Annotation of embedaddon/rsync/rsyncd.conf.5, revision 1.1.1.2
1.1.1.2 ! misho 1: .TH "rsyncd.conf" "5" "28 Sep 2013" "" ""
1.1 misho 2: .SH "NAME"
3: rsyncd.conf \- configuration file for rsync in daemon mode
4: .SH "SYNOPSIS"
5:
6: .PP
7: rsyncd.conf
8: .PP
9: .SH "DESCRIPTION"
10:
11: .PP
12: The rsyncd.conf file is the runtime configuration file for rsync when
13: run as an rsync daemon.
14: .PP
15: The rsyncd.conf file controls authentication, access, logging and
16: available modules.
17: .PP
18: .SH "FILE FORMAT"
19:
20: .PP
21: The file consists of modules and parameters. A module begins with the
22: name of the module in square brackets and continues until the next
23: module begins. Modules contain parameters of the form \(dq\&name = value\(dq\&.
24: .PP
25: The file is line\-based \-\- that is, each newline\-terminated line represents
26: either a comment, a module name or a parameter.
27: .PP
28: Only the first equals sign in a parameter is significant. Whitespace before
29: or after the first equals sign is discarded. Leading, trailing and internal
30: whitespace in module and parameter names is irrelevant. Leading and
31: trailing whitespace in a parameter value is discarded. Internal whitespace
32: within a parameter value is retained verbatim.
33: .PP
1.1.1.2 ! misho 34: Any line \fBbeginning\fP with a hash (#) is ignored, as are lines containing
! 35: only whitespace. (If a hash occurs after anything other than leading
! 36: whitespace, it is considered a part of the line\(cq\&s content.)
1.1 misho 37: .PP
38: Any line ending in a \e is \(dq\&continued\(dq\& on the next line in the
39: customary UNIX fashion.
40: .PP
41: The values following the equals sign in parameters are all either a string
42: (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or
43: true/false. Case is not significant in boolean values, but is preserved
44: in string values.
45: .PP
46: .SH "LAUNCHING THE RSYNC DAEMON"
47:
48: .PP
49: The rsync daemon is launched by specifying the \fB\-\-daemon\fP option to
50: rsync.
51: .PP
52: The daemon must run with root privileges if you wish to use chroot, to
53: bind to a port numbered under 1024 (as is the default 873), or to set
54: file ownership. Otherwise, it must just have permission to read and
55: write the appropriate data, log, and lock files.
56: .PP
57: You can launch it either via inetd, as a stand\-alone daemon, or from
58: an rsync client via a remote shell. If run as a stand\-alone daemon then
59: just run the command \(dq\&\fBrsync \-\-daemon\fP\(dq\& from a suitable startup script.
60: .PP
61: When run via inetd you should add a line like this to /etc/services:
62: .PP
63: .nf
64: rsync 873/tcp
65: .fi
66:
67: .PP
68: and a single line something like this to /etc/inetd.conf:
69: .PP
70: .nf
71: rsync stream tcp nowait root /usr/bin/rsync rsyncd \-\-daemon
72: .fi
73:
74: .PP
75: Replace \(dq\&/usr/bin/rsync\(dq\& with the path to where you have rsync installed on
76: your system. You will then need to send inetd a HUP signal to tell it to
77: reread its config file.
78: .PP
79: Note that you should \fBnot\fP send the rsync daemon a HUP signal to force
80: it to reread the \f(CWrsyncd.conf\fP file. The file is re\-read on each client
81: connection.
82: .PP
83: .SH "GLOBAL PARAMETERS"
84:
85: .PP
86: The first parameters in the file (before a [module] header) are the
87: global parameters.
88: .PP
89: You may also include any module parameters in the global part of the
90: config file in which case the supplied value will override the
91: default for that parameter.
92: .PP
1.1.1.2 ! misho 93: You may use references to environment variables in the values of parameters.
! 94: String parameters will have %VAR% references expanded as late as possible (when
! 95: the string is used in the program), allowing for the use of variables that
! 96: rsync sets at connection time, such as RSYNC_USER_NAME. Non\-string parameters
! 97: (such as true/false settings) are expanded when read from the config file. If
! 98: a variable does not exist in the environment, or if a sequence of characters is
! 99: not a valid reference (such as an un\-paired percent sign), the raw characters
! 100: are passed through unchanged. This helps with backward compatibility and
! 101: safety (e.g. expanding a non\-existent %VAR% to an empty string in a path could
! 102: result in a very unsafe path). The safest way to insert a literal % into a
! 103: value is to use %%.
! 104: .PP
1.1 misho 105: .IP "\fBmotd file\fP"
106: This parameter allows you to specify a
107: \(dq\&message of the day\(dq\& to display to clients on each connect. This
108: usually contains site information and any legal notices. The default
109: is no motd file.
1.1.1.2 ! misho 110: This can be overridden by the \fB\-\-dparam=motdfile=FILE\fP
! 111: command\-line option when starting the daemon.
1.1 misho 112: .IP
113: .IP "\fBpid file\fP"
114: This parameter tells the rsync daemon to write
115: its process ID to that file. If the file already exists, the rsync
116: daemon will abort rather than overwrite the file.
1.1.1.2 ! misho 117: This can be overridden by the \fB\-\-dparam=pidfile=FILE\fP
! 118: command\-line option when starting the daemon.
1.1 misho 119: .IP
120: .IP "\fBport\fP"
121: You can override the default port the daemon will listen on
122: by specifying this value (defaults to 873). This is ignored if the daemon
123: is being run by inetd, and is superseded by the \fB\-\-port\fP command\-line option.
124: .IP
125: .IP "\fBaddress\fP"
126: You can override the default IP address the daemon
127: will listen on by specifying this value. This is ignored if the daemon is
128: being run by inetd, and is superseded by the \fB\-\-address\fP command\-line option.
129: .IP
130: .IP "\fBsocket options\fP"
131: This parameter can provide endless fun for people
132: who like to tune their systems to the utmost degree. You can set all
133: sorts of socket options which may make transfers faster (or
134: slower!). Read the man page for the
135: \f(CWsetsockopt()\fP
136: system call for
137: details on some of the options you may be able to set. By default no
138: special socket options are set. These settings can also be specified
139: via the \fB\-\-sockopts\fP command\-line option.
140: .IP
1.1.1.2 ! misho 141: .IP "\fBlisten backlog\fP"
! 142: You can override the default backlog value when the
! 143: daemon listens for connections. It defaults to 5.
! 144: .IP
1.1 misho 145: .SH "MODULE PARAMETERS"
146:
147: .PP
148: After the global parameters you should define a number of modules, each
149: module exports a directory tree as a symbolic name. Modules are
150: exported by specifying a module name in square brackets [module]
151: followed by the parameters for that module.
