rsync

package module
v0.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 23, 2025 License: BSD-3-Clause Imports: 3 Imported by: 0

README

gokrazy rsync

tests Sourcegraph

This repository contains a native Go rsync implementation: the gokr-rsync command implements an rsync client and server, which can send or receive files (all directions supported). Daemon mode is supported, meaning you can deploy gokr-rsync behind SSH (anonymous or authorized), as command or daemon, or listening directly on the network (on port 873/tcp by default).

The following known improvements are not yet implemented:

  • Making gokr-rsync chroot (and/or Linux mount namespaces when available?) into the destination directory to reduce chances of accidental file system manipulation in case of bugs.

This project accepts contributions as time permits to merge them (best effort).

How do I know this project won’t eat my data?

This rsync implementation is very fresh. It was started in 2021 and doesn’t have many users yet.

With that warning out of the way, the rsync protocol uses MD4 checksums over file contents, so at least your file contents should never be able to be corrupted.

There is enough other functionality (delta transfers, file metadata, special files like symlinks or devices, directory structures, etc.) in the rsync protocol that provides opportunities for bugs to hide.

I recommend you carefully check that your transfers work, and please do report any issues you run into!

Existing rsync implementation survey

Language URL Note Max Protocol Server mode?
C RsyncProject/rsync (formerly WayneD/rsync) original “tridge” implementation; I found older versions easier to study 31 ✔ yes
C kristapsdz/openrsync OpenBSD, good docs 27 ✔ yes
Go gokrazy/rsync → you are here ← 27 ✔ yes 🎉
Go jbreiding/rsync-go rsync algorithm ❌ no
Go kaiakz/rsync-os only client/receiver 27 ❌ no
Go knight42 proxy ❌ no
Go c4milo/gsync ❌ no
Java APNIC-net/repositoryd archived ✔ yes
Java JohannesBuchner/Jarsync archived, internet draft RFC “The rsync Network Protocol” ✔ yes
Java perlundq/yajsync ✔ yes
C++ gilbertchen/acrosync-library commercial ❌ no
Rust sourcefrog/rsyn client, “rsyn is rsync with no c” 27 ❌ no

Getting started

To serve the current directory via rsync on localhost:8730, use:

go install github.com/gokrazy/rsync/cmd/gokr-rsync@latest
gokr-rsync --daemon --gokr.listen=localhost:8730 --gokr.modulemap=pwd=$PWD

You can then copy the contents of the current directory with clients such as rsync(1):

% rsync -v --archive --port 8730 rsync://localhost/pwd/ quine
receiving file list ... done
created directory quine
./
.git/
[…]
.github/workflows/main.yml
LICENSE
Makefile
README.md
cmd/gokr-rsyncd/rsyncd.go
doc.go
go.mod
go.sum
internal/rsyncd/connection.go
internal/rsyncd/rsyncd.go
interop_test.go

sent 1,234 bytes  received 5,678 bytes  13,824.00 bytes/sec
total size is 666  speedup is 0.10

…or openrsync(1), shown doing a differential update:

% openrsync -v --archive --port 8730 rsync://localhost/pwd/ quine
socket.c:109: warning: connect refused: ::1, localhost
Transfer starting: 369 files
.git/index (1.1 KB, 100.0% downloaded)
Transfer complete: 5.5 KB sent, 1.2 KB read, 666 B file size

Usage / Setup

setup encrypted authenticated private files? privileges protocol version config required
1. rsync daemon protocol (TCP port 873) ❌ no ⚠ rsync (insecure) ❌ only world-readable ✔ dropped + namespace ✔ negotiated config required
2. anon SSH (daemon) ✔ yes ✔ rsync ❌ only world-readable ✔ dropped + namespace ✔ negotiated config required
3. SSH (command) ✔ yes ✔ SSH ✔ yes ⚠ full user ⚠ assumed no config
4. SSH (daemon) ✔ yes ✔ SSH (+ rsync) ✔ yes ⚠ full user ✔ negotiated ~/.config/gokr-rsyncd.toml required

Regarding protocol version “assumed”: the flags to send over the network are computed before starting SSH and hence the remote rsync process. You might need to specify --protocol=27 explicitly on the client. Once the connection is established, both sides do negotiate the protocol, though.

Setup 1: rsync daemon protocol (TCP port 873)

Serving rsync daemon protocol on TCP port 873 is only safe where the network layer ensures trusted communication, e.g. in a local network (LAN), or when using Tailscale or similar. In untrusted networks, attackers can eavesdrop on file transfers and possibly even modify file contents.

Prefer setup 2 instead.

