[Yum] yum-suck available

Robert G. Brown rgb at phy.duke.edu
Wed Jul 30 21:03:48 UTC 2003


On 30 Jul 2003, Aleksander Demko wrote:

> On Tue, 2003-07-29 at 21:45, Tom Diehl wrote:
> > If you can do ssh you can usually do rsync. Just add a "-e ssh" to the 
> > rsync command line. rsync is a truly wonderful program for mirroring
> > stuff.
> 
> Almost. The DMZed machine itself cannot open ANY sockets to the outside
> world - only respond to httpd and ssh requests. So what I did is I

Wow!  That's paranoid!  I can understand controlling the sockets it
offers, as buffer overwrite attacks on daemons (sometimes even including
httpd and sshd:-) are a standard cracker point of egress, but what
exactly is the motivation for preventing outgoing connections under the
direct control of its systems person, in particular outgoing ssh or
outgoing rsync?  In double particular outgoing connections that could be
made (if you are as paranoid as you appear to be) as a non-root
unprivileged user on the server that exists only to own the
to-be-mirrored repository, such as "nobody".

> ssh'ed INTO it and used -R port:some.proxy:port so the server tunnels
> http requests back down my ssh connection and to a proxy, and then to
> the rest of the world.

If you can ssh into it with the -R trick, then the methodology I used to
set up my yum tunnel should work for you to set up an rsync tunnel with
no need for a proxy.  Recipe:

 Given a system myhost from which rsync to the repository you wish to
 mirror works (according to the test Seth mentioned earlier) rsynchost,
 connect to the insanely paranoid server myserver that regulates
 outgoing port connections (which could only be made, deliberately, by
 its systems staff):

  ssh -l root -R 873:rsynchost:873 myserver

 (background it or leave this connection running idle in some window).

 Then, on myserver:

  rsync localhost::

 is completely equivalent to

  rsync rsynchost::

 from host myhost.  Except that the files transferred will end up on
 myserver, of course.  Stir well, cook until done.

This works, as I tried it.  The one negative thing is that rsync
>>requires<< a privileged port to work in anonymous mode (at least, so I
grok from experiments and the man page -- you can specify a host:port in
just about any modes BUT anonymous mode) you have to run the ssh
connection to the server as root on myserver.  Alternatively, it has to
be bone simple to hack rsync source to connect to e.g. port 33333 or
some other unprivileged value for anonymous mode so you could replace
the ssh above with just plain

  ssh -R 33333:rsynchost:873 myserver

and use

  rsync localhost::

thereafter.

I personally think that it makes more sense to just open outgoing
connections to 873 in iptables or ipfilters that are currently blocking
it, but if this is impossible and you have a user account on myhost
outside the firewall and root privileges on myserver inside the
firewall, you should be good to go...

   rgb

-- 
Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu
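The recipe above, scripted end to end as an added example (not code from the thread or the rsync/ssh projects). It assumes host names myhost, myserver and rsynchost as in the post, an rsync module called "updates", a mirror directory /var/mirror on myserver, and rsync's --port option, which lets the daemon-mode client use an unprivileged port on myserver so the ssh login there does not have to be root.

```shell
#!/bin/sh
# Run from myhost: open a reverse tunnel so that localhost:$LPORT on
# myserver reaches rsynchost:873, mirror over it, then close the tunnel.
# All names/ports below are assumptions; override via the environment.
RSYNCHOST="${RSYNCHOST:-rsynchost}"   # mirror that myhost can reach
MYSERVER="${MYSERVER:-myserver}"      # locked-down host with no outbound sockets
MODULE="${MODULE:-updates}"           # rsync module to mirror (assumed name)
LPORT="${LPORT:-33333}"               # unprivileged port on myserver
CTL="/tmp/tunnel-%r@%h:%p"            # ssh control socket, so we can tear down
DRY_RUN="${DRY_RUN:-0}"               # 1 = print the commands instead of running

# -f -N: background, no remote command; -M -S: control master for later -O exit;
# -R: bind $LPORT on myserver and forward it back through myhost to rsynchost:873.
tunnel_cmd() {
  echo "ssh -f -N -M -S $CTL -R $LPORT:$RSYNCHOST:873 $MYSERVER"
}

# On myserver the double-colon (daemon) syntax against localhost now hits the
# tunnel; --port avoids needing 873 and therefore root on myserver.
mirror_cmd() {
  echo "ssh -S $CTL $MYSERVER rsync -av --port=$LPORT localhost::$MODULE /var/mirror/$MODULE/"
}

# Close the master connection, which also drops the -R listener on myserver.
teardown_cmd() {
  echo "ssh -S $CTL -O exit $MYSERVER"
}

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$1"; else eval "$1"; fi
}

# Bring the tunnel up, mirror, always tear down, and return rsync's status.
main() {
  run "$(tunnel_cmd)" || return 1
  run "$(mirror_cmd)"; rc=$?
  run "$(teardown_cmd)"
  return $rc
}
```

Call `main` after setting the variables; with `DRY_RUN=1` it only prints the three commands so they can be checked before anything is opened.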