152: The module name cannot contain a slash or a closing square bracket. If the
153: name contains whitespace, each internal sequence of whitespace will be
154: changed into a single space, while leading or trailing whitespace will be
155: discarded.
156: .PP
1.1.1.2 ! misho 157: As with GLOBAL PARAMETERS, you may use references to environment variables in
! 158: the values of parameters. See the GLOBAL PARAMETERS section for more details.
! 159: .PP
1.1 misho 160: .IP "\fBcomment\fP"
161: This parameter specifies a description string
162: that is displayed next to the module name when clients obtain a list
163: of available modules. The default is no comment.
164: .IP
165: .IP "\fBpath\fP"
166: This parameter specifies the directory in the daemon\(cq\&s
167: filesystem to make available in this module. You must specify this parameter
168: for each module in \f(CWrsyncd.conf\fP.
169: .IP
1.1.1.2 ! misho 170: You may base the path\(cq\&s value off of an environment variable by surrounding
! 171: the variable name with percent signs. You can even reference a variable
! 172: that is set by rsync when the user connects.
! 173: For example, this would use the authorizing user\(cq\&s name in the path:
! 174: .IP
! 175: .nf
! 176: path = /home/%RSYNC_USER_NAME%
! 177: .fi
! 178:
! 179: .IP
1.1 misho 180: It is fine if the path includes internal spaces \-\- they will be retained
181: verbatim (which means that you shouldn\(cq\&t try to escape them). If your final
182: directory has a trailing space (and this is somehow not something you wish to
183: fix), append a trailing slash to the path to avoid losing the trailing
184: whitespace.
185: .IP
186: .IP "\fBuse chroot\fP"
187: If \(dq\&use chroot\(dq\& is true, the rsync daemon will chroot
188: to the \(dq\&path\(dq\& before starting the file transfer with the client. This has
189: the advantage of extra protection against possible implementation security
190: holes, but it has the disadvantages of requiring super\-user privileges,
191: of not being able to follow symbolic links that are either absolute or outside
192: of the new root path, and of complicating the preservation of users and groups
193: by name (see below).
194: .IP
195: As an additional safety feature, you can specify a dot\-dir in the module\(cq\&s
196: \(dq\&path\(dq\& to indicate the point where the chroot should occur. This allows rsync
197: to run in a chroot with a non\-\(dq\&/\(dq\& path for the top of the transfer hierarchy.
198: Doing this guards against unintended library loading (since those absolute
199: paths will not be inside the transfer hierarchy unless you have used an unwise
200: pathname), and lets you setup libraries for the chroot that are outside of the
201: transfer. For example, specifying \(dq\&/var/rsync/./module1\(dq\& will chroot to the
202: \(dq\&/var/rsync\(dq\& directory and set the inside\-chroot path to \(dq\&/module1\(dq\&. If you
203: had omitted the dot\-dir, the chroot would have used the whole path, and the
204: inside\-chroot path would have been \(dq\&/\(dq\&.
205: .IP
206: When \(dq\&use chroot\(dq\& is false or the inside\-chroot path is not \(dq\&/\(dq\&, rsync will:
207: (1) munge symlinks by
208: default for security reasons (see \(dq\&munge symlinks\(dq\& for a way to turn this
209: off, but only if you trust your users), (2) substitute leading slashes in
210: absolute paths with the module\(cq\&s path (so that options such as
211: \fB\-\-backup\-dir\fP, \fB\-\-compare\-dest\fP, etc. interpret an absolute path as
212: rooted in the module\(cq\&s \(dq\&path\(dq\& dir), and (3) trim \(dq\&..\(dq\& path elements from
213: args if rsync believes they would escape the module hierarchy.
214: The default for \(dq\&use chroot\(dq\& is true, and is the safer choice (especially
215: if the module is not read\-only).
216: .IP
217: When this parameter is enabled, rsync will not attempt to map users and groups
218: by name (by default), but instead copy IDs as though \fB\-\-numeric\-ids\fP had
219: been specified. In order to enable name\-mapping, rsync needs to be able to
220: use the standard library functions for looking up names and IDs (i.e.
221: \f(CWgetpwuid()\fP
222: ,
223: \f(CWgetgrgid()\fP
224: ,
225: \f(CWgetpwname()\fP
226: , and
227: \f(CWgetgrnam()\fP
228: ).
229: This means the rsync
230: process in the chroot hierarchy will need to have access to the resources
231: used by these library functions (traditionally /etc/passwd and
232: /etc/group, but perhaps additional dynamic libraries as well).
233: .IP
234: If you copy the necessary resources into the module\(cq\&s chroot area, you
235: should protect them through your OS\(cq\&s normal user/group or ACL settings (to
236: prevent the rsync module\(cq\&s user from being able to change them), and then
237: hide them from the user\(cq\&s view via \(dq\&exclude\(dq\& (see how in the discussion of
238: that parameter). At that point it will be safe to enable the mapping of users
239: and groups by name using the \(dq\&numeric ids\(dq\& daemon parameter (see below).
240: .IP
241: Note also that you are free to setup custom user/group information in the
242: chroot area that is different from your normal system. For example, you
243: could abbreviate the list of users and groups.
244: .IP
245: .IP "\fBnumeric ids\fP"
246: Enabling this parameter disables the mapping
247: of users and groups by name for the current daemon module. This prevents
248: the daemon from trying to load any user/group\-related files or libraries.
249: This enabling makes the transfer behave as if the client had passed
250: the \fB\-\-numeric\-ids\fP command\-line option. By default, this parameter is
251: enabled for chroot modules and disabled for non\-chroot modules.
252: .IP
253: A chroot\-enabled module should not have this parameter enabled unless you\(cq\&ve
254: taken steps to ensure that the module has the necessary resources it needs
255: to translate names, and that it is not possible for a user to change those
256: resources.
257: .IP
258: .IP "\fBmunge symlinks\fP"
259: This parameter tells rsync to modify
1.1.1.2 ! misho 260: all symlinks in the same way as the (non\-daemon\-affecting)
! 261: \fB\-\-munge\-links\fP command\-line option (using a method described below).
! 262: This should help protect your files from user trickery when
1.1 misho 263: your daemon module is writable. The default is disabled when \(dq\&use chroot\(dq\&
264: is on and the inside\-chroot path is \(dq\&/\(dq\&, otherwise it is enabled.
265: .IP
266: If you disable this parameter on a daemon that is not read\-only, there
267: are tricks that a user can play with uploaded symlinks to access
268: daemon\-excluded items (if your module has any), and, if \(dq\&use chroot\(dq\&
269: is off, rsync can even be tricked into showing or changing data that
270: is outside the module\(cq\&s path (as access\-permissions allow).
