security, unix, rsync, chroot

how to safely receive files from end-users via rsync


I'd like to allow users of my web application to upload the contents of a directory via rsync. These are just users who've signed up online, so I don't want to create permanent unix accounts for them, and I want to ensure that whatever files they upload are stored on my server only under a directory specific to their account. Ideally, the flow would be something like this:

  1. user says "I'd like to update my files with rsync" via authenticated web UI
  2. server says "OK, please run: rsync /path/to/yourfiles uploaduser123abc@myserver:/"
  3. client runs that, updating whatever files have changed onto the server
    • upload location is chrooted or something -- we want to ensure client only writes to files under a designated directory on the server
    • ideally, client doesn't need to enter a password - the 123abc in the username is enough of a secret token to keep this one rsync transaction secure, and after the transaction this token is destroyed - no more rsyncs until a new step 1 occurs.
  4. server has an updated set of user's files.

If you've used Google AppEngine, the desired behavior is similar to its "update" command -- it sends only the changed files to appengine for hosting.

What's the best approach for implementing something like this? Would it be to create one-off users and then run an rsync daemon in a chroot jail under those accounts? Are there any libraries (preferably Python) or scripts that might do something like this?


Solution

  • You can run ssh jailrooted and rsync normally, just use PAM to authenticate against an "alternate" authdb.
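One way to wire up the chrooted-ssh half of that answer, as an added example that is not part of the original post: the sshd_config Match block shown in the comments (an assumption, as are the group name, paths and script name) confines each one-off account to its own directory, and this wrapper, installed as the ForceCommand, admits only a server-side, receiving rsync and refuses anything else the client might ask sshd to run.

```shell
#!/bin/sh
# Constructed example (not from the original post): an sshd ForceCommand
# wrapper for the one-off upload accounts. Assumed sshd_config stanza:
#
#   Match Group rsyncupload
#       ChrootDirectory /srv/uploads/%u
#       ForceCommand /usr/local/bin/rsync-only.sh
#       AllowTcpForwarding no
#       X11Forwarding no
#
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND. sshd
# insists that the chroot root be root-owned and not user-writable, so the
# account writes into a subdirectory (assumed: /files inside the chroot) and
# the client is told to target uploaduser123abc@myserver:/files.

# Returns 0 when $1 is a receive-only "rsync --server" command that stays
# inside the chroot, 1 otherwise.
check_rsync_command() {
    cmd="$1"
    case "$cmd" in
        "rsync --server "*) ;;  # only rsync in server mode is admitted
        *) return 1 ;;
    esac
    case "$cmd" in
        *--sender*) return 1 ;; # the account may push files, never pull them
    esac
    case "$cmd" in
        # options that make rsync read or write files outside the transfer
        *--rsh*|*--files-from*|*--log-file*|*--remove-source-files*) return 1 ;;
    esac
    case "$cmd" in
        # the string is re-split by the shell below, so refuse metacharacters,
        # and refuse any path component that climbs above the upload root
        *[\;\|\&\$\`\'\"\<\>\(\)]*|*..*) return 1 ;;
    esac
    return 0
}

run_forced_command() {
    if check_rsync_command "${SSH_ORIGINAL_COMMAND:-}"; then
        # word-splitting is intended: the string was validated above
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "this account accepts rsync uploads only" >&2
    exit 1
}

case "${SSH_ORIGINAL_COMMAND:-}" in
    "") ;;                  # not started by sshd: only define the functions
    *) run_forced_command ;;
esac
```

rsync ships a more complete wrapper of this kind, rrsync, which is the better choice in production; the PAM side of the answer (authenticating the one-off names against a separate user database) is configured independently of this script.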