Simplify the install of rsync-ssl by unifying 2 scripts.

Makefile.in

@@ -74,10 +74,8 @@ all: Makefile rsync$(EXEEXT) stunnel-rsyncd.conf man
 .PHONY: install
 install: all
 	-${MKDIR_P} ${DESTDIR}${bindir}
-	-${MKDIR_P} ${DESTDIR}${libdir}
 	${INSTALLCMD} ${INSTALL_STRIP} -m 755 rsync$(EXEEXT) ${DESTDIR}${bindir}
 	${INSTALLCMD} -m 755 rsync-ssl ${DESTDIR}${bindir}
-	${INSTALLCMD} -m 755 ssl-rsh ${DESTDIR}${libdir}
 	-${MKDIR_P} ${DESTDIR}${mandir}/man1
 	-${MKDIR_P} ${DESTDIR}${mandir}/man5
 	if test -f rsync.1; then ${INSTALLMAN} -m 644 rsync.1 ${DESTDIR}${mandir}/man1; fi

NEWS.md

@@ -88,12 +88,13 @@ Protocol: 31 (unchanged)
 
  - Added the `--write-devices` option based on the long-standing patch.
 
- - Added openssl support to the rsync-ssl script via a (lib installed) helper
-   script, ssl-rsh.  Both bash scripts are now installed by default, removing
-   the install-ssl-client make target.  Rsync was also enhanced to set the
-   `RSYNC_PORT` environment variable when running a daemon-over-rsh script. Its
-   value is the user-specified port number (set via `--port` or an rsync://
-   URL) or 0 if the user didn't override the port.
+ - Added openssl support to the rsync-ssl script, which is now installed by
+   default.  This script was unified with the stunnel-rsync helper script to
+   simplify packaging.
+
+ - Rsync was enhanced to set the `RSYNC_PORT` environment variable when running
+   a daemon-over-rsh script. Its value is the user-specified port number (set
+   via `--port` or an rsync:// URL) or 0 if the user didn't override the port.
 
  - Added the `haproxy header` daemon parameter that allows your rsyncd to know
    the real remote IP when it is being proxied.

packaging/lsb/rsync.spec

@@ -70,7 +70,6 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) /etc/xinetd.d/rsync
 %{_prefix}/bin/rsync
 %{_prefix}/bin/rsync-ssl
-%{_prefix}/lib/rsync/ssl-rsh
 %{_mandir}/man1/rsync.1*
 %{_mandir}/man1/rsync-ssl.1*
 %{_mandir}/man5/rsyncd.conf.5*

prepare-source

@@ -31,13 +31,13 @@ for action in "${@}"; do
 	else
 	    files='[cap]*'
 	fi
-	rsync -ipe ./ssl-rsh rsync://download.samba.org/rsyncftp/generated-files/"$files" .
+	./rsync-ssl -ip rsync://download.samba.org/rsyncftp/generated-files/"$files" .
 	;;
     fetchgen)
-	rsync -ipe ./ssl-rsh rsync://download.samba.org/rsyncftp/generated-files/'*' .
+	./rsync-ssl -ip rsync://download.samba.org/rsyncftp/generated-files/'*' .
 	;;
     fetchSRC)
-	rsync -ipre ./ssl-rsh --exclude=/.git/ rsync://download.samba.org/ftp/pub/unpacked/rsync/ .
+	./rsync-ssl -ipr --exclude=/.git/ rsync://download.samba.org/ftp/pub/unpacked/rsync/ .
 	;;
     *)
 	echo "Unknown action: $action"