271: .IP
272: The way rsync disables the use of symlinks is to prefix each one with
273: the string \(dq\&/rsyncd\-munged/\(dq\&. This prevents the links from being used
274: as long as that directory does not exist. When this parameter is enabled,
275: rsync will refuse to run if that path is a directory or a symlink to
276: a directory. When using the \(dq\&munge symlinks\(dq\& parameter in a chroot area
277: that has an inside\-chroot path of \(dq\&/\(dq\&, you should add \(dq\&/rsyncd\-munged/\(dq\&
278: to the exclude setting for the module so that
279: a user can\(cq\&t try to create it.
280: .IP
281: Note: rsync makes no attempt to verify that any pre\-existing symlinks in
282: the module\(cq\&s hierarchy are as safe as you want them to be (unless, of
283: course, it just copied in the whole hierarchy). If you setup an rsync
284: daemon on a new area or locally add symlinks, you can manually protect your
285: symlinks from being abused by prefixing \(dq\&/rsyncd\-munged/\(dq\& to the start of
286: every symlink\(cq\&s value. There is a perl script in the support directory
287: of the source code named \(dq\&munge\-symlinks\(dq\& that can be used to add or remove
288: this prefix from your symlinks.
289: .IP
290: When this parameter is disabled on a writable module and \(dq\&use chroot\(dq\& is off
291: (or the inside\-chroot path is not \(dq\&/\(dq\&),
292: incoming symlinks will be modified to drop a leading slash and to remove \(dq\&..\(dq\&
293: path elements that rsync believes will allow a symlink to escape the module\(cq\&s
294: hierarchy. There are tricky ways to work around this, though, so you had
295: better trust your users if you choose this combination of parameters.
296: .IP
297: .IP "\fBcharset\fP"
298: This specifies the name of the character set in which the
299: module\(cq\&s filenames are stored. If the client uses an \fB\-\-iconv\fP option,
300: the daemon will use the value of the \(dq\&charset\(dq\& parameter regardless of the
301: character set the client actually passed. This allows the daemon to
302: support charset conversion in a chroot module without extra files in the
303: chroot area, and also ensures that name\-translation is done in a consistent
304: manner. If the \(dq\&charset\(dq\& parameter is not set, the \fB\-\-iconv\fP option is
305: refused, just as if \(dq\&iconv\(dq\& had been specified via \(dq\&refuse options\(dq\&.
306: .IP
307: If you wish to force users to always use \fB\-\-iconv\fP for a particular
308: module, add \(dq\&no\-iconv\(dq\& to the \(dq\&refuse options\(dq\& parameter. Keep in mind
309: that this will restrict access to your module to very new rsync clients.
310: .IP
311: .IP "\fBmax connections\fP"
312: This parameter allows you to
313: specify the maximum number of simultaneous connections you will allow.
314: Any clients connecting when the maximum has been reached will receive a
315: message telling them to try later. The default is 0, which means no limit.
316: A negative value disables the module.
317: See also the \(dq\&lock file\(dq\& parameter.
318: .IP
319: .IP "\fBlog file\fP"
320: When the \(dq\&log file\(dq\& parameter is set to a non\-empty
321: string, the rsync daemon will log messages to the indicated file rather
322: than using syslog. This is particularly useful on systems (such as AIX)
323: where
324: \f(CWsyslog()\fP
325: doesn\(cq\&t work for chrooted programs. The file is
326: opened before
327: \f(CWchroot()\fP
328: is called, allowing it to be placed outside
329: the transfer. If this value is set on a per\-module basis instead of
330: globally, the global log will still contain any authorization failures
331: or config\-file error messages.
332: .IP
333: If the daemon fails to open the specified file, it will fall back to
334: using syslog and output an error about the failure. (Note that the
335: failure to open the specified log file used to be a fatal error.)
336: .IP
1.1.1.2 ! misho 337: This setting can be overridden by using the \fB\-\-log\-file=FILE\fP or
! 338: \fB\-\-dparam=logfile=FILE\fP command\-line options. The former overrides
! 339: all the log\-file parameters of the daemon and all module settings.
! 340: The latter sets the daemon\(cq\&s log file and the default for all the
! 341: modules, which still allows modules to override the default setting.
! 342: .IP
1.1 misho 343: .IP "\fBsyslog facility\fP"
344: This parameter allows you to
345: specify the syslog facility name to use when logging messages from the
346: rsync daemon. You may use any standard syslog facility name which is
347: defined on your system. Common names are auth, authpriv, cron, daemon,
348: ftp, kern, lpr, mail, news, security, syslog, user, uucp, local0,
349: local1, local2, local3, local4, local5, local6 and local7. The default
350: is daemon. This setting has no effect if the \(dq\&log file\(dq\& setting is a
351: non\-empty string (either set in the per\-modules settings, or inherited
352: from the global settings).
353: .IP
354: .IP "\fBmax verbosity\fP"
355: This parameter allows you to control
356: the maximum amount of verbose information that you\(cq\&ll allow the daemon to
357: generate (since the information goes into the log file). The default is 1,
358: which allows the client to request one level of verbosity.
359: .IP
360: .IP "\fBlock file\fP"
361: This parameter specifies the file to use to
362: support the \(dq\&max connections\(dq\& parameter. The rsync daemon uses record
363: locking on this file to ensure that the max connections limit is not
364: exceeded for the modules sharing the lock file.
365: The default is \f(CW/var/run/rsyncd.lock\fP.
366: .IP
367: .IP "\fBread only\fP"
368: This parameter determines whether clients
369: will be able to upload files or not. If \(dq\&read only\(dq\& is true then any
370: attempted uploads will fail. If \(dq\&read only\(dq\& is false then uploads will
371: be possible if file permissions on the daemon side allow them. The default
372: is for all modules to be read only.
373: .IP
1.1.1.2 ! misho 374: Note that \(dq\&auth users\(dq\& can override this setting on a per\-user basis.
! 375: .IP
1.1 misho 376: .IP "\fBwrite only\fP"
377: This parameter determines whether clients
378: will be able to download files or not. If \(dq\&write only\(dq\& is true then any
379: attempted downloads will fail. If \(dq\&write only\(dq\& is false then downloads
380: will be possible if file permissions on the daemon side allow them. The
381: default is for this parameter to be disabled.
382: .IP
383: .IP "\fBlist\fP"
1.1.1.2 ! misho 384: This parameter determines whether this module is
! 385: listed when the client asks for a listing of available modules. In addition,
! 386: if this is false, the daemon will pretend the module does not exist
! 387: when a client denied by \(dq\&hosts allow\(dq\& or \(dq\&hosts deny\(dq\& attempts to access it.
! 388: Realize that if \(dq\&reverse lookup\(dq\& is disabled globally but enabled for the
! 389: module, the resulting reverse lookup to a potentially client\-controlled DNS
! 390: server may still reveal to the client that it hit an existing module.
! 391: The default is for modules to be listable.
