From: John Audia
Date: Sun, 20 Jul 2025 15:54:49 +0000 (-0400)
Subject: rsync: run as regular user rather than as root
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=2a7364534eb67099e000655b267400a3c885c21b;p=openwrt-packages.git
rsync: run as regular user rather than as root
Rsyncd only needs a subset of all capabilities so create a dedicated user with these capabilities. This is better from both a security and an isolation perspective than running as root.
Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc
Signed-off-by: John Audia
---
diff --git a/net/rsync/Makefile b/net/rsync/Makefile
index 4fd7185f8..ed5a9c832 100644
--- a/net/rsync/Makefile
+++ b/net/rsync/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=rsync
 PKG_VERSION:=3.4.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src
@@ -67,6 +67,7 @@ define Package/rsyncd
 SUBMENU:=File Transfer
 TITLE:=Rsync daemon
 DEPENDS:=+rsync
+ USERID:=rsyncd=976:rsyncd=976
 URL:=https://rsync.samba.org/
 endef
@@ -108,6 +109,8 @@ define Package/rsyncd/install
 $(INSTALL_DATA) ./files/rsyncd.conf $(1)/etc/
 $(INSTALL_DIR) $(1)/etc/init.d
 $(INSTALL_BIN) ./files/rsyncd.init $(1)/etc/init.d/rsyncd
+ $(INSTALL_DIR) $(1)/etc/capabilities
+ $(INSTALL_DATA) ./files/rsyncd.json $(1)/etc/capabilities
 endef
 define Package/rrsync/description
diff --git a/net/rsync/files/rsyncd.init b/net/rsync/files/rsyncd.init
index d226d0f3f..bbcd99db8 100644
--- a/net/rsync/files/rsyncd.init
+++ b/net/rsync/files/rsyncd.init
@@ -10,5 +10,12 @@ PROG=/usr/bin/rsync
 start_service() {
 procd_open_instance
 procd_set_param command "$PROG" --daemon --no-detach
+ [ -x /sbin/ujail -a -e /etc/capabilities/rsyncd.json ] && {
+ procd_add_jail rsyncd
+ procd_set_param capabilities /etc/capabilities/rsyncd.json
+ procd_set_param user rsyncd
+ procd_set_param group rsyncd
+ procd_set_param no_new_privs 1
+ }
 procd_close_instance
 }
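Review bot: The hardening added to `start_service()` in rsyncd.init is fail-open: when `/sbin/ujail` is not executable or `/etc/capabilities/rsyncd.json` is missing, the `[ ... ] && { ... }` guard skips the `user`, `group`, `capabilities` and `no_new_privs` parameters and the daemon starts unconfined, presumably as root as before, with nothing logged. I would turn the guard into an `if`/`else` that logs a warning in the fallback branch, so an operator can tell from the system log which mode the service is running in. The same rewrite replaces the `-a` operator inside `[ ]`, which POSIX marks obsolescent, with two separate tests.

```shell
	if [ -x /sbin/ujail ] && [ -e /etc/capabilities/rsyncd.json ]; then
		# … unchanged: procd_add_jail and the capabilities/user/group/no_new_privs params …
	else
		logger -t rsyncd -p daemon.warn "ujail or /etc/capabilities/rsyncd.json missing; rsyncd is not confined"
	fi
```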
diff --git a/net/rsync/files/rsyncd.json b/net/rsync/files/rsyncd.json
new file mode 100644
index 000000000..0f3f40f49
--- /dev/null
+++ b/net/rsync/files/rsyncd.json
@@ -0,0 +1,37 @@
+{
+ "bounding": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_SETUID",
+ "CAP_SETGID",
+ "CAP_DAC_OVERRIDE"
+ ],
+ "effective": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_SETUID",
+ "CAP_SETGID",
+ "CAP_DAC_OVERRIDE"
+ ],
+ "ambient": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_SETUID",
+ "CAP_SETGID",
+ "CAP_DAC_OVERRIDE"
+ ],
+ "permitted": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_SETUID",
+ "CAP_SETGID",
+ "CAP_DAC_OVERRIDE"
+ ],
+ "inheritable": [
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_SETUID",
+ "CAP_SETGID",
+ "CAP_DAC_OVERRIDE"
+ ]
+}
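Review bot: The capability list keeps CAP_DAC_OVERRIDE, CAP_SETUID and CAP_SETGID in all five sets, which leaves the `rsyncd` user close to root for file access. Per capabilities(7), CAP_DAC_OVERRIDE bypasses file read, write and execute permission checks, and CAP_SETUID/CAP_SETGID allow switching to any uid or gid. Because the same entries are in `ambient` and `inheritable`, a program the daemon executes would normally inherit them across execve unless it is set-user-ID or carries file capabilities. JSON has no comment syntax, so I would record in the commit message, or in a comment next to `procd_set_param capabilities` in rsyncd.init, which rsyncd feature needs each entry (presumably the privileged port, `use chroot` and per-module `uid`/`gid`). It is also worth checking whether CAP_DAC_OVERRIDE can be dropped by making the exported paths owned by or readable to `rsyncd`.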