rsync-ssl

@@ -1,23 +1,167 @@
 #!/bin/bash
+
 # This script supports using stunnel or openssl to secure an rsync daemon connection.
-# The first option can be --type=stunnel or --type=openssl to choose your connection
-# type (overriding any $RSYNC_SSL_TYPE default value).
+
+# By default this script takes rsync args and hands them off to the actual
+# rsync command with an --rsh option that makes it open an SSL connection to an
+# rsync daemon.  See the rsync-ssl manpage for usage details and env variables.
+
+# When the first arg is --HELPER, we are being used by rsync as an --rsh helper
+# script, and the args are (note the trailing dot):
+#
+#    rsync-ssl --HELPER HOSTNAME rsync --server --daemon .
+#
+# --HELPER is not a user-facing option, so it is not documented in the manpage.
+
+# The first SSL setup was based on:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
+# Note that an stunnel connection requires at least version 4.x of stunnel.
+
+function rsync_ssl_run {
+    case "$*" in
+    *rsync://*) ;;
+    *::*) ;;
+    *)
+	echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
+	exit 1
+	;;
+    esac
+
+    exec rsync --rsh="$0 --HELPER" "${@}"
+}
+
+function rsync_ssl_helper {
+    if [[ -z "$RSYNC_SSL_TYPE" ]]; then
+	found=`path_search stunnel4 stunnel openssl` || exit 1
+	if [[ "$found" == */openssl ]]; then
+	    RSYNC_SSL_TYPE=openssl
+	    RSYNC_SSL_OPENSSL="$found"
+	else
+	    RSYNC_SSL_TYPE=stunnel
+	    RSYNC_SSL_STUNNEL="$found"
+	fi
+    fi
+
+    case "$RSYNC_SSL_TYPE" in
+	openssl)
+	    if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
+		RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
+	    fi
+	    optsep=' '
+	    ;;
+	stunnel)
+	    if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
+		RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
+	    fi
+	    optsep=' = '
+	    ;;
+	*)
+	    echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
+	    exit 1
+	    ;;
+    esac
+
+    if [[ -z "$RSYNC_SSL_CERT" ]]; then
+	certopt=""
+    else
+	certopt="cert$optsep$RSYNC_SSL_CERT"
+    fi
+
+    if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
+	# RSYNC_SSL_CA_CERT unset - default CA set AND verify:
+	# openssl:
+	caopt="-verify_return_error -verify 4"
+	# stunnel:
+	cafile=""
+	verify=0
+    elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
+	# RSYNC_SSL_CA_CERT set but empty -do NO verifications:
+	# openssl:
+	caopt="-verify 1"
+	# stunnel:
+	cafile=""
+	verify=0
+    else
+	# RSYNC_SSL_CA_CERT set - use CA AND verify:
+	# openssl:
+	caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+	# stunnel:
+	cafile="CAfile = $RSYNC_SSL_CA_CERT"
+	verify=3
+    fi
+
+    port="${RSYNC_PORT:-0}"
+    if [[ "$port" == 0 ]]; then
+	port="${RSYNC_SSL_PORT:-874}"
+    fi
+
+    # If the user specified USER@HOSTNAME::module, then rsync passes us
+    # the -l USER option too, so we must be prepared to ignore it.
+    if [[ "$1" == "-l" ]]; then
+	shift 2
+    fi
+
+    hostname="$1"
+    shift
+
+    if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
+	echo "Usage: rsync-ssl --HELPER HOSTNAME rsync --server --daemon ." 1>&2
+	exit 1
+    fi
+
+    if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+    else
+	# devzero@web.de came up with this no-tmpfile calling syntax:
+	exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
+foreground = yes
+debug = crit
+connect = $hostname:$port
+client = yes
+TIMEOUTclose = 0
+verify = $verify
+$certopt
+$cafile
+EOF
+    fi
+}
+
+function path_search {
+    IFS_SAVE="$IFS"
+    IFS=:
+    for prog in "${@}"; do
+	for dir in $PATH; do
+	    [[ -z "$dir" ]] && dir=.
+	    if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
+		echo "$dir/$prog"
+		IFS="$IFS_SAVE"
+		return 0
+	    fi
+	done
+    done
+
+    IFS="$IFS_SAVE"
+    echo "Failed to find on your path: $*" 1>&2
+    echo "See the rsync-ssl manpage for configuration assistance." 1>&2
+    return 1
+}
+
+if [[ "$#" == 0 ]]; then
+    echo "Usage: rsync-ssl [--type=openssl|stunnel] RSYNC_OPTION [...]" 1>&2
+    exit 1
+fi
+
+if [[ "$1" = --help || "$1" = -h ]]; then
+    exec rsync --help
+fi
+
+if [[ "$1" == --HELPER ]]; then
+    shift
+    rsync_ssl_helper "${@}"
+fi
 
 if [[ "$1" == --type=* ]]; then
     export RSYNC_SSL_TYPE="${1/--type=/}"
     shift
 fi
 
-case "$@" in
-*rsync://*) ;;
-*::*) ;;
-*)
-    echo "You must use rsync-ssl with a daemon-style hostname." 1>&2
-    exit 1
-    ;;
-esac
-
-mydir="${0%/*}"
-libdir="$mydir/../lib/rsync"
-
-exec "$mydir/rsync" --rsh="$libdir/ssl-rsh" "${@}"
+rsync_ssl_run "${@}"

rsync-ssl.1.md

@@ -26,9 +26,6 @@ All the other options are passed through to the rsync command, so consult the
 Note that the stunnel connection type requires at least version 4 of stunnel,
 which should be the case on modern systems.
 