1.1 misho 392: .IP
393: .IP "\fBuid\fP"
394: This parameter specifies the user name or user ID that
395: file transfers to and from that module should take place as when the daemon
396: was run as root. In combination with the \(dq\&gid\(dq\& parameter this determines what
1.1.1.2 ! misho 397: file permissions are available. The default when run by a super\-user is to
! 398: switch to the system\(cq\&s \(dq\&nobody\(dq\& user. The default for a non\-super\-user is to
! 399: not try to change the user. See also the \(dq\&gid\(dq\& parameter.
! 400: .IP
! 401: The RSYNC_USER_NAME environment variable may be used to request that rsync run
! 402: as the authorizing user. For example, if you want a rsync to run as the same
! 403: user that was received for the rsync authentication, this setup is useful:
! 404: .IP
! 405: .nf
! 406: uid = %RSYNC_USER_NAME%
! 407: gid = *
! 408: .fi
! 409:
1.1 misho 410: .IP
411: .IP "\fBgid\fP"
1.1.1.2 ! misho 412: This parameter specifies one or more group names/IDs that will be
! 413: used when accessing the module. The first one will be the default group, and
! 414: any extra ones be set as supplemental groups. You may also specify a \(dq\&*\(dq\& as
! 415: the first gid in the list, which will be replaced by all the normal groups for
! 416: the transfer\(cq\&s user (see \(dq\&uid\(dq\&). The default when run by a super\-user is to
! 417: switch to your OS\(cq\&s \(dq\&nobody\(dq\& (or perhaps \(dq\&nogroup\(dq\&) group with no other
! 418: supplementary groups. The default for a non\-super\-user is to not change any
! 419: group attributes (and indeed, your OS may not allow a non\-super\-user to try to
! 420: change their group settings).
1.1 misho 421: .IP
422: .IP "\fBfake super\fP"
423: Setting \(dq\&fake super = yes\(dq\& for a module causes the
424: daemon side to behave as if the \fB\-\-fake\-super\fP command\-line option had
425: been specified. This allows the full attributes of a file to be stored
426: without having to have the daemon actually running as root.
427: .IP
428: .IP "\fBfilter\fP"
429: The daemon has its own filter chain that determines what files
430: it will let the client access. This chain is not sent to the client and is
431: independent of any filters the client may have specified. Files excluded by
432: the daemon filter chain (\fBdaemon\-excluded\fP files) are treated as non\-existent
433: if the client tries to pull them, are skipped with an error message if the
434: client tries to push them (triggering exit code 23), and are never deleted from
435: the module. You can use daemon filters to prevent clients from downloading or
436: tampering with private administrative files, such as files you may add to
437: support uid/gid name translations.
438: .IP
439: The daemon filter chain is built from the \(dq\&filter\(dq\&, \(dq\&include from\(dq\&, \(dq\&include\(dq\&,
440: \(dq\&exclude from\(dq\&, and \(dq\&exclude\(dq\& parameters, in that order of priority. Anchored
441: patterns are anchored at the root of the module. To prevent access to an
442: entire subtree, for example, \(dq\&/secret\(dq\&, you \fImust\fP exclude everything in the
443: subtree; the easiest way to do this is with a triple\-star pattern like
444: \(dq\&/secret/***\(dq\&.
445: .IP
446: The \(dq\&filter\(dq\& parameter takes a space\-separated list of daemon filter rules,
447: though it is smart enough to know not to split a token at an internal space in
448: a rule (e.g. \(dq\&\- /foo \- /bar\(dq\& is parsed as two rules). You may specify one or
449: more merge\-file rules using the normal syntax. Only one \(dq\&filter\(dq\& parameter can
450: apply to a given module in the config file, so put all the rules you want in a
451: single parameter. Note that per\-directory merge\-file rules do not provide as
452: much protection as global rules, but they can be used to make \fB\-\-delete\fP work
453: better during a client download operation if the per\-dir merge files are
454: included in the transfer and the client requests that they be used.
455: .IP
456: .IP "\fBexclude\fP"
457: This parameter takes a space\-separated list of daemon
458: exclude patterns. As with the client \fB\-\-exclude\fP option, patterns can be
459: qualified with \(dq\&\- \(dq\& or \(dq\&+ \(dq\& to explicitly indicate exclude/include. Only one
460: \(dq\&exclude\(dq\& parameter can apply to a given module. See the \(dq\&filter\(dq\& parameter
461: for a description of how excluded files affect the daemon.
462: .IP
463: .IP "\fBinclude\fP"
464: Use an \(dq\&include\(dq\& to override the effects of the \(dq\&exclude\(dq\&
465: parameter. Only one \(dq\&include\(dq\& parameter can apply to a given module. See the
466: \(dq\&filter\(dq\& parameter for a description of how excluded files affect the daemon.
467: .IP
468: .IP "\fBexclude from\fP"
469: This parameter specifies the name of a file
470: on the daemon that contains daemon exclude patterns, one per line. Only one
471: \(dq\&exclude from\(dq\& parameter can apply to a given module; if you have multiple
472: exclude\-from files, you can specify them as a merge file in the \(dq\&filter\(dq\&
473: parameter. See the \(dq\&filter\(dq\& parameter for a description of how excluded files
474: affect the daemon.
475: .IP
476: .IP "\fBinclude from\fP"
477: Analogue of \(dq\&exclude from\(dq\& for a file of daemon include
478: patterns. Only one \(dq\&include from\(dq\& parameter can apply to a given module. See
479: the \(dq\&filter\(dq\& parameter for a description of how excluded files affect the
480: daemon.
481: .IP
482: .IP "\fBincoming chmod\fP"
483: This parameter allows you to specify a set of
484: comma\-separated chmod strings that will affect the permissions of all
485: incoming files (files that are being received by the daemon). These
486: changes happen after all other permission calculations, and this will
487: even override destination\-default and/or existing permissions when the
488: client does not specify \fB\-\-perms\fP.
489: See the description of the \fB\-\-chmod\fP rsync option and the \fBchmod\fP(1)
490: manpage for information on the format of this string.
491: .IP
492: .IP "\fBoutgoing chmod\fP"
493: This parameter allows you to specify a set of
494: comma\-separated chmod strings that will affect the permissions of all
495: outgoing files (files that are being sent out from the daemon). These
496: changes happen first, making the sent permissions appear to be different
497: than those stored in the filesystem itself. For instance, you could
498: disable group write permissions on the server while having it appear to
499: be on to the clients.
500: See the description of the \fB\-\-chmod\fP rsync option and the \fBchmod\fP(1)
501: manpage for information on the format of this string.
