- Document preferred method for socket use depending on use case; - Fix Github web-flow key; - Standardize naming of services; - Use sys-ssh in ansible formula; - Start services conditionally with Qubes Service and evaluated by systemd ConditionPathExists= instead of installing on a per qube basis with rc.local scripts; - Change Qusal services to "qusal-" prefix instead of "qubes-" prefix. Fixes: https://github.com/ben-grande/qusal/issues/80 Fixes: https://github.com/ben-grande/qusal/issues/79
3.0 KiB
sys-rsync
Rsync over Qrexec in Qubes OS.
Table of Contents
Description
Creates a Rsync server qube named "sys-rsync" to be a central document
store to which other qubes have access. This is a simple tool that allows
individual qubes read/write access to the store using Rsync, rather than using
qvm-copy
or qvm-move
.
The greatest problem with SSH is that with large file system, it can freeze or be very slow to navigate the directories (not so much with Qrexec as the connection does not go over the network) and chroots need to be configured by the user.
Installation
- Top:
sudo qubesctl top.enable sys-rsync
sudo qubesctl --targets=tpl-sys-rsync,sys-rsync state.apply
sudo qubesctl top.disable sys-rsync
- State:
sudo qubesctl state.apply sys-rsync.create
sudo qubesctl --skip-dom0 --targets=tpl-sys-rsync state.apply sys-rsync.install
sudo qubesctl --skip-dom0 --targets=sys-rsync state.apply sys-rsync.configure
Install on the client template:
sudo qubesctl --skip-dom0 --targets=TEMPLATE state.apply sys-rsync.install-client
The client qube requires the Rsync forwarder service to be enabled:
qvm-features QUBE service.rsync-client 1
Access Control
A qusal.Rsync
service is created to allow use of Rsync over Qrexec. The
default policy asks
if you want to connect with the sys-rsync
qube.
If you want to allow
Rsync between qubes, insert in you user policy file
/etc/qubes/policy.d/30-user.policy
to allow the service using the following
format:
qusal.Rsync * SOURCE @default allow target=TARGET
When the client can change the data on the server, it can also possibly compromise the server or at least make it hold malicious files and propagate the malicious data with client it is connected to.
Usage
Server
The default setting is to have a read/write store at /home/user/shared
,
and a read-only directory at /home/user/archive
. All the usual Rsync
configuration options are available and you can create other shared
directories at will. Additional configuration can be made by editing .conf
files in /usr/local/etc/rsync.d/*.conf
. Because access appears to come from
localhost, host control directives will not work.
If you have more than one rsync server qube, you can use bind-dirs to change the available folders on each server qube.
Client
The Rsync connection is available with the socket localhost:1839
.
Rsync the server shared
read/write directory:
rsync --port=1839 localhost::shared /LOCAL/PATH/TO/RSYNC
Rsync the server archive
read-only directory:
rsync --port=1839 localhost::archive /LOCAL/PATH/TO/RSYNC