/getgroups
/gmon.out
/rsync
+/rsync-ssl
+/stunnel-rsync
+/stunnel-rsyncd.conf
/shconfig
/testdir
/tests-dont-exist
prefix=@prefix@
datarootdir=@datarootdir@
exec_prefix=@exec_prefix@
+stunnel4=@STUNNEL4@
bindir=@bindir@
mandir=@mandir@
INSTALLMAN=@INSTALL@
srcdir=@srcdir@
+MKDIR_P=@MKDIR_P@
VPATH=$(srcdir)
SHELL=/bin/sh
$(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
@OBJ_RESTORE@
-all: Makefile rsync$(EXEEXT) @MAKE_MAN@
+all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsync stunnel-rsyncd.conf @MAKE_MAN@
install: all
- -mkdir -p ${DESTDIR}${bindir}
+ -${MKDIR_P} ${DESTDIR}${bindir}
${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync$(EXEEXT) ${DESTDIR}${bindir}
- -mkdir -p ${DESTDIR}${mandir}/man1
- -mkdir -p ${DESTDIR}${mandir}/man5
+ -${MKDIR_P} ${DESTDIR}${mandir}/man1
+ -${MKDIR_P} ${DESTDIR}${mandir}/man5
if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
if test -f rsyncd.conf.5; then ${INSTALLMAN} -m 644 rsyncd.conf.5 ${DESTDIR}${mandir}/man5; fi
+install-ssl-client: rsync-ssl stunnel-rsync
+ -${MKDIR_P} ${DESTDIR}${bindir}
+ ${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync-ssl ${DESTDIR}${bindir}
+ ${INSTALLCMD} ${INSTALL_STRIP} -m 755 stunnel-rsync ${DESTDIR}${bindir}
+
+install-ssl-daemon: stunnel-rsyncd.conf
+ -${MKDIR_P} ${DESTDIR}/etc/stunnel
+ ${INSTALLCMD} ${INSTALL_STRIP} -m 644 stunnel-rsyncd.conf ${DESTDIR}/etc/stunnel/rsyncd.conf
+ @if ! ls /etc/rsync-ssl/certs/server.* >/dev/null 2>/dev/null; then \
+ echo "Note that you'll need to install the certificate used by /etc/stunnel/rsyncd.conf"; \
+ fi
+
+install-all: install install-ssl-client install-ssl-daemon
+
install-strip:
$(MAKE) INSTALL_STRIP='-s' install
fi \
fi
+rsync-ssl: $(srcdir)/rsync-ssl.in Makefile
+ sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/rsync-ssl.in >rsync-ssl
+ @chmod +x rsync-ssl
+
+stunnel-rsync: $(srcdir)/stunnel-rsync.in Makefile
+ sed 's;\@stunnel4\@;$(stunnel4);g' <$(srcdir)/stunnel-rsync.in >stunnel-rsync
+ @chmod +x stunnel-rsync
+
+stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile
+ sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf
+
proto: proto.h-tstamp
proto.h: proto.h-tstamp
# the source directory.
distclean: clean
rm -f Makefile config.h config.status
+ rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf
rm -f lib/dummy popt/dummy zlib/dummy
rm -f $(srcdir)/Makefile $(srcdir)/config.h $(srcdir)/config.status
rm -f $(srcdir)/lib/dummy $(srcdir)/popt/dummy $(srcdir)/zlib/dummy
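Review bot: `${INSTALL_STRIP}` is passed when installing `rsync-ssl`, `stunnel-rsync` and `stunnel-rsyncd.conf` in the new `install-ssl-client` and `install-ssl-daemon` recipes, but these are shell scripts and a config file, so a run with `INSTALL_STRIP='-s'` would hand text files to strip. The three lines should drop it, e.g. `${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir}`. The certificate check in `install-ssl-daemon` runs `ls /etc/rsync-ssl/certs/server.*` against the live root even when `${DESTDIR}` is set, and `/etc/stunnel` is hard-coded rather than derived from a configure variable, so staged or non-default-prefix installs are checked against the wrong tree. The three generated files are also written straight to their target by `sed ... >target`; writing to a temporary name and renaming would avoid a truncated file that looks up to date after a failed run.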
static int initialised;
struct sockaddr_storage ss;
socklen_t length = sizeof ss;
- char *ssh_info, *p;
if (initialised)
return addr_buf;
initialised = 1;
if (am_server) { /* daemon over --rsh mode */
+ char *env_str;
strlcpy(addr_buf, "0.0.0.0", sizeof addr_buf);
- if ((ssh_info = getenv("SSH_CONNECTION")) != NULL
- || (ssh_info = getenv("SSH_CLIENT")) != NULL
- || (ssh_info = getenv("SSH2_CLIENT")) != NULL) {
- strlcpy(addr_buf, ssh_info, sizeof addr_buf);
+ if ((env_str = getenv("SSH_CONNECTION")) != NULL
+ || (env_str = getenv("SSH_CLIENT")) != NULL
+ || (env_str = getenv("SSH2_CLIENT")) != NULL
+ || (env_str = getenv("REMOTE_HOST")) != NULL) {
+ char *p;
+ strlcpy(addr_buf, env_str, sizeof addr_buf);
/* Truncate the value to just the IP address. */
if ((p = strchr(addr_buf, ' ')) != NULL)
*p = '\0';
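Review bot: The new `getenv("REMOTE_HOST")` fallback copies the variable into `addr_buf` without checking that it is an address, and only a space truncates it. The SSH variables are set by sshd, whereas `REMOTE_HOST` is a generic name that launchers other than stunnel may set, sometimes to a DNS name. If the returned string feeds host-based allow/deny decisions elsewhere (not visible in this hunk), the result is only as trustworthy as the process that started rsync. I would state that next to the lookup, e.g. `/* REMOTE_HOST is expected to be set by stunnel's exec environment; treat it as launcher-supplied, not verified. */`, and consider rejecting values that do not parse as a numeric address. The function begins and ends outside the visible lines.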
AC_PROG_CPP
AC_PROG_EGREP
AC_PROG_INSTALL
+AC_PROG_MKDIR_P
AC_PROG_CC_STDC
AC_SUBST(SHELL)
AC_SUBST(BUILD_ZLIB)
AC_SUBST(MAKE_MAN)
+AC_PATH_PROG([STUNNEL], [stunnel], [stunnel], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
+AC_PATH_PROG([STUNNEL4], [stunnel4], [$STUNNEL], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
+
AC_CHECK_FUNCS(_acl __acl _facl __facl)
#################################################
# check for ACL support
Summary: A fast, versatile, remote (and local) file-copying tool
Name: rsync
-Version: 3.0.3
+Version: 3.1.0
%define fullversion %{version}
Release: 1
%define srcdir src
BuildRoot: /var/tmp/%{name}-root
License: GPL
+%package ssl-client
+Summary: Provides rsync-ssl
+Requires: stunnel >= 4
+
+%package ssl-daemon
+Summary: An stunnel config file to support ssl rsync daemon connections.
+Requires: stunnel >= 4
+
%description
Rsync is a fast and extraordinarily versatile file copying tool. It can
copy locally, to/from another host over any remote shell, or to/from a
destination. Rsync is widely used for backups and mirroring and as an
improved copy command for everyday use.
+%description ssl-client
+Provides the rsync-ssl script that makes use of stunnel 4 to open an ssl
+connection to an rsync daemon (on port 874). This setup does NOT require
+any local stunnel daemon to be running to connect to the remote ssl rsyncd.
+
+%description ssl-daemon
+Provides a config file for stunnel that will (if you start your stunnel
+service) cause stunnel to listen for ssl rsync-daemon connections and run
+"rsync --daemon" to handle them.
+
%prep
# Choose one -- setup source only, or setup source + rsync-patches:
%setup -q -n rsync-%{fullversion}
#%setup -q -b1 -n rsync-%{fullversion}
-# If you you used "%setup -q -b1", choose the patches you wish to apply:
+# If you you used "%setup -q -b1 ...", choose the patches you wish to apply:
#patch -p1 <patches/acls.diff
#patch -p1 <patches/xattrs.diff
#patch -p1 <patches/remote-option.diff
%install
rm -rf $RPM_BUILD_ROOT
-%makeinstall
+make install install-ssl-client install-ssl-daemon
-mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d
+mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d $RPM_BUILD_ROOT/etc/rsync-ssl/certs
install -m 644 packaging/lsb/rsync.xinetd $RPM_BUILD_ROOT/etc/xinetd.d/rsync
-#install -p -m 755 support/rsyncdb $RPM_BUILD_ROOT/usr/bin/rsyncdb
-
%clean
rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root)
%doc COPYING NEWS OLDNEWS README support/ tech_report.tex
%config(noreplace) /etc/xinetd.d/rsync
-%{_prefix}/bin/rsync*
+%{_prefix}/bin/rsync
%{_mandir}/man1/rsync.1*
%{_mandir}/man5/rsyncd.conf.5*
+%files ssl-client
+%{_prefix}/bin/rsync-ssl
+%{_prefix}/bin/stunnel-rsync
+
+%files ssl-daemon
+%config(noreplace) /etc/stunnel/rsyncd.conf
+%dir /etc/rsync-ssl/certs
+
%changelog
* Sun Jun 29 2008 Wayne Davison <wayned@samba.org>
Released 3.0.3.
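Review bot: The `%install` step now runs `make install install-ssl-client install-ssl-daemon` with no staging root, while the `%makeinstall` it replaces redirected the install into the build root. The Makefile recipes key off `${DESTDIR}`, so as written this installs into the build host's live `/usr` and `/etc/stunnel`, and the `%files` lists will not find the files under `$RPM_BUILD_ROOT`. The line should read `make install install-ssl-client install-ssl-daemon DESTDIR=$RPM_BUILD_ROOT`. The new `%files ssl-client` and `%files ssl-daemon` sections also carry no `%defattr`, and `%dir /etc/rsync-ssl/certs` is where the config expects `server.key`, so an explicit mode such as `%attr(0700,root,root) %dir /etc/rsync-ssl/certs` would keep the private key directory from inheriting build-time permissions.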
--- /dev/null
+#!/bin/bash
+# This script supports using stunnel to secure an rsync daemon connection.
+# Note that this requires at least version 4.x of stunnel.
+case "$@" in
+*rsync://*) ;;
+*::*) ;;
+*)
+ echo "You must use rsync-ssl with a daemon-style hostname." 0>&1
+ exit 1
+ ;;
+esac
+exec @bindir@/rsync --rsh=@bindir@/stunnel-rsync "${@}"
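Review bot: The usage error in the `*)` branch is echoed with `0>&1`, which redirects stdin rather than sending the message to stderr, so the text lands on stdout, where a caller capturing rsync output would read it as data. It should be `echo "You must use rsync-ssl with a daemon-style hostname." 1>&2`. Note also that `case "$@"` matches against all arguments joined together, so `*::*` is satisfied by any argument containing `::`, not only the host spec. That is fine as a sanity check but worth a comment saying it is not validation.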
--- /dev/null
+#!/bin/bash
+# This must be called as:
+#
+# stunnel-rsync HOSTNAME rsync --server --daemon .
+#
+# ... which is typically done via the rsync-ssl script, which results in something like this:
+#
+# rsync --rsh=stunnel-rsync -aiv HOSTNAME::module ...
+#
+# This SSL setup based on the files by: http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that this requires at least version 4.x of stunnel.
+
+# The current environment can override using the RSYNC_SSL_* values:
+if [ x"$RSYNC_SSL_CERT" = x ]; then
+ cert=""
+else
+ cert="cert = $RSYNC_SSL_CERT"
+fi
+if [ x"$RSYNC_SSL_CA_CERT" ]; then
+ cafile=""
+ verify=0
+else
+ cafile="CAfile = $RSYNC_SSL_CA_CERT"
+ verify=3
+fi
+port=${RSYNC_SSL_PORT:-874}
+
+# If the user specified USER@HOSTNAME::module, then rsync passes us
+# the -l USER option too, so we must be prepared to ignore it.
+if [ x"$1" = x"-l" ]; then
+ shift 2
+fi
+
+hostname=$1
+shift
+
+if [ x"$hostname" = x -o x"$1" != x"rsync" -o x"$2" != x"--server" -o x"$3" != x"--daemon" ]; then
+ echo "Usage: stunnel-rsync HOSTNAME rsync --server --daemon ." 1>&2
+ exit 1
+fi
+
+# devzero@web.de came up with this no-tmpfile calling syntax:
+@stunnel4@ -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$cert
+$cafile
+EOF
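Review bot: The test `if [ x"$RSYNC_SSL_CA_CERT" ]; then` is always true because the string always contains at least the `x`. The script therefore always takes the `cafile=""`, `verify=0` branch and never checks the server certificate, even when the user sets `RSYNC_SSL_CA_CERT`. It should mirror the cert test above: `if [ x"$RSYNC_SSL_CA_CERT" = x ]; then`. Even with that fixed, the default when no CA is given is `verify = 0`, which gives encryption without server authentication, so the header comment should say that `RSYNC_SSL_CA_CERT` must be set to detect an impersonated server. `$hostname` and `$port` are interpolated into the generated stunnel config unchecked; rejecting values containing whitespace or newlines before the here-document would keep them from adding config lines.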
--- /dev/null
+# This config for stunnel will start up rsync for an incoming ssl connection.
+foreground = no
+#output = /var/log/stunnel-rsyncd.log
+pid = /var/run/stunnel-rsyncd.pid
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+compression = rle
+# This must be root for rsync to use chroot -- rsync will drop permissions:
+setuid = root
+setgid = root
+
+[rsync]
+accept = 874
+# You can set the cert to a combo *.pem file and omit the key, if you like.
+cert = /etc/rsync-ssl/certs/server.crt
+key = /etc/rsync-ssl/certs/server.key
+client = no
+
+# To allow anyone to try an ssl connection, use this:
+verify = 0
+CAfile = /etc/ssl/ca-bundle.pem
+
+# To allow only cert-authorized clients, use something like this instead of the above:
+#verify = 3
+#CAfile = /etc/rsync-ssl/certs/allowed-clients.cert.pem
+
+exec = @bindir@/rsync
+# You can either share the same config as a normal daemon, or specify a separate config:
+execargs = rsync --server --daemon
+#execargs = rsync --server --daemon --config=/etc/rsync-ssl/rsyncd.conf
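Review bot: The active default `verify = 0` accepts any TLS client while the global section keeps `setuid = root`, so every unauthenticated peer reaches an rsync process that starts as root. The comment "rsync will drop permissions" depends on settings in rsyncd.conf that this file does not show. I would make that explicit above `verify = 0`, e.g. `# verify = 0 does no client-certificate check; access control must come from rsyncd.conf (auth users / hosts allow, uid/gid, use chroot).` The `CAfile` line next to it looks unused at this verify level and may mislead readers into thinking clients are checked against the bundle. Separately, `compression = rle` enables compression at the TLS layer, which is generally left off for encrypted channels; rsync's own `-z` covers the bandwidth case.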