Example:

  • Server: gokr-rsync --daemon --gokr.modulemap=module=/srv/rsync-module
  • Client: rsync rsync://webserver/module/path
Setup 2: anon SSH (daemon)

This setup is well suited for serving world-readable files without authentication.

Example:

  • Server: gokr-rsync --daemon --gokr.modulemap=module=/srv/rsync-module --gokr.anonssh_listen=:22873
  • Client: rsync -e ssh rsync://webserver/module/path
Setup 3: SSH (command)

This setup is well suited for interactive one-off transfers or regular backups, and uses SSH for both encryption and authentication.

Note that because gokr-rsync is invoked with user privileges (not root privileges), it cannot do namespacing and hence retains more privileges. When serving public data, it is generally preferable to use setup 2 instead.

Note that rsync(1) assumes the server process understands all flags that it sends, i.e. is running the same version on client and server, or at least a compatible-enough version. You can either specify --protocol=27 on the client, or use setup 4, which negotiates the protocol version, side-stepping possible compatibility gaps between rsync clients and gokr-rsync.

Example:

  • Server will be started via SSH
  • Client: rsync --rsync-path=gokr-rsync webserver:path
Setup 4: SSH (daemon)

This setup is more reliable than setup 3 because the rsync protocol version will be negotiated between client and server. This setup is slightly inconvenient because it requires a config file to be present on the server in ~/.config/gokr-rsyncd.toml.

Note that this mode of operation is only implemented by the original “trigde” rsync, not in openrsync. Apple started shipping openrsync with macOS 15 Sequoia, so you might need to explicitly start /usr/libexec/rsync/rsync.samba on Macs.

Example:

  • Server will be started via SSH
  • Client: rsync -e ssh --rsync-path=gokr-rsync rsync://webserver/module/path

Limitations

Bandwidth

In my tests, gokr-rsync can easily transfer data at > 6 Gbit/s. The current bottleneck is the MD4 algorithm itself (not sure whether in the “tridge” rsync client, or in gokr-rsync). Implementing support for more recent protocol versions would help here, as these include hash algorithm negotiation with more recent choices.

  • xattrs (including acls) was introduced in rsync protocol 30, so is currently not supported.

Supported environments and privilege dropping

Supported environments:

  1. systemd (Linux)
  2. Docker (Linux)
  3. privileged Linux
  4. privileged non-Linux

In all environments, the default instructions will take care that:

  • (On Linux only) Only configured rsync modules from the host file system are mounted read-only into a Linux mount namespace for gokr-rsync, to guard against data modification and data exfiltration.
  • gokr-rsync is running without privileges, as user nobody, to limit the scope of what an attacker can do when exploiting a vulnerability.

Known gaps:

  • gokr-rsync does not guard against denial of service attacks, i.e. consuming too many resources (connections, bandwidth, CPU, …).
systemd (unprivileged)

We provide a gokr-rsyncd.socket and gokr-rsyncd.service file for systemd. These files enables most of systemd’s security features. You can check by running systemd-analyze security gokr-rsyncd.service, which should result in an exposure level of “0.2 SAFE” as of systemd 249 (September 2021).

First, configure your server flags by creating a systemd service override file:

systemctl edit gokr-rsyncd.service

In the opened editor, change the file to:

[Service]
ExecStart=
ExecStart=/usr/bin/gokr-rsync --daemon --gokr.modulemap=pwd=/etc/tmpfiles.d

Close the editor and install the service using:

systemctl enable --now gokr-rsyncd.socket

Additional hardening recommendations:

Docker (unprivileged)

We provide a Dockerfile for gokr-rsyncd.

docker run \
  --read-only \
  -p 127.0.0.1:8730:8730 \
  -v /etc/tmpfiles.d:/srv/rsync:ro \
  stapelberg/gokrazy-rsync:latest \
    --gokr.modulemap=pwd=/srv/rsync

Additional hardening recommendations:

privileged Linux (including gokrazy.org)

When started as root on Linux, gokr-rsync will create a Linux mount namespace, mount all configured rsync modules read-only into the namespace, then change into the namespace using chroot(2) and drop privileges using setuid(2).

Tip: you can verify which file system objects the daemon process can see by using ls -l /proc/$(pidof gokr-rsync)/root/.

Additional hardening recommendations:

privileged non-Linux (e.g. Mac)

When started as root on non-Linux (e.g. Mac), gokr-rsync will drop privileges using setuid(2).

unprivileged with write permission (e.g. from a shell)

To prevent accidental misconfiguration, gokr-rsync refuses to start when it detects that it has write permission in any configured rsync module.

