certs
 install -m 644 packaging/lsb/rsync.xinetd $RPM_BUILD_ROOT/etc/xinetd.d/rsync

-#install -p -m 755 support/rsyncdb $RPM_BUILD_ROOT/usr/bin/rsyncdb
-
 %clean
 rm -rf $RPM_BUILD_ROOT

@@ -61,10 +77,18 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root)
 %doc COPYING NEWS OLDNEWS README support/ tech_report.tex
 %config(noreplace) /etc/xinetd.d/rsync
-%{_prefix}/bin/rsync*
+%{_prefix}/bin/rsync
 %{_mandir}/man1/rsync.1*
 %{_mandir}/man5/rsyncd.conf.5*

+%files ssl-client
+%{_prefix}/bin/rsync-ssl
+%{_prefix}/bin/stunnel-rsync
+
+%files ssl-daemon
+%config(noreplace) /etc/stunnel/rsyncd.conf
+%dir /etc/rsync-ssl/certs
+
 %changelog
 * Sun Jun 29 2008 Wayne Davison <wayned@samba.org>
 Released 3.0.3.

--- a/rsync-ssl.in
+++ b/rsync-ssl.in
+#!/bin/bash
+# This script supports using stunnel to secure an rsync daemon connection.
+# Note that this requires at least version 4.x of stunnel.
+case "$@" in
+*rsync://*) ;;
+*::*) ;;
+*)
+    echo "You must use rsync-ssl with a daemon-style hostname." 0>&1
+    exit 1
+    ;;
+esac
+exec @bindir@/rsync --rsh=@bindir@/stunnel-rsync "${@}"
--- a/stunnel-rsync.in
+++ b/stunnel-rsync.in
+#!/bin/bash
+# This must be called as:
+#
+#    stunnel-rsync HOSTNAME rsync --server --daemon .
+#
+# ... which is typically done via the rsync-ssl script, which results in something like this:
+#
+#    rsync --rsh=stunnel-rsync -aiv HOSTNAME::module ...
+#
+# This SSL setup based on the files by:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that this requires at least version 4.x of stunnel.
+
+# The current environment can override using the RSYNC_SSL_* values:
+if [ x"$RSYNC_SSL_CERT" = x ]; then
+    cert=""
+else
+    cert="cert = $RSYNC_SSL_CERT"
+fi
+if [ x"$RSYNC_SSL_CA_CERT" ]; then
+    cafile=""
+    verify=0
+else
+    cafile="CAfile = $RSYNC_SSL_CA_CERT"
+    verify=3
+fi
+port=${RSYNC_SSL_PORT:-874}
+
+# If the user specified USER@HOSTNAME::module, then rsync passes us
+# the -l USER option too, so we must be prepared to ignore it.
+if [ x"$1" = x"-l" ]; then
+    shift 2
+fi
+
+hostname=$1
+shift
+
+if [ x"$hostname" = x -o x"$1" != x"rsync" -o x"$2" != x"--server" -o x"$3" != x"--daemon" ]; then
+    echo "Usage: stunnel-rsync HOSTNAME rsync --server --daemon ." 1>&2
+    exit 1
+fi
+
+# devzero@web.de came up with this no-tmpfile calling syntax:
+@stunnel4@ -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$cert
+$cafile
+EOF
--- a/stunnel-rsyncd.conf.in
+++ b/stunnel-rsyncd.conf.in
+# This config for stunnel will start up rsync for an incoming ssl connection.
+foreground = no
+#output = /var/log/stunnel-rsyncd.log
+pid = /var/run/stunnel-rsyncd.pid
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+compression = rle
+# This must be root for rsync to use chroot -- rsync will drop permissions:
+setuid = root
+setgid = root
+
+[rsync]
+accept = 874
+# You can set the cert to a combo *.pem file and omit the key, if you like.
+cert = /etc/rsync-ssl/certs/server.crt
+key  = /etc/rsync-ssl/certs/server.key
+client = no
+
+# To allow anyone to try an ssl connection, use this:
+verify = 0
+CAfile = /etc/ssl/ca-bundle.pem
+
+# To allow only cert-authorized clients, use something like this instead of the above:
+#verify = 3
+#CAfile = /etc/rsync-ssl/certs/allowed-clients.cert.pem
+
+exec = @bindir@/rsync
+# You can either share the same config as a normal daemon, or specify a separate config:
+execargs = rsync --server --daemon
+#execargs = rsync --server --daemon --config=/etc/rsync-ssl/rsyncd.conf