
Commit 2a87d78

committed
Change the rsync-ssl helper script
The new rsh-ssl-rsync helper script (replacing stunnel-rsync) supports openssl in addition to stunnel. The RSYNC_SSL_TYPE environment variable can be set to specify which type of connection to use, and the first arg to rsync-ssl can be --type=stunnel or --type=openssl to override the env var or the default of "stunnel". The helper script now looks for stunnel4 or stunnel on the PATH at runtime instead of having configure look for it at compile time.
1 parent 3ba4db7 commit 2a87d78

8 files changed

+132
-76
lines changed

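--- a/.gitignore
+++ b/.gitignore
@@ -25,7 +25,6 @@ aclocal.m4
 /gmon.out
 /rsync
 /rsync-ssl
-/stunnel-rsync
 /stunnel-rsyncd.conf
 /shconfig
 /testdir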

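--- a/Makefile.in
+++ b/Makefile.in
@@ -63,7 +63,7 @@ CHECK_OBJS=tls.o testrun.o getgroups.o getfsdev.o t_stub.o t_unsafe.o trimslash.
 $(CC) -I. -I$(srcdir) $(CFLAGS) $(CPPFLAGS) -c $< @CC_SHOBJ_FLAG@
 @OBJ_RESTORE@
 
-all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsync stunnel-rsyncd.conf @MAKE_MAN@
+all: Makefile rsync$(EXEEXT) rsync-ssl stunnel-rsyncd.conf @MAKE_MAN@
 
 install: all
 -${MKDIR_P} ${DESTDIR}${bindir}
@@ -73,10 +73,10 @@ install: all
 if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi
 if test -f rsyncd.conf.5; then ${INSTALLMAN} -m 644 rsyncd.conf.5 ${DESTDIR}${mandir}/man5; fi
 
-install-ssl-client: rsync-ssl stunnel-rsync
+install-ssl-client: rsync-ssl
 -${MKDIR_P} ${DESTDIR}${bindir}
 ${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir}
-${INSTALLCMD} -m 755 stunnel-rsync ${DESTDIR}${bindir}
+${INSTALLCMD} -m 755 rsh-ssl-rsync ${DESTDIR}${bindir}
 
 install-ssl-daemon: stunnel-rsyncd.conf
 -${MKDIR_P} ${DESTDIR}/etc/stunnel
@@ -198,10 +198,6 @@ rsync-ssl: $(srcdir)/rsync-ssl.in Makefile
 sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/rsync-ssl.in >rsync-ssl
 @chmod +x rsync-ssl
 
-stunnel-rsync: $(srcdir)/stunnel-rsync.in Makefile
-sed 's;\@stunnel4\@;$(stunnel4);g' <$(srcdir)/stunnel-rsync.in >stunnel-rsync
-@chmod +x stunnel-rsync
-
 stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile
 sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf
 
@@ -239,7 +235,7 @@ cleantests:
 # the source directory.
 distclean: clean
 rm -f Makefile config.h config.status
-rm -f rsync-ssl stunnel-rsync stunnel-rsyncd.conf
+rm -f rsync-ssl stunnel-rsyncd.conf
 rm -f lib/dummy popt/dummy zlib/dummy
 rm -f $(srcdir)/Makefile $(srcdir)/config.h $(srcdir)/config.status
 rm -f $(srcdir)/lib/dummy $(srcdir)/popt/dummy $(srcdir)/zlib/dummy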
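Review bot: The install-ssl-client recipe in the second hunk installs `rsh-ssl-rsync` from the build directory, but nothing generates it there any more — the stunnel-rsync rule removed in the third hunk has no replacement, so the script now lives only in the source tree and an out-of-tree build where `$(srcdir)` differs from the build directory fails at install time. The neighbouring rules already qualify source files with `$(srcdir)/` (`<$(srcdir)/rsync-ssl.in`), so the line should read `${INSTALLCMD} -m 755 $(srcdir)/rsh-ssl-rsync ${DESTDIR}${bindir}`. Listing it as a prerequisite as well, `install-ssl-client: rsync-ssl $(srcdir)/rsh-ssl-rsync`, makes a missing script fail before anything is copied into `${bindir}`.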

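--- a/configure.ac
+++ b/configure.ac
@@ -974,9 +974,6 @@ AC_SUBST(BUILD_POPT)
 AC_SUBST(BUILD_ZLIB)
 AC_SUBST(MAKE_MAN)
 
-AC_PATH_PROG([STUNNEL], [stunnel], [stunnel], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
-AC_PATH_PROG([STUNNEL4], [stunnel4], [$STUNNEL], [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR/sbin])
-
 AC_CHECK_FUNCS(_acl __acl _facl __facl)
 #################################################
 # check for ACL support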

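--- a/packaging/lsb/rsync.spec
+++ b/packaging/lsb/rsync.spec
@@ -84,7 +84,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files ssl-client
 %{_prefix}/bin/rsync-ssl
-%{_prefix}/bin/stunnel-rsync
+%{_prefix}/bin/rsh-ssl-rsync
 
 %files ssl-daemon
 %config(noreplace) /etc/stunnel/rsyncd.conf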

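--- /dev/null
+++ b/rsh-ssl-rsync
@@ -0,0 +1,113 @@
+#!/bin/bash
+# This must be called as (note the trailing dot):
+#
+# rsh-ssl-rsync HOSTNAME rsync --server --daemon .
+#
+# ... which is typically done via the rsync-ssl script, which results in something like this:
+#
+# rsync --rsh=rsh-ssl-rsync -aiv HOSTNAME::module [ARGS]
+#
+# This SSL setup based on the files by: http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+# The environment can override our defaults using RSYNC_SSL_* variables
+
+if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+RSYNC_SSL_TYPE=stunnel
+fi
+
+case "$RSYNC_SSL_TYPE" in
+stunnel)
+if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+IFS_SAVE="$IFS"
+IFS=:
+for prog in stunnel4 stunnel; do
+for dir in $PATH; do
+[[ -z "$dir" ]] && dir=.
+if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+RSYNC_SSL_STUNNEL="$dir/$prog"
+break 2
+fi
+done
+done
+IFS="$IFS_SAVE"
+fi
+if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+echo "Failed to find stunnel on your path." 1>&2
+echo "Maybe export RSYNC_SSL_STUNNEL=/path or RSYNC_SSL_TYPE=openssl." 1>&2
+exit 1
+fi
+optsep=' = '
+;;
+openssl)
+optsep=' '
+;;
+*)
+echo "The RSYNC_SSL_TYPE is not set to a known type: $RSYNC_SSL_TYPE" 1>&2
+exit 1
+;;
+esac
+
+if [[ -z "$RSYNC_SSL_CERT" ]]; then
+certopt=""
+else
+certopt="cert$optsep$RSYNC_SSL_CERT"
+fi
+
+if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+# RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+# openssl:
+caopt="-verify_return_error -verify 4"
+# stunnel:
+cafile=""
+verify=0
+elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+# RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+# openssl:
+caopt="-verify 1"
+# stunnel:
+cafile=""
+verify=0
+else
+# RSYNC_SSL_CA_CERT set - use CA AND verify:
+# openssl:
+caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+# stunnel:
+cafile="CAfile = $RSYNC_SSL_CA_CERT"
+verify=3
+fi
+
+port="${RSYNC_PORT:-0}"
+if [[ "$port" == 0 ]]; then
+port="${RSYNC_SSL_PORT:-874}"
+fi
+
+# If the user specified USER@HOSTNAME::module, then rsync passes us
+# the -l USER option too, so we must be prepared to ignore it.
+if [[ "$1" == "-l" ]]; then
+shift 2
+fi
+
+hostname="$1"
+shift
+
+if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+echo "Usage: rsync-ssl-helper HOSTNAME rsync --server --daemon ." 1>&2
+exit 1
+fi
+
+if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+exec openssl s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+else
+# devzero@web.de came up with this no-tmpfile calling syntax:
+exec stunnel -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$certopt
+$cafile
+EOF
+fi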
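Review bot: The stunnel branch at the end of the file runs `exec stunnel -fd 10 ...`, ignoring the `$RSYNC_SSL_STUNNEL` value that the case statement just established by searching PATH for stunnel4 before stunnel and that the error text tells users to export; on a system that only ships `stunnel4`, or with a user-supplied path, the exec fails. That line should read `exec "$RSYNC_SSL_STUNNEL" -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-`. Separately, the RSYNC_SSL_CA_CERT-unset branch is commented "default CA set AND verify" but sets `verify=0` for stunnel, so the stunnel path performs no peer-certificate verification by default while the openssl path does (`-verify_return_error`); either make stunnel verify against the system bundle there (verify level 2 plus a CAfile/CApath line) or change the comment to say the stunnel default is unverified. Neither path checks that the presented certificate matches `$hostname` — openssl's `-verify` validates the chain only — and `-verify_hostname "$hostname"` (OpenSSL 1.1.0 and later) would close that gap for the openssl case. Finally, `$caopt $certopt` and `$hostname` are expanded unquoted on the openssl line, so a certificate path containing whitespace breaks argument splitting; at minimum `"$hostname"` should be quoted, and the usage message still says `rsync-ssl-helper` rather than the script's actual name.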

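--- a/rsync-ssl.in
+++ b/rsync-ssl.in
@@ -1,12 +1,20 @@
 #!/bin/bash
-# This script supports using stunnel to secure an rsync daemon connection.
-# Note that this requires at least version 4.x of stunnel.
+# This script supports using stunnel or openssl to secure an rsync daemon connection.
+# The first option can be --type=stunnel or --type=openssl to choose your connection
+# type (overriding any $RSYNC_SSL_TYPE default value).
+
+if [[ "$1" == --type=* ]]; then
+export RSYNC_SSL_TYPE="${1/--type=/}"
+shift
+fi
+
 case "$@" in
 *rsync://*) ;;
 *::*) ;;
 *)
-echo "You must use rsync-ssl with a daemon-style hostname." 0>&1
+echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
 exit 1
 ;;
 esac
-exec @bindir@/rsync --rsh=@bindir@/stunnel-rsync "${@}"
+
+exec @bindir@/rsync --rsh=@bindir@/rsh-ssl-rsync "${@}"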
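Review bot: `${1/--type=/}` on the new line 7 is a pattern substitution that removes the first `--type=` wherever it occurs in the argument, whereas the test on the line above only matched it as a prefix; `${1#--type=}` expresses the intent (strip the leading `--type=`) directly and is the usual idiom, so the line would read `export RSYNC_SSL_TYPE="${1#--type=}"`. The value is exported without validation here, which is acceptable because the helper's `*)` case rejects unknown types, but the header comment could say so: `# (an unknown --type value is rejected by rsh-ssl-rsync)`.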

stunnel-rsync.in

-57
This file was deleted.

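--- a/stunnel-rsyncd.conf.in
+++ b/stunnel-rsyncd.conf.in
@@ -4,7 +4,7 @@ foreground = no
 pid = /var/run/stunnel-rsyncd.pid
 socket = l:TCP_NODELAY=1
 socket = r:TCP_NODELAY=1
-compression = rle
+#compression = rle
 # This must be root for rsync to use chroot -- rsync will drop permissions:
 setuid = root
 setgid = root
@@ -18,7 +18,7 @@ client = no
 
 # To allow anyone to try an ssl connection, use this:
 verify = 0
-CAfile = /etc/ssl/ca-bundle.pem
+CAfile = /etc/ssl/certs/ca-certificates.crt
 
 # To allow only cert-authorized clients, use something like this instead of the above:
 #verify = 3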
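Review bot: The new `CAfile = /etc/ssl/certs/ca-certificates.crt` in the second hunk sits directly under `verify = 0`, so it is never consulted until an administrator raises the verify level, and the path appears to be a Debian-style bundle location that other distributions will need to edit. A one-line comment above it would prevent confusion: `# CAfile is only consulted when verify is 2 or higher; adjust the path for your distribution's CA bundle.`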