502: .IP
503: .IP "\fBauth users\fP"
1.1.1.2 ! misho 504: This parameter specifies a comma and/or space\-separated
! 505: list of authorization rules. In its simplest form, you list the usernames
! 506: that will be allowed to connect to
1.1 misho 507: this module. The usernames do not need to exist on the local
1.1.1.2 ! misho 508: system. The rules may contain shell wildcard characters that will be matched
! 509: against the username provided by the client for authentication. If
1.1 misho 510: \(dq\&auth users\(dq\& is set then the client will be challenged to supply a
511: username and password to connect to the module. A challenge response
512: authentication protocol is used for this exchange. The plain text
513: usernames and passwords are stored in the file specified by the
514: \(dq\&secrets file\(dq\& parameter. The default is for all users to be able to
515: connect without a password (this is called \(dq\&anonymous rsync\(dq\&).
516: .IP
1.1.1.2 ! misho 517: In addition to username matching, you can specify groupname matching via a \(cq\&@\(cq\&
! 518: prefix. When using groupname matching, the authenticating username must be a
! 519: real user on the system, or it will be assumed to be a member of no groups.
! 520: For example, specifying \(dq\&@rsync\(dq\& will match the authenticating user if the
! 521: named user is a member of the rsync group.
! 522: .IP
! 523: Finally, options may be specified after a colon (:). The options allow you to
! 524: \(dq\&deny\(dq\& a user or a group, set the access to \(dq\&ro\(dq\& (read\-only), or set the access
! 525: to \(dq\&rw\(dq\& (read/write). Setting an auth\-rule\-specific ro/rw setting overrides
! 526: the module\(cq\&s \(dq\&read only\(dq\& setting.
! 527: .IP
! 528: Be sure to put the rules in the order you want them to be matched, because the
! 529: checking stops at the first matching user or group, and that is the only auth
! 530: that is checked. For example:
! 531: .IP
! 532: .nf
! 533: auth users = joe:deny @guest:deny admin:rw @rsync:ro susan joe sam
! 534: .fi
! 535:
! 536: .IP
! 537: In the above rule, user joe will be denied access no matter what. Any user
! 538: that is in the group \(dq\&guest\(dq\& is also denied access. The user \(dq\&admin\(dq\& gets
! 539: access in read/write mode, but only if the admin user is not in group \(dq\&guest\(dq\&
! 540: (because the admin user\-matching rule would never be reached if the user is in
! 541: group \(dq\&guest\(dq\&). Any other user who is in group \(dq\&rsync\(dq\& will get read\-only
! 542: access. Finally, users susan, joe, and sam get the ro/rw setting of the
! 543: module, but only if the user didn\(cq\&t match an earlier group\-matching rule.
! 544: .IP
! 545: See the description of the secrets file for how you can have per\-user passwords
! 546: as well as per\-group passwords. It also explains how a user can authenticate
! 547: using their user password or (when applicable) a group password, depending on
! 548: what rule is being authenticated.
! 549: .IP
1.1 misho 550: See also the section entitled \(dq\&USING RSYNC\-DAEMON FEATURES VIA A REMOTE
551: SHELL CONNECTION\(dq\& in \fBrsync\fP(1) for information on how handle an
552: rsyncd.conf\-level username that differs from the remote\-shell\-level
553: username when using a remote shell to connect to an rsync daemon.
554: .IP
555: .IP "\fBsecrets file\fP"
1.1.1.2 ! misho 556: This parameter specifies the name of a file that contains
! 557: the username:password and/or @groupname:password pairs used for authenticating
! 558: this module. This file is only consulted if the \(dq\&auth users\(dq\& parameter is
! 559: specified. The file is line\-based and contains one name:password pair per
! 560: line. Any line has a hash (#) as the very first character on the line is
! 561: considered a comment and is skipped. The passwords can contain any characters
! 562: but be warned that many operating systems limit the length of passwords that
! 563: can be typed at the client end, so you may find that passwords longer than 8
! 564: characters don\(cq\&t work.
! 565: .IP
! 566: The use of group\-specific lines are only relevant when the module is being
! 567: authorized using a matching \(dq\&@groupname\(dq\& rule. When that happens, the user
! 568: can be authorized via either their \(dq\&username:password\(dq\& line or the
! 569: \(dq\&@groupname:password\(dq\& line for the group that triggered the authentication.
! 570: .IP
! 571: It is up to you what kind of password entries you want to include, either
! 572: users, groups, or both. The use of group rules in \(dq\&auth users\(dq\& does not
! 573: require that you specify a group password if you do not want to use shared
! 574: passwords.
1.1 misho 575: .IP
576: There is no default for the \(dq\&secrets file\(dq\& parameter, you must choose a name
577: (such as \f(CW/etc/rsyncd.secrets\fP). The file must normally not be readable
1.1.1.2 ! misho 578: by \(dq\&other\(dq\&; see \(dq\&strict modes\(dq\&. If the file is not found or is rejected, no
! 579: logins for a \(dq\&user auth\(dq\& module will be possible.
1.1 misho 580: .IP
581: .IP "\fBstrict modes\fP"
582: This parameter determines whether or not
583: the permissions on the secrets file will be checked. If \(dq\&strict modes\(dq\& is
584: true, then the secrets file must not be readable by any user ID other
585: than the one that the rsync daemon is running under. If \(dq\&strict modes\(dq\& is
586: false, the check is not performed. The default is true. This parameter
587: was added to accommodate rsync running on the Windows operating system.
588: .IP
589: .IP "\fBhosts allow\fP"
590: This parameter allows you to specify a
591: list of patterns that are matched against a connecting clients
592: hostname and IP address. If none of the patterns match then the
593: connection is rejected.
594: .IP
595: Each pattern can be in one of five forms:
596: .IP
597: .RS
598: .IP o
599: a dotted decimal IPv4 address of the form a.b.c.d, or an IPv6 address
600: of the form a:b:c::d:e:f. In this case the incoming machine\(cq\&s IP address
601: must match exactly.
602: .IP o
603: an address/mask in the form ipaddr/n where ipaddr is the IP address
604: and n is the number of one bits in the netmask. All IP addresses which
605: match the masked IP address will be allowed in.
606: .IP o
607: an address/mask in the form ipaddr/maskaddr where ipaddr is the
608: IP address and maskaddr is the netmask in dotted decimal notation for IPv4,
609: or similar for IPv6, e.g. ffff:ffff:ffff:ffff:: instead of /64. All IP
610: addresses which match the masked IP address will be allowed in.
611: .IP o
1.1.1.2 ! misho 612: a hostname pattern using wildcards. If the hostname of the connecting IP
! 613: (as determined by a reverse lookup) matches the wildcarded name (using the
! 614: same rules as normal unix filename matching), the client is allowed in. This
! 615: only works if \(dq\&reverse lookup\(dq\& is enabled (the default).
! 616: .IP o
! 617: a hostname. A plain hostname is matched against the reverse DNS of the
! 618: connecting IP (if \(dq\&reverse lookup\(dq\& is enabled), and/or the IP of the given
! 619: hostname is matched against the connecting IP (if \(dq\&forward lookup\(dq\& is
! 620: enabled, as it is by default). Any match will be allowed in.
