From: John Audia <therealgraysky@proton.me>
Date: Sun, 20 Jul 2025 15:54:49 +0000 (-0400)
Subject: rsync: run as regular user rather than as root
X-Git-Url: http://git.openwrt.org/%22https:/collectd.org//%22/%22https:/collectd.org/%22?a=commitdiff_plain;h=2a7364534eb67099e000655b267400a3c885c21b;p=feed%2Fpackages.git

rsync: run as regular user rather than as root

Rsyncd only needs a subset of all capabilities so create
a dedicated user with these capabilities. This is better from both a
security and an isolation perspective than running as root.

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>
---

diff --git a/net/rsync/Makefile b/net/rsync/Makefile
index 4fd7185f8b..ed5a9c832c 100644
--- a/net/rsync/Makefile
+++ b/net/rsync/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=rsync
 PKG_VERSION:=3.4.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src
@@ -67,6 +67,7 @@ define Package/rsyncd
   SUBMENU:=File Transfer
   TITLE:=Rsync daemon
   DEPENDS:=+rsync
+  USERID:=rsyncd=976:rsyncd=976
   URL:=https://rsync.samba.org/
 endef
 
@@ -108,6 +109,8 @@ define Package/rsyncd/install
 	$(INSTALL_DATA) ./files/rsyncd.conf $(1)/etc/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/rsyncd.init $(1)/etc/init.d/rsyncd
+	$(INSTALL_DIR) $(1)/etc/capabilities
+	$(INSTALL_DATA) ./files/rsyncd.json $(1)/etc/capabilities
 endef
 
 define Package/rrsync/description
diff --git a/net/rsync/files/rsyncd.init b/net/rsync/files/rsyncd.init
index d226d0f3fa..bbcd99db80 100644
--- a/net/rsync/files/rsyncd.init
+++ b/net/rsync/files/rsyncd.init
@@ -10,5 +10,12 @@ PROG=/usr/bin/rsync
 start_service() {
 	procd_open_instance
 	procd_set_param command "$PROG" --daemon --no-detach
+	[ -x /sbin/ujail -a -e /etc/capabilities/rsyncd.json ] && {
+		procd_add_jail rsyncd
+		procd_set_param capabilities /etc/capabilities/rsyncd.json
+		procd_set_param user rsyncd
+		procd_set_param group rsyncd
+		procd_set_param no_new_privs 1
+	}
 	procd_close_instance
 }
diff --git a/net/rsync/files/rsyncd.json b/net/rsync/files/rsyncd.json
new file mode 100644
index 0000000000..0f3f40f49b
--- /dev/null
+++ b/net/rsync/files/rsyncd.json
@@ -0,0 +1,37 @@
+{
+	"bounding": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_CHROOT",
+		"CAP_SETUID",
+		"CAP_SETGID",
+		"CAP_DAC_OVERRIDE"
+	],
+	"effective": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_CHROOT",
+		"CAP_SETUID",
+		"CAP_SETGID",
+		"CAP_DAC_OVERRIDE"
+	],
+	"ambient": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_CHROOT",
+		"CAP_SETUID",
+		"CAP_SETGID",
+		"CAP_DAC_OVERRIDE"
+	],
+	"permitted": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_CHROOT",
+		"CAP_SETUID",
+		"CAP_SETGID",
+		"CAP_DAC_OVERRIDE"
+	],
+	"inheritable": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_CHROOT",
+		"CAP_SETUID",
+		"CAP_SETGID",
+		"CAP_DAC_OVERRIDE"
+	]
+}