10-24-2005
Up2L8

Re: Multiple initiators, single sync user

In case anyone else is curious I will post my workaround using rexec -

- Create C wrapper that does a setuid:
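#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define PROGNAME "/usr/bin/rsync"
#define USER "USER=USER"
#define HOME "HOME=USER/HOME/PATH"
#define IFS "IFS= \t\n"

int main(int argc, char *argv[]) {
    /* Set known USER, IFS and HOME values for the child process. */
    putenv(USER);
    putenv(IFS);
    putenv(HOME);
    /* setuid to the effective UID, i.e. the owner of the setuid wrapper. */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }
    execv(PROGNAME, argv);
    /* execv only returns if it failed. */
    perror("execv");
    return 1;
}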

- chmod 4711 the wrapper
- use --rsh=rexec on rsync cmd line
- put machine/user/pass in HOME/.netrc (chmod 600)

When rexec is run by rsync it is setuid (rsh is setuid root so this
does not work). It reads the read-only .netrc in the HOME path and
sends the password through rexec. The obvious security hole here
(besides any setuid gotchas) is that the password is sent cleartext via
rexec. Oh well.. good enough for me!

Eric

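As an added example (not part of the original post and not the poster's code), here is the same wrapper idea with two of the "setuid gotchas" addressed: the caller's environment is replaced by a fixed one, and the wrapper refuses to start rsync unless .netrc is a regular file owned by the effective user with no group/other permissions. `syncuser`, `/home/syncuser` and the PATH value are hypothetical placeholders.

```c
/* Added example, not the poster's code. SYNC_USER, SYNC_HOME and the PATH
 * value are hypothetical placeholders; adjust before use. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#define PROGNAME  "/usr/bin/rsync"
#define SYNC_USER "syncuser"          /* assumption */
#define SYNC_HOME "/home/syncuser"    /* assumption */

/* Fill envp with a fixed environment; nothing is inherited from the caller.
 * Returns the number of entries, or -1 if cap is too small. */
int build_env(char **envp, size_t cap) {
    static char *fixed[] = {
        "USER=" SYNC_USER, "HOME=" SYNC_HOME,
        "IFS= \t\n", "PATH=/usr/bin:/bin",
    };
    size_t n = sizeof fixed / sizeof fixed[0];
    if (cap < n + 1) return -1;
    for (size_t i = 0; i < n; i++) envp[i] = fixed[i];
    envp[n] = NULL;
    return (int)n;
}

/* 1 if path is a regular file owned by the effective user with no
 * group/other permission bits (e.g. mode 600), else 0. */
int netrc_is_private(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == geteuid()
        && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(int argc, char *argv[]) {
    char *envp[8];
    if (argc < 1 || build_env(envp, 8) < 0) return 1;
    if (!netrc_is_private(SYNC_HOME "/.netrc")) {
        fprintf(stderr, "refusing to run: .netrc missing or not private\n");
        return 1;
    }
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; }
    execve(PROGNAME, argv, envp);   /* returns only on failure */
    perror("execve");
    return 1;
}
```

This does not change the cleartext password exposure over rexec that the post points out.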