From FTP Administration <ftp...@it.net.au>
Subject Re: Mirroring apache using rsync
Date Sat, 11 Jul 1998 21:46:18 GMT
Hoo, quite a storm my little gumby question produced ...  <grin>

Thanks, all, for the advice of the -l switch.  I shall think about
whether to use it, or whether to pipe rsync's output to /dev/null for
the cron job ...

The messages "Skipping non-regular file" seem a little ambiguous to
me.  As far as I can determine, the symlinks are correct ... and I
assume that if some symlinks changed on the remote site, then rsync
would fix mine, as long as I enable "-l".

How about using hard links on the main site, and then we can use the
-H option with rsync?  Then we'd have none of this worrying about bad
symlinks.  <smile>

Seriously though ... on the "how to mirror" page, the instructions are
to use only the -rtvz flags.  For those of us with existing mirrors,
then our symlinks will already be okay.  However, if someone was
starting up a fresh one, or the main site changes their symlinks, then
that rsync command will not produce a faithful mirror of the site.

P'raps the -a flag is okay then, in that light?

(more comments below this lot)

Wojtek Sylwestrzak said:
> > > 
> > > Uhm, is it fine ? 
> > > use -l option to copy symlinks (unless you don't want them for a reason).
> > 
> > Sure, and then if someone breaks into taz and puts a symlink "foo -> /" 
> > then rsync will copy it... which is fine for chroot'd ftpds.  But if you
> > also serve that filespace via a non-chrooted httpd, then you could be
> > opening yourself up to something you don't want. 
> > 
> > Dean
> > 
> Yes, any solution to this ?
> Perhaps areas being mirrored shouldn't have symlinks in the first place,
> and then the mirror process (be it mirror, rsync or whatever) should
> not copy symlinks, assuming they shouldn't exist in the origin server ?
> This seems a more general issue about mirrors accessible outside
> chroot env, though. 
> we are running hundreds of mirrors, and most of them use symlinks internally,
> so we cannot ignore this. On the other hand, we make them all accessible
> with httpd that follows symlinks. We are being quite naive here :-(
> --w

We're not running hundreds of mirrors, but we do have a few.  wu-ftpd
is chrooted, which is fine, and we also serve the files by http, using
Apache.  I followed the advice on Apache's "Security Tips" page, and
did a <Directory /> directive, making / unavailable, and then turning
access back on for the anonymous ftp directory.  This way, a symlink
to / might be visible, and FollowSymLinks might be on, but the server
should not be able to read what the symlink points to.

I strongly advise other people to do the same if they haven't done so
already.  Read "docs/misc/security_tips.html" in your mirror for more
info.  :)



Andrew Shugg
FTP Administrator         E-mail:  ftpadm@it.net.au
Informed Technology       Web:     http://www.it.net.au/
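
An added example, not part of the original message: a Python audit a mirror operator could run after an `rsync -l` pass to list symlinks whose resolved target leaves the mirror tree, such as the "foo -> /" case Dean describes. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(mirror_root):
    """List (link path relative to root, raw target) for every symlink
    whose fully resolved target lies outside mirror_root."""
    root = os.path.realpath(mirror_root)
    found = []
    # followlinks=False: report symlinked directories, never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows chains of links, so a link to a link that
            # finally leaves the tree is caught as well.
            resolved = os.path.realpath(path)
            if os.path.commonpath([root, resolved]) != root:
                found.append((os.path.relpath(path, root), os.readlink(path)))
    return sorted(found)


def build_sample_mirror(root):
    """Constructed sample tree: one internal link, two that escape."""
    os.makedirs(os.path.join(root, "dist"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "dist", "apache.tar.gz"), "w") as f:
        f.write("constructed sample file\n")
    os.symlink("apache.tar.gz", os.path.join(root, "dist", "latest"))  # stays inside
    os.symlink("/", os.path.join(root, "foo"))            # the "foo -> /" case
    os.symlink("../..", os.path.join(root, "docs", "up"))  # relative escape


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_mirror(tmp)
        for link, target in escaping_symlinks(tmp):
            print(f"{link} -> {target}")
```

A non-empty result on a tree that is also served by a non-chrooted httpd is the condition discussed in this thread.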

