[Server-devel] [PATCH] Touch a ".transfer_complete" to mark completion, minor cleanups

Michael Stone michael at laptop.org
Mon Jun 16 19:19:59 EDT 2008


On Mon, Jun 16, 2008 at 06:20:02PM -0400, Martin Langhoff wrote:

> Note: this is a work in progress. 

Naturally. 

> Back to your question: we tack on a "transfer_complete" flag file in a
> 2nd rsync transmission that is conditional on the first one
> succeeding. A better solution is to wrap rsync at the XS end, and flag
> "completion" if the local rsync exits cleanly.

You could probably fix my objection by updating the protocol wiki page
to discuss this convention. Does the server only consider backups that
contain this completion flag? (More generally, how does the server
select which path it should return to the client?)

> Hmmm. Nothing prevents clients from just ssh'ing in and rsyncing to
> various nested directories to DoS our storage. 

Once you've given a login to someone then yes, they can do a lot of
damage. However, I consider that problem to be orthogonal to the problem
we were discussing, which was that of people who don't have logins doing
nasty things.

> Heck, without rssh they get shell, so they can eat up the partition
> with a quick dd if=/dev/zero of=bla

Quotas? Token-bucketed writes? There's lots of options.

> If you tell me that our threat scenario is more serious, we are in for
> a complete change of plans.

Is your threat scenario described anywhere?

Michael

P.S. - Another curious thought: world-writable files on my XO will
remain world-writable on the XS after being rsync'ed up and down, right?
Presumably that means we need to take some care with the permissions on
the directory we ask the client to store them in...
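The two conventions discussed in this exchange, a completion flag that is only written when the transfer itself exits cleanly, and a server that returns only backups carrying that flag, can be sketched in a few shell functions. The script below is an added illustration, not code from this thread or from the XS project: the directory layout (one dated directory per backup under a root), the `.transfer_complete` name and the `o-w` permission policy are assumptions of the example, and the `cp -R` branch is only a constructed fallback so it runs where `rsync` is not installed.

```shell
#!/bin/sh
# Added example (not from the thread). Server-side wrapper around rsync:
# the completion flag is touched only when the transfer exits cleanly,
# and the selector returns the newest backup that carries the flag.

# Copy SRC into DST; on clean exit, drop world-writable bits (rsync -a
# preserves the client's modes, which is the P.S. concern above) and
# touch the completion flag. SRC and DST are hypothetical paths.
backup_with_flag() {
    src="$1"; dst="$2"
    mkdir -p "$dst" || return 1
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete "$src/" "$dst/" || return 1
    else
        # constructed fallback for hosts without rsync; not the real transport
        cp -R "$src/." "$dst/" || return 1
    fi
    chmod -R o-w "$dst" || return 1
    touch "$dst/.transfer_complete"
}

# Print the newest directory under ROOT that has a completion flag.
# Directories are assumed to be named so that lexical order is time order
# (e.g. 2008-06-16); the glob sorts them, so the last match wins.
# Returns 1 (prints nothing) when no complete backup exists.
latest_complete_backup() {
    root="$1"; found=""
    for d in "$root"/*/; do
        [ -f "$d.transfer_complete" ] && found="${d%/}"
    done
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Usage (hypothetical paths):
#   backup_with_flag /home/xo-client/staging /var/backups/xo-client/2008-06-16
#   latest_complete_backup /var/backups/xo-client
```

A backup directory that exists but lacks the flag (a transfer that died halfway, or a client that wrote into the tree by hand) is simply never offered to a client by `latest_complete_backup`; the `chmod -R o-w` step means a file that was world-writable on the XO is no longer world-writable once it lands on the XS.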