1.1 misho 621: .RE
622:
623: .IP
624: Note IPv6 link\-local addresses can have a scope in the address specification:
625: .IP
626: .RS
627: \f(CW fe80::1%link1\fP
628: .br
629: \f(CW fe80::%link1/64\fP
630: .br
631: \f(CW fe80::%link1/ffff:ffff:ffff:ffff::\fP
632: .br
633: .RE
634:
635: .IP
636: You can also combine \(dq\&hosts allow\(dq\& with a separate \(dq\&hosts deny\(dq\&
637: parameter. If both parameters are specified then the \(dq\&hosts allow\(dq\& parameter is
638: checked first and a match results in the client being able to
639: connect. The \(dq\&hosts deny\(dq\& parameter is then checked and a match means
640: that the host is rejected. If the host does not match either the
641: \(dq\&hosts allow\(dq\& or the \(dq\&hosts deny\(dq\& patterns then it is allowed to
642: connect.
643: .IP
644: The default is no \(dq\&hosts allow\(dq\& parameter, which means all hosts can connect.
645: .IP
646: .IP "\fBhosts deny\fP"
647: This parameter allows you to specify a
648: list of patterns that are matched against a connecting clients
649: hostname and IP address. If the pattern matches then the connection is
650: rejected. See the \(dq\&hosts allow\(dq\& parameter for more information.
651: .IP
652: The default is no \(dq\&hosts deny\(dq\& parameter, which means all hosts can connect.
653: .IP
1.1.1.2 ! misho 654: .IP "\fBreverse lookup\fP"
! 655: Controls whether the daemon performs a reverse lookup
! 656: on the client\(cq\&s IP address to determine its hostname, which is used for
! 657: \(dq\&hosts allow\(dq\&/\(dq\&hosts deny\(dq\& checks and the \(dq\&%h\(dq\& log escape. This is enabled by
! 658: default, but you may wish to disable it to save time if you know the lookup will
! 659: not return a useful result, in which case the daemon will use the name
! 660: \(dq\&UNDETERMINED\(dq\& instead.
! 661: .IP
! 662: If this parameter is enabled globally (even by default), rsync performs the
! 663: lookup as soon as a client connects, so disabling it for a module will not
! 664: avoid the lookup. Thus, you probably want to disable it globally and then
! 665: enable it for modules that need the information.
! 666: .IP
! 667: .IP "\fBforward lookup\fP"
! 668: Controls whether the daemon performs a forward lookup
! 669: on any hostname specified in an hosts allow/deny setting. By default this is
! 670: enabled, allowing the use of an explicit hostname that would not be returned
! 671: by reverse DNS of the connecting IP.
! 672: .IP
1.1 misho 673: .IP "\fBignore errors\fP"
674: This parameter tells rsyncd to
675: ignore I/O errors on the daemon when deciding whether to run the delete
676: phase of the transfer. Normally rsync skips the \fB\-\-delete\fP step if any
677: I/O errors have occurred in order to prevent disastrous deletion due
678: to a temporary resource shortage or other I/O error. In some cases this
679: test is counter productive so you can use this parameter to turn off this
680: behavior.
681: .IP
682: .IP "\fBignore nonreadable\fP"
683: This tells the rsync daemon to completely
684: ignore files that are not readable by the user. This is useful for
685: public archives that may have some non\-readable files among the
686: directories, and the sysadmin doesn\(cq\&t want those files to be seen at all.
687: .IP
688: .IP "\fBtransfer logging\fP"
689: This parameter enables per\-file
690: logging of downloads and uploads in a format somewhat similar to that
691: used by ftp daemons. The daemon always logs the transfer at the end, so
692: if a transfer is aborted, no mention will be made in the log file.
693: .IP
694: If you want to customize the log lines, see the \(dq\&log format\(dq\& parameter.
695: .IP
696: .IP "\fBlog format\fP"
697: This parameter allows you to specify the
698: format used for logging file transfers when transfer logging is enabled.
699: The format is a text string containing embedded single\-character escape
700: sequences prefixed with a percent (%) character. An optional numeric
701: field width may also be specified between the percent and the escape
702: letter (e.g. \(dq\&\fB%\-50n %8l %07p\fP\(dq\&).
1.1.1.2 ! misho 703: In addition, one or more apostrophes may be specified prior to a numerical
! 704: escape to indicate that the numerical value should be made more human\-readable.
! 705: The 3 supported levels are the same as for the \fB\-\-human\-readable\fP
! 706: command\-line option, though the default is for human\-readability to be off.
! 707: Each added apostrophe increases the level (e.g. \(dq\&\fB%'\&'\&l %'\&b %f\fP\(dq\&).
1.1 misho 708: .IP
709: The default log format is \(dq\&%o %h [%a] %m (%u) %f %l\(dq\&, and a \(dq\&%t [%p] \(dq\&
710: is always prefixed when using the \(dq\&log file\(dq\& parameter.
711: (A perl script that will summarize this default log format is included
712: in the rsync source code distribution in the \(dq\&support\(dq\& subdirectory:
713: rsyncstats.)
714: .IP
715: The single\-character escapes that are understood are as follows:
716: .IP
717: .RS
718: .IP o
1.1.1.2 ! misho 719: %a the remote IP address (only available for a daemon)
1.1 misho 720: .IP o
721: %b the number of bytes actually transferred
722: .IP o
723: %B the permission bits of the file (e.g. rwxrwxrwt)
724: .IP o
725: %c the total size of the block checksums received for the basis file (only when sending)
726: .IP o
1.1.1.2 ! misho 727: %C the full\-file MD5 checksum if \fB\-\-checksum\fP is enabled or a file was transferred (only for protocol 30 or above).
! 728: .IP o
1.1 misho 729: %f the filename (long form on sender; no trailing \(dq\&/\(dq\&)
730: .IP o
731: %G the gid of the file (decimal) or \(dq\&DEFAULT\(dq\&
732: .IP o
1.1.1.2 ! misho 733: %h the remote host name (only available for a daemon)
1.1 misho 734: .IP o
735: %i an itemized list of what is being updated
736: .IP o
737: %l the length of the file in bytes
738: .IP o
739: %L the string \(dq\& \-> SYMLINK\(dq\&, \(dq\& => HARDLINK\(dq\&, or \(dq\&\(dq\& (where \fBSYMLINK\fP or \fBHARDLINK\fP is a filename)
740: .IP o
741: %m the module name
742: .IP o
743: %M the last\-modified time of the file
744: .IP o
745: %n the filename (short form; trailing \(dq\&/\(dq\& on dir)
746: .IP o
747: %o the operation, which is \(dq\&send\(dq\&, \(dq\&recv\(dq\&, or \(dq\&del.\(dq\& (the latter includes the trailing period)
748: .IP o
749: %p the process ID of this rsync session
750: .IP o
751: %P the module path
752: .IP o
753: %t the current date time
754: .IP o
755: %u the authenticated username or an empty string
756: .IP o
757: %U the uid of the file (decimal)
758: .RE
759:
760: .IP
761: For a list of what the characters mean that are output by \(dq\&%i\(dq\&, see the
762: \fB\-\-itemize\-changes\fP option in the rsync manpage.
