
restrict ssh access via rrsync

Fabian Peter Hammerle 5 years ago
parent
commit
1f5a5417ab
4 changed files with 10 additions and 7 deletions
  1. 1 1
      Dockerfile
  2. 7 2
      README.md
  3. 1 2
      rsnapshot.conf.example
  4. 1 2
      sshd_config

+ 1 - 1
Dockerfile

@@ -1,6 +1,6 @@
 FROM alpine:3.8
 
-RUN apk add --no-cache rsync openssh-server
+RUN apk add --no-cache rsync rrsync openssh-server
 
 ENV SSHD_HOST_KEYS_DIR /etc/ssh/host_keys
 VOLUME $SSHD_HOST_KEYS_DIR
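Review bot: The `apk add` line on the new side of this hunk leaves all three packages unpinned and out of alphabetical order, which hadolint DL3018 flags and which means a rebuild of the same Dockerfile can pull a different rrsync or openssh-server than the one this commit was tested with. Sorted and pinned it would read `RUN apk add --no-cache openssh-server=<version> rrsync=<version> rsync=<version>`, where each `<version>` is a placeholder to be taken from the package index that the alpine:3.8 base actually resolves. The remaining instructions of the Dockerfile lie outside this hunk.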

+ 7 - 2
README.md

@@ -1,13 +1,17 @@
-# docker: rsync & openssh-server 🐳
+# docker: openssh-server restricted to rsync 🐳
 
 repo: https://github.com/fphammerle/docker-rsync-sshd
 
 docker hub: https://hub.docker.com/r/fphammerle/rsync-sshd
 
+SSH clients are restricted to `rsync --server` commands via [rrsync](https://download.samba.org/pub/unpacked/rsync/support/rrsync).
+
+rrsync prefixes `/data` to all paths (e.g., `rsync ... host:/src /backup` downloads `/data/src`).
+
 ## example 1
 
 ```sh
-$ docker run --name=rsync-sshd -p 2022:22 -e USERS=alice,bob fphammerle/rsync-sshd
+$ docker run --name=rsync-sshd -p 2022:22 -e USERS=alice,bob -v rsync-data:/data:ro fphammerle/rsync-sshd
 $ docker cp alice-keys rsync-sshd:/home/alice/.ssh/authorized_keys
 $ docker cp bob-keys rsync-sshd:/home/bob/.ssh/authorized_keys
 ```
@@ -17,6 +21,7 @@ $ docker cp bob-keys rsync-sshd:/home/bob/.ssh/authorized_keys
 ```
 $ docker run --name rsync-sshd \
     --publish 2022:22 --env USERS=alice,bob \
+    --volume accessible-data:/data:ro \
     --volume host-keys:/etc/ssh/host_keys \
     --volume alice-ssh-config:/home/alice/.ssh:ro \ 
     --volume bob-ssh-config:/home/bob/.ssh:ro \ 

+ 1 - 2
rsnapshot.conf.example

@@ -29,5 +29,4 @@ ssh_args	-p 2022
 
 sync_first	1
 
-backup	alice@localhost:/home/alice		rsync-sshd-docker
-backup	alice@localhost:/etc		rsync-sshd-docker
+backup	alice@localhost:/		data-volume

+ 1 - 2
sshd_config

@@ -15,6 +15,7 @@ StrictModes no
 # separated by spaces
 AllowUsers _
 
+ForceCommand /usr/bin/rrsync /data
 AllowAgentForwarding no
 AllowTcpForwarding no
 GatewayPorts no
@@ -22,5 +23,3 @@ X11Forwarding no
 PermitUserEnvironment no
 PermitTTY no
 PrintMotd no
-
-# TODO consider chroot
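Review bot: `ForceCommand /usr/bin/rrsync /data` in the first hunk of this file grants both read and write access under `/data`, because rrsync without a mode flag accepts sending and receiving `rsync --server` invocations alike; the README examples on this page mount the volume `:ro`, so at present only the mount option, not sshd, stops a client from uploading into the data directory. If the image is intended purely as a backup source, `ForceCommand /usr/bin/rrsync -ro /data` enforces read-only at the SSH layer regardless of how an operator happens to mount the volume. The rest of sshd_config, including the directives preceding `StrictModes no`, is outside these two hunks.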