-This script requires that a helper script named **ssl-rsh** be installed the
-@LIBDIR@ dir so that rsync can use it as its remote-shell command.
-
 # ENVIRONMENT VARIABLES
 
 The ssl helper scripts are affected by the following environment variables:
@@ -58,10 +55,6 @@ The ssl helper scripts are affected by the following environment variables:
 
 >     rsync-ssl --type=openssl -aiv example.com::src/ dest
 
-# FILES
-
-@LIBDIR@/ssl-rsh
-
 # SEE ALSO
 
 **rsync**(1), **rsyncd.conf**(5)

ssl-rsh

@@ -1,127 +0,0 @@
-#!/bin/bash
-# This must be called as (note the trailing dot):
-#
-#    ssl-rsh HOSTNAME rsync --server --daemon .
-#
-# ... which is typically done via the rsync-ssl script, which results in something like this:
-#
-#    rsync --rsh=/usr/lib/rsync/ssl-rsh -aiv HOSTNAME::module [ARGS]
-#
-# This SSL setup based on the files by:  http://dozzie.jarowit.net/trac/wiki/RsyncSSL
-# Note that an stunnel connection requires at least version 4.x of stunnel.
-
-# The environment can override our defaults using RSYNC_SSL_* variables. See `man rsync-ssl`.
-
-function path_search {
-    IFS_SAVE="$IFS"
-    IFS=:
-    for prog in "${@}"; do
-	for dir in $PATH; do
-	    [[ -z "$dir" ]] && dir=.
-	    if [[ -f "$dir/$prog" && -x "$dir/$prog" ]]; then
-		echo "$dir/$prog"
-		IFS="$IFS_SAVE"
-		return 0
-	    fi
-	done
-    done
-
-    IFS="$IFS_SAVE"
-    echo "Failed to find on your path: $*" 1>&2
-    echo "See the rsync-ssl manpage for configuration assistance." 1>&2
-    return 1
-}
-
-if [[ -z "$RSYNC_SSL_TYPE" ]]; then
-    found=`path_search stunnel4 stunnel openssl` || exit 1
-    if [[ "$found" == */openssl ]]; then
-	RSYNC_SSL_TYPE=openssl
-	RSYNC_SSL_OPENSSL="$found"
-    else
-	RSYNC_SSL_TYPE=stunnel
-	RSYNC_SSL_STUNNEL="$found"
-    fi
-fi
-
-case "$RSYNC_SSL_TYPE" in
-    openssl)
-	if [[ -z "$RSYNC_SSL_OPENSSL" ]]; then
-	    RSYNC_SSL_OPENSSL=`path_search openssl` || exit 1
-	fi
-	optsep=' '
-	;;
-    stunnel)
-	if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
-	    RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
-	fi
-	optsep=' = '
-	;;
-    *)
-	echo "The RSYNC_SSL_TYPE specifies an unknown type: $RSYNC_SSL_TYPE" 1>&2
-	exit 1
-	;;
-esac
-
-if [[ -z "$RSYNC_SSL_CERT" ]]; then
-    certopt=""
-else
-    certopt="cert$optsep$RSYNC_SSL_CERT"
-fi
-
-if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
-    # RSYNC_SSL_CA_CERT unset - default CA set AND verify:
-    # openssl:
-    caopt="-verify_return_error -verify 4"
-    # stunnel:
-    cafile=""
-    verify=0
-elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
-    # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
-    # openssl:
-    caopt="-verify 1"
-    # stunnel:
-    cafile=""
-    verify=0
-else
-    # RSYNC_SSL_CA_CERT set - use CA AND verify:
-    # openssl:
-    caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
-    # stunnel:
-    cafile="CAfile = $RSYNC_SSL_CA_CERT"
-    verify=3
-fi
-
-port="${RSYNC_PORT:-0}"
-if [[ "$port" == 0 ]]; then
-    port="${RSYNC_SSL_PORT:-874}"
-fi
-
-# If the user specified USER@HOSTNAME::module, then rsync passes us
-# the -l USER option too, so we must be prepared to ignore it.
-if [[ "$1" == "-l" ]]; then
-    shift 2
-fi
-
-hostname="$1"
-shift
-
-if [[ -z "$hostname" || "$1" != rsync || "$2" != --server || "$3" != --daemon ]]; then
-    echo "Usage: ssl-rsh HOSTNAME rsync --server --daemon ." 1>&2
-    exit 1
-fi
-
-if [[ $RSYNC_SSL_TYPE == openssl ]]; then
-    exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
-else
-    # devzero@web.de came up with this no-tmpfile calling syntax:
-    exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
-foreground = yes
-debug = crit
-connect = $hostname:$port
-client = yes
-TIMEOUTclose = 0
-verify = $verify
-$certopt
-$cafile
-EOF
-fi