.PHONY: install
install: all
-${MKDIR_P} ${DESTDIR}${bindir}
- -${MKDIR_P} ${DESTDIR}${libdir}
${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync$(EXEEXT) ${DESTDIR}${bindir}
${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir}
- ${INSTALLCMD} -m 755 ssl-rsh ${DESTDIR}${libdir}
-${MKDIR_P} ${DESTDIR}${mandir}/man1
-${MKDIR_P} ${DESTDIR}${mandir}/man5
if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
- Added the `--write-devices` option based on the long-standing patch.
- - Added openssl support to the rsync-ssl script via a (lib installed) helper
- script, ssl-rsh. Both bash scripts are now installed by default, removing
- the install-ssl-client make target. Rsync was also enhanced to set the
- `RSYNC_PORT` environment variable when running a daemon-over-rsh script. Its
- value is the user-specified port number (set via `--port` or an rsync://
- URL) or 0 if the user didn't override the port.
+ - Added openssl support to the rsync-ssl script, which is now installed by
+ default. This script was unified with the stunnel-rsync helper script to
+ simplify packaging.
+
+ - Rsync was enhanced to set the `RSYNC_PORT` environment variable when running
+ a daemon-over-rsh script. Its value is the user-specified port number (set
+ via `--port` or an rsync:// URL) or 0 if the user didn't override the port.
- Added the `haproxy header` daemon parameter that allows your rsyncd to know
the real remote IP when it is being proxied.
%config(noreplace) /etc/xinetd.d/rsync
%{_prefix}/bin/rsync
%{_prefix}/bin/rsync-ssl
-%{_prefix}/lib/rsync/ssl-rsh
%{_mandir}/man1/rsync.1*
%{_mandir}/man1/rsync-ssl.1*
%{_mandir}/man5/rsyncd.conf.5*
else
files='[cap]*'
fi
- rsync -ipe ./ssl-rsh rsync://download.samba.org/rsyncftp/generated-files/"$files" .
+ ./rsync-ssl -ip rsync://download.samba.org/rsyncftp/generated-files/"$files" .
;;
fetchgen)
- rsync -ipe ./ssl-rsh rsync://download.samba.org/rsyncftp/generated-files/'*' .
+ ./rsync-ssl -ip rsync://download.samba.org/rsyncftp/generated-files/'*' .
;;
fetchSRC)
- rsync -ipre ./ssl-rsh --exclude=/.git/ rsync://download.samba.org/ftp/pub/unpacked/rsync/ .
+ ./rsync-ssl -ipr --exclude=/.git/ rsync://download.samba.org/ftp/pub/unpacked/rsync/ .
;;
*)
echo "Unknown action: $action"
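Review bot: These fetches are now only as authenticated as rsync-ssl's defaults: `./rsync-ssl -ip rsync://download.samba.org/...` delegates TLS verification to the helper, and in the helper's stunnel path an unset RSYNC_SSL_CA_CERT produces `verify = 0` with no CAfile, so on a build host where path_search finds stunnel before openssl the generated files and the unpacked source tree are pulled over a TLS connection whose peer certificate is not checked. Since these files feed the build, consider pinning the type here, `./rsync-ssl --type=openssl -ip rsync://download.samba.org/rsyncftp/generated-files/"$files" .`, or exporting RSYNC_SSL_CA_CERT at the top of this script so the fetch fails closed instead of falling back to an unauthenticated tunnel. The enclosing `case "$action"` starts before this hunk.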
#!/bin/bash
+
# This script supports using stunnel or openssl to secure an rsync daemon connection.
-# The first option can be --type=stunnel or --type=openssl to choose your connection
-# type (overriding any $RSYNC_SSL_TYPE default value).
-if [[ "$1" == --type=* ]]; then
- export RSYNC_SSL_TYPE="${1/--type=/}"
+# By default this script takes rsync args and hands them off to the actual
+# rsync command with an --rsh option that makes it open an SSL connection to an
+# rsync daemon. See the rsync-ssl manpage for usage details and env variables.
+
+# When the first arg is --HELPER, we are being used by rsync as an --rsh helper
+# script, and the args are (note the trailing dot):
+#
+# rsync-ssl --HELPER HOSTNAME rsync --server --daemon .
+#
+# --HELPER is not a user-facing option, so it is not documented in the manpage.
+
+# The first SSL setup was based on: http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+function rsync_ssl_run {
+ case "$*" in
+ *rsync://*) ;;
+ *::*) ;;
+ *)
+ echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
+ exit 1
+ ;;
+ esac
+
+ exec rsync --rsh="$0 --HELPER" "${@}"
+}
+
+function rsync_ssl_helper {
+ if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+ found=`path_search stunnel4 stunnel openssl` || exit 1
+ if [[ "$found" == */openssl ]]; then
+ RSYNC_SSL_TYPE=openssl
+ RSYNC_SSL_OPENSSL="$found"
+ else
+ RSYNC_SSL_TYPE=stunnel
+ RSYNC_SSL_STUNNEL="$found"
+ fi
+ fi
+
+ case "$RSYNC_SSL_TYPE" in
+ openssl)
+ if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
+ RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
+ fi
+ optsep=' '
+ ;;
+ stunnel)
+ if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+ RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
+ fi
+ optsep=' = '
+ ;;
+ *)
+ echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
+ exit 1
+ ;;
+ esac
+
+ if [[ -z "$RSYNC_SSL_CERT" ]]; then
+ certopt=""
+ else
+ certopt="cert$optsep$RSYNC_SSL_CERT"
+ fi
+
+ if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+ # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+ # openssl:
+ caopt="-verify_return_error -verify 4"
+ # stunnel:
+ cafile=""
+ verify=0
+ elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+ # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+ # openssl:
+ caopt="-verify 1"
+ # stunnel:
+ cafile=""
+ verify=0
+ else
+ # RSYNC_SSL_CA_CERT set - use CA AND verify:
+ # openssl:
+ caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+ # stunnel:
+ cafile="CAfile = $RSYNC_SSL_CA_CERT"
+ verify=3
+ fi
+
+ port="${RSYNC_PORT:-0}"
+ if [[ "$port" == 0 ]]; then
+ port="${RSYNC_SSL_PORT:-874}"
+ fi
+
+ # If the user specified USER@HOSTNAME::module, then rsync passes us
+ # the -l USER option too, so we must be prepared to ignore it.
+ if [[ "$1" == "-l" ]]; then
+ shift 2
+ fi
+
+ hostname="$1"
shift
-fi
-case "$@" in
-*rsync://*) ;;
-*::*) ;;
-*)
- echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
+ if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+ echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2
+ exit 1
+ fi
+
+ if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+ else
+ # devzero@web.de came up with this no-tmpfile calling syntax:
+ exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$certopt
+$cafile
+EOF
+ fi
+}
+
+function path_search {
+ IFS_SAVE="$IFS"
+ IFS=:
+ for prog in "${@}"; do
+ for dir in $PATH; do
+ [[ -z "$dir" ]] && dir=.
+ if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+ echo "$dir/$prog"
+ IFS="$IFS_SAVE"
+ return 0
+ fi
+ done
+ done
+
+ IFS="$IFS_SAVE"
+ echo "Failed to find on your path: $*" 1>&2
+ echo "See the rsync-ssl manpage for configuration assistance." 1>&2
+ return 1
+}
+
+if [[ "$#" == 0 ]]; then
+ echo "Usage: rsync-ssl [--type=openssl|stunnel] RSYNC_OPTION [...]" 1>&2
exit 1
- ;;
-esac
+fi
+
+if [[ "$1" = --help || "$1" = -h ]]; then
+ exec rsync --help
+fi
-mydir="${0%/*}"
-libdir="$mydir/../lib/rsync"
+if [[ "$1" == --HELPER ]]; then
+ shift
+ rsync_ssl_helper "${@}"
+fi
+
+if [[ "$1" == --type=* ]]; then
+ export RSYNC_SSL_TYPE="${1/--type=/}"
+ shift
+fi
-exec "$mydir/rsync" --rsh="$libdir/ssl-rsh" "${@}"
+rsync_ssl_run "${@}"
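Review bot: The openssl branch at `exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt ... -servername $hostname -connect $hostname:$port` verifies the chain (`-verify 4 -verify_return_error`) but never ties the certificate to the host, so a man-in-the-middle presenting any CA-signed certificate for some other name passes; as far as I know s_client only matches the name when asked, so add `-verify_hostname $hostname` (OpenSSL 1.1.0+) next to `-servername`. The stunnel branch is weaker still: under the comment `RSYNC_SSL_CA_CERT unset - default CA set AND verify:` the heredoc gets `verify = 0` and no `CAfile`, which in stunnel means the peer certificate is requested but not checked, and because `path_search stunnel4 stunnel openssl` prefers stunnel, a host with stunnel installed silently gets an unauthenticated tunnel unless the user sets RSYNC_SSL_CA_CERT; at minimum that comment should state this, and the heredoc should gain `checkHost = $hostname` (stunnel 5.x) with a verify level that actually loads a trust store. This logic is carried over from ssl-rsh, but rsync-ssl is now the installed default entry point, so this is the place to harden it. Separately, `exec rsync --rsh="$0 --HELPER" "${@}"` in rsync_ssl_run embeds `$0` in an rsh string that rsync splits on whitespace, so an install path containing a space breaks the helper invocation; if that is an accepted limitation, a one-line comment there would save the next reader a debugging session.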
Note that the stunnel connection type requires at least version 4 of stunnel,
which should be the case on modern systems.
-This script requires that a helper script named **ssl-rsh** be installed the
-@LIBDIR@ dir so that rsync can use it as its remote-shell command.
-
# ENVIRONMENT VARIABLES
The ssl helper scripts are affected by the following environment variables:
> rsync-ssl --type=openssl -aiv example.com::src/ dest
-# FILES
-
-@LIBDIR@/ssl-rsh
-
# SEE ALSO
**rsync**(1), **rsyncd.conf**(5)
+++ /dev/null
-#!/bin/bash
-# This must be called as (note the trailing dot):
-#
-# ssl-rsh HOSTNAME rsync --server --daemon .
-#
-# ... which is typically done via the rsync-ssl script, which results in something like this:
-#
-# rsync --rsh=/usr/lib/rsync/ssl-rsh -aiv HOSTNAME::module [ARGS]
-#
-# This SSL setup based on the files by: http://dozzie.jarowit.net/trac/wiki/RsyncSSL
-# Note that an stunnel connection requires at least version 4.x of stunnel.
-
-# The environment can override our defaults using RSYNC_SSL_* variables. See `man rsync-ssl`.
-
-function path_search {
- IFS_SAVE="$IFS"
- IFS=:
- for prog in "${@}"; do
- for dir in $PATH; do
- [[ -z "$dir" ]] && dir=.
- if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
- echo "$dir/$prog"
- IFS="$IFS_SAVE"
- return 0
- fi
- done
- done
-
- IFS="$IFS_SAVE"
- echo "Failed to find on your path: $*" 1>&2
- echo "See the rsync-ssl manpage for configuration assistance." 1>&2
- return 1
-}
-
-if [[ -z "$RSYNC_SSL_TYPE" ]]; then
- found=`path_search stunnel4 stunnel openssl` || exit 1
- if [[ "$found" == */openssl ]]; then
- RSYNC_SSL_TYPE=openssl
- RSYNC_SSL_OPENSSL="$found"
- else
- RSYNC_SSL_TYPE=stunnel
- RSYNC_SSL_STUNNEL="$found"
- fi
-fi
-
-case "$RSYNC_SSL_TYPE" in
- openssl)
- if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
- RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
- fi
- optsep=' '
- ;;
- stunnel)
- if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
- RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
- fi
- optsep=' = '
- ;;
- *)
- echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
- exit 1
- ;;
-esac
-
-if [[ -z "$RSYNC_SSL_CERT" ]]; then
- certopt=""
-else
- certopt="cert$optsep$RSYNC_SSL_CERT"
-fi
-
-if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
- # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
- # openssl:
- caopt="-verify_return_error -verify 4"
- # stunnel:
- cafile=""
- verify=0
-elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
- # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
- # openssl:
- caopt="-verify 1"
- # stunnel:
- cafile=""
- verify=0
-else
- # RSYNC_SSL_CA_CERT set - use CA AND verify:
- # openssl:
- caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
- # stunnel:
- cafile="CAfile = $RSYNC_SSL_CA_CERT"
- verify=3
-fi
-
-port="${RSYNC_PORT:-0}"
-if [[ "$port" == 0 ]]; then
- port="${RSYNC_SSL_PORT:-874}"
-fi
-
-# If the user specified USER@HOSTNAME::module, then rsync passes us
-# the -l USER option too, so we must be prepared to ignore it.
-if [[ "$1" == "-l" ]]; then
- shift 2
-fi
-
-hostname="$1"
-shift
-
-if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
- echo "Usage: ssl-rsh HOSTNAME rsync --server --daemon ." 1>&2
- exit 1
-fi
-
-if [[ $RSYNC_SSL_TYPE == openssl ]]; then
- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
-else
- # devzero@web.de came up with this no-tmpfile calling syntax:
- exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
-foreground = yes
-debug = crit
-connect = $hostname:$port
-client = yes
-TIMEOUTclose = 0
-verify = $verify
-$certopt
-$cafile
-EOF
-fi