763: .IP
764: Note that some of the logged output changes when talking with older
765: rsync versions. For instance, deleted files were only output as verbose
766: messages prior to rsync 2.6.4.
767: .IP
768: .IP "\fBtimeout\fP"
769: This parameter allows you to override the
770: clients choice for I/O timeout for this module. Using this parameter you
771: can ensure that rsync won\(cq\&t wait on a dead client forever. The timeout
772: is specified in seconds. A value of zero means no timeout and is the
773: default. A good choice for anonymous rsync daemons may be 600 (giving
774: a 10 minute timeout).
775: .IP
776: .IP "\fBrefuse options\fP"
777: This parameter allows you to
778: specify a space\-separated list of rsync command line options that will
779: be refused by your rsync daemon.
780: You may specify the full option name, its one\-letter abbreviation, or a
781: wild\-card string that matches multiple options.
782: For example, this would refuse \fB\-\-checksum\fP (\fB\-c\fP) and all the various
783: delete options:
784: .IP
785: .RS
786: \f(CW refuse options = c delete\fP
787: .RE
788:
789: .IP
790: The reason the above refuses all delete options is that the options imply
791: \fB\-\-delete\fP, and implied options are refused just like explicit options.
792: As an additional safety feature, the refusal of \(dq\&delete\(dq\& also refuses
793: \fBremove\-source\-files\fP when the daemon is the sender; if you want the latter
794: without the former, instead refuse \(dq\&delete\-*\(dq\& \-\- that refuses all the
795: delete modes without affecting \fB\-\-remove\-source\-files\fP.
796: .IP
797: When an option is refused, the daemon prints an error message and exits.
798: To prevent all compression when serving files,
799: you can use \(dq\&dont compress = *\(dq\& (see below)
800: instead of \(dq\&refuse options = compress\(dq\& to avoid returning an error to a
801: client that requests compression.
802: .IP
803: .IP "\fBdont compress\fP"
804: This parameter allows you to select
805: filenames based on wildcard patterns that should not be compressed
806: when pulling files from the daemon (no analogous parameter exists to
807: govern the pushing of files to a daemon).
808: Compression is expensive in terms of CPU usage, so it
809: is usually good to not try to compress files that won\(cq\&t compress well,
810: such as already compressed files.
811: .IP
812: The \(dq\&dont compress\(dq\& parameter takes a space\-separated list of
813: case\-insensitive wildcard patterns. Any source filename matching one
814: of the patterns will not be compressed during transfer.
815: .IP
816: See the \fB\-\-skip\-compress\fP parameter in the \fBrsync\fP(1) manpage for the list
817: of file suffixes that are not compressed by default. Specifying a value
818: for the \(dq\&dont compress\(dq\& parameter changes the default when the daemon is
819: the sender.
820: .IP
821: .IP "\fBpre\-xfer exec\fP, \fBpost\-xfer exec\fP"
822: You may specify a command to be run
823: before and/or after the transfer. If the \fBpre\-xfer exec\fP command fails, the
1.1.1.2 ! misho 824: transfer is aborted before it begins. Any output from the script on stdout (up
! 825: to several KB) will be displayed to the user when aborting, but is NOT
! 826: displayed if the script returns success. Any output from the script on stderr
! 827: goes to the daemon\(cq\&s stderr, which is typically discarded (though see
! 828: \-\-no\-detatch option for a way to see the stderr output, which can assist with
! 829: debugging).
1.1 misho 830: .IP
831: The following environment variables will be set, though some are
832: specific to the pre\-xfer or the post\-xfer environment:
833: .IP
834: .RS
835: .IP o
836: \fBRSYNC_MODULE_NAME\fP: The name of the module being accessed.
837: .IP o
838: \fBRSYNC_MODULE_PATH\fP: The path configured for the module.
839: .IP o
840: \fBRSYNC_HOST_ADDR\fP: The accessing host\(cq\&s IP address.
841: .IP o
842: \fBRSYNC_HOST_NAME\fP: The accessing host\(cq\&s name.
843: .IP o
844: \fBRSYNC_USER_NAME\fP: The accessing user\(cq\&s name (empty if no user).
845: .IP o
846: \fBRSYNC_PID\fP: A unique number for this transfer.
847: .IP o
848: \fBRSYNC_REQUEST\fP: (pre\-xfer only) The module/path info specified
1.1.1.2 ! misho 849: by the user. Note that the user can specify multiple source files,
! 850: so the request can be something like \(dq\&mod/path1 mod/path2\(dq\&, etc.
1.1 misho 851: .IP o
852: \fBRSYNC_ARG#\fP: (pre\-xfer only) The pre\-request arguments are set
1.1.1.2 ! misho 853: in these numbered values. RSYNC_ARG0 is always \(dq\&rsyncd\(dq\&, followed by
! 854: the options that were used in RSYNC_ARG1, and so on. There will be a
! 855: value of \(dq\&.\(dq\& indicating that the options are done and the path args
! 856: are beginning \-\- these contain similar information to RSYNC_REQUEST,
! 857: but with values separated and the module name stripped off.
1.1 misho 858: .IP o
859: \fBRSYNC_EXIT_STATUS\fP: (post\-xfer only) the server side\(cq\&s exit value.
860: This will be 0 for a successful run, a positive value for an error that the
861: server generated, or a \-1 if rsync failed to exit properly. Note that an
862: error that occurs on the client side does not currently get sent to the
863: server side, so this is not the final exit status for the whole transfer.
864: .IP o
865: \fBRSYNC_RAW_STATUS\fP: (post\-xfer only) the raw exit value from
866: \f(CWwaitpid()\fP
867: \&.
868: .RE
869:
870: .IP
871: Even though the commands can be associated with a particular module, they
872: are run using the permissions of the user that started the daemon (not the
873: module\(cq\&s uid/gid setting) without any chroot restrictions.
874: .IP
1.1.1.2 ! misho 875: .SH "CONFIG DIRECTIVES"
! 876:
! 877: .PP
! 878: There are currently two config directives available that allow a config file to
! 879: incorporate the contents of other files: \fB&include\fP and \fB&merge\fP. Both
! 880: allow a reference to either a file or a directory. They differ in how
! 881: segregated the file\(cq\&s contents are considered to be.