Documentation

Overview

Package rsync contains a native Go rsync implementation.

The only component currently is gokr-rsyncd, a read-only rsync daemon sender-only Go implementation of rsyncd. rsync daemon is a custom (un-standardized) network protocol, running on port 873 by default.

Index

Constants

View Source 
const (
	XMIT_TOP_DIR             = (1 << 0)
	XMIT_SAME_MODE           = (1 << 1)
	XMIT_EXTENDED_FLAGS      = (1 << 2)
	XMIT_SAME_RDEV_pre28     = XMIT_EXTENDED_FLAGS /* Only in protocols < 28 */
	XMIT_SAME_UID            = (1 << 3)
	XMIT_SAME_GID            = (1 << 4)
	XMIT_SAME_NAME           = (1 << 5)
	XMIT_LONG_NAME           = (1 << 6)
	XMIT_SAME_TIME           = (1 << 7)
	XMIT_SAME_RDEV_MAJOR     = (1 << 8)
	XMIT_HAS_IDEV_DATA       = (1 << 9)
	XMIT_SAME_DEV            = (1 << 10)
	XMIT_RDEV_MINOR_IS_SMALL = (1 << 11)
)

rsync.h

View Source 
const (
	S_IFMT   = 0o0170000 // bits determining the file type
	S_IFDIR  = 0o0040000 // Directory
	S_IFCHR  = 0o0020000 // Character device
	S_IFBLK  = 0o0060000 // Block device
	S_IFREG  = 0o0100000 // Regular file
	S_IFIFO  = 0o0010000 // FIFO
	S_IFLNK  = 0o0120000 // Symbolic link
	S_IFSOCK = 0o0140000 // Socket
)

as per /usr/include/bits/stat.h:

View Source 
const ProtocolVersion = 27

ProtocolVersion defines the currently implemented rsync protocol version. Protocol version 27 seems to be the safest bet for wide compatibility: version 27 was introduced by rsync 2.6.0 (released 2004), and is supported by openrsync and rsyn.

Variables

This section is empty.

Functions

This section is empty.

Types

type Logger 

type Logger = log.Logger

Logger is an interface that allows specifying your own logger. By default, the Go log package is used, which prints to stderr.

type SumBuf 

type SumBuf struct {
	Offset int64
	Len    int64
	Index  int32
	Sum1   uint32
	Sum2   [16]byte
}

rsync/rsync.h:struct sum_buf

type SumHead 

type SumHead struct {
	// “number of blocks” (openrsync)
	// “how many chunks” (rsync)
	ChecksumCount int32

	// “block length in the file” (openrsync)
	// maximum (1 << 29) for older rsync, (1 << 17) for newer
	BlockLength int32

	// “long checksum length” (openrsync)
	ChecksumLength int32

	// “terminal (remainder) block length” (openrsync)
	// RemainderLength is flength % BlockLength
	RemainderLength int32

	Sums []SumBuf
}

TODO: remove connection.go:sumHead in favor of this type

func (*SumHead) ReadFrom 

func (sh *SumHead) ReadFrom(c *rsyncwire.Conn) error

func (*SumHead) WriteTo 

func (sh *SumHead) WriteTo(c *rsyncwire.Conn) error

Source Files

View all Source files

Directories

Path Synopsis
cmd
gokr-rsync
Tool gokr-rsync is an rsync Go implementation.
 Tool gokr-rsync is an rsync Go implementation.
gokr-rsyncd
Tool gokr-rsyncd is an old name for gokr-rsync.
 Tool gokr-rsyncd is an old name for gokr-rsync.
internal
anonssh
log
Package log defines the logger interface used in rsync library.
 Package log defines the logger interface used in rsync library.
maincmd
Package maincmd implements a subset of the '$ rsync' CLI surface, namely that it can:
 Package maincmd implements a subset of the '$ rsync' CLI surface, namely that it can:
nofollow
receiver
rsyncchecksum
rsynccommon
Package rsynccommon contains functionality that both the sender and the receiver implementation need.
 Package rsynccommon contains functionality that both the sender and the receiver implementation need.
rsyncdconfig
rsyncopts
Package rsyncopts implements a parser for command-line options that implements a subset of popt(3) semantics; just enough to parse typical rsync(1) invocations without the advanced popt features like aliases or option prefix matching (not --del, only --delete).
 Package rsyncopts implements a parser for command-line options that implements a subset of popt(3) semantics; just enough to parse typical rsync(1) invocations without the advanced popt features like aliases or option prefix matching (not --del, only --delete).
rsyncstats
rsynctest
rsyncwire
sender
version

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.