! 882: .PP
! 883: The \fB&include\fP directive treats each file as more distinct, with each one
! 884: inheriting the defaults of the parent file, starting the parameter parsing
! 885: as globals/defaults, and leaving the defaults unchanged for the parsing of
! 886: the rest of the parent file.
! 887: .PP
! 888: The \fB&merge\fP directive, on the other hand, treats the file\(cq\&s contents as
! 889: if it were simply inserted in place of the directive, and thus it can set
! 890: parameters in a module started in another file, can affect the defaults for
! 891: other files, etc.
! 892: .PP
! 893: When an \fB&include\fP or \fB&merge\fP directive refers to a directory, it will read
! 894: in all the \fB*.conf\fP or \fB*.inc\fP files (respectively) that are contained inside
! 895: that directory (without any
! 896: recursive scanning), with the files sorted into alpha order. So, if you have a
! 897: directory named \(dq\&rsyncd.d\(dq\& with the files \(dq\&foo.conf\(dq\&, \(dq\&bar.conf\(dq\&, and
! 898: \(dq\&baz.conf\(dq\& inside it, this directive:
! 899: .PP
! 900: .nf
! 901: &include /path/rsyncd.d
! 902: .fi
! 903:
! 904: .PP
! 905: would be the same as this set of directives:
! 906: .PP
! 907: .nf
! 908: &include /path/rsyncd.d/bar.conf
! 909: &include /path/rsyncd.d/baz.conf
! 910: &include /path/rsyncd.d/foo.conf
! 911: .fi
! 912:
! 913: .PP
! 914: except that it adjusts as files are added and removed from the directory.
! 915: .PP
! 916: The advantage of the \fB&include\fP directive is that you can define one or more
! 917: modules in a separate file without worrying about unintended side\-effects
! 918: between the self\-contained module files.
! 919: .PP
! 920: The advantage of the \fB&merge\fP directive is that you can load config snippets
! 921: that can be included into multiple module definitions, and you can also set
! 922: global values that will affect connections (such as \fBmotd file\fP), or globals
! 923: that will affect other include files.
! 924: .PP
! 925: For example, this is a useful /etc/rsyncd.conf file:
! 926: .PP
! 927: .nf
! 928: port = 873
! 929: log file = /var/log/rsync.log
! 930: pid file = /var/lock/rsync.lock
! 931:
! 932: &merge /etc/rsyncd.d
! 933: &include /etc/rsyncd.d
! 934: .fi
! 935:
! 936: .PP
! 937: This would merge any /etc/rsyncd.d/*.inc files (for global values that should
! 938: stay in effect), and then include any /etc/rsyncd.d/*.conf files (defining
! 939: modules without any global\-value cross\-talk).
! 940: .PP
1.1 misho 941: .SH "AUTHENTICATION STRENGTH"
942:
943: .PP
944: The authentication protocol used in rsync is a 128 bit MD4 based
945: challenge response system. This is fairly weak protection, though (with
946: at least one brute\-force hash\-finding algorithm publicly available), so
947: if you want really top\-quality security, then I recommend that you run
948: rsync over ssh. (Yes, a future version of rsync will switch over to a
949: stronger hashing method.)
950: .PP
951: Also note that the rsync daemon protocol does not currently provide any
952: encryption of the data that is transferred over the connection. Only
953: authentication is provided. Use ssh as the transport if you want
954: encryption.
955: .PP
956: Future versions of rsync may support SSL for better authentication and
957: encryption, but that is still being investigated.
958: .PP
959: .SH "EXAMPLES"
960:
961: .PP
962: A simple rsyncd.conf file that allow anonymous rsync to a ftp area at
963: \f(CW/home/ftp\fP would be:
964: .PP
965: .nf
966:
967: [ftp]
968: path = /home/ftp
969: comment = ftp export area
970:
971: .fi
972:
973: .PP
974: A more sophisticated example would be:
975: .PP
976: .nf
977:
978: uid = nobody
979: gid = nobody
980: use chroot = yes
981: max connections = 4
982: syslog facility = local5
983: pid file = /var/run/rsyncd.pid
984:
985: [ftp]
986: path = /var/ftp/./pub
987: comment = whole ftp area (approx 6.1 GB)
988:
989: [sambaftp]
990: path = /var/ftp/./pub/samba
991: comment = Samba ftp area (approx 300 MB)
992:
993: [rsyncftp]
994: path = /var/ftp/./pub/rsync
995: comment = rsync ftp area (approx 6 MB)
996:
997: [sambawww]
998: path = /public_html/samba
999: comment = Samba WWW pages (approx 240 MB)
1000:
1001: [cvs]
1002: path = /data/cvs
1003: comment = CVS repository (requires authentication)
1004: auth users = tridge, susan
1005: secrets file = /etc/rsyncd.secrets
1006:
1007: .fi
1008:
1009: .PP
1010: The /etc/rsyncd.secrets file would look something like this:
1011: .PP
1012: .RS
1013: \f(CWtridge:mypass\fP
1014: .br
1015: \f(CWsusan:herpass\fP
1016: .br
1017: .RE
1018:
1019: .PP
1020: .SH "FILES"
1021:
1022: .PP
1023: /etc/rsyncd.conf or rsyncd.conf
1024: .PP
1025: .SH "SEE ALSO"
1026:
1027: .PP
1028: \fBrsync\fP(1)
1029: .PP
1030: .SH "DIAGNOSTICS"
1031:
1032: .PP
1033: .SH "BUGS"
1034:
1035: .PP
1036: Please report bugs! The rsync bug tracking system is online at
1037: http://rsync.samba.org/
1038: .PP
1039: .SH "VERSION"
1040:
1041: .PP
1.1.1.2 ! misho 1042: This man page is current for version 3.1.0 of rsync.
1.1 misho 1043: .PP
1044: .SH "CREDITS"
1045:
1046: .PP
1.1.1.2 ! misho 1047: rsync is distributed under the GNU General Public License. See the file
1.1 misho 1048: COPYING for details.
1049: .PP
1050: The primary ftp site for rsync is
1051: ftp://rsync.samba.org/pub/rsync.
1052: .PP
1053: A WEB site is available at
1054: http://rsync.samba.org/
1055: .PP
1056: We would be delighted to hear from you if you like this program.
1057: .PP
1058: This program uses the zlib compression library written by Jean\-loup
1059: Gailly and Mark Adler.
1060: .PP
1061: .SH "THANKS"
1062:
1063: .PP
1064: Thanks to Warren Stanley for his original idea and patch for the rsync
1065: daemon. Thanks to Karsten Thygesen for his many suggestions and
1066: documentation!
1067: .PP
1068: .SH "AUTHOR"
1069:
1070: .PP
1071: rsync was written by Andrew Tridgell and Paul Mackerras.
1072: Many people have later contributed to it.
1073: .PP
1074: Mailing lists for support and development are available at
1075: http://lists.samba.org
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>