rsync over ssh - possible attack vectors

Matt McCutchen matt at mattmccutchen.net
Fri Apr 16 08:30:04 MDT 2010


On Fri, 2010-04-16 at 02:16 +0200, George Sullivan wrote:
> user1@localserver:$ rsync -rtcve ssh user1@remoteserver:/.../ /local/.../

> But what I'm interested in is what happens if remoteserver
> is compromised?

> Could attacker X on
> remoteserver alter the rsync binary in such a way so it can traverse
> and change or read arbitrary files on localserver? Does running above
> command execute remote code or give remoteserver any kind of system
> access to localserver  (does the ssh tunnel work both ways???)
> or is it "pumping" data through a dumb pipe just like for example rsync
> over a samba share would and leaving all control to local?

You are wise to ask this question!

The remote server can change arbitrary files on the local server by
sending a symlink and then using paths that go through the symlink.  The
current development rsync has a --munge-links option to prevent that.
Unfortunately, that option is not available in the 3.0.x branch at this
time.

Aside from symlinks, the command is supposed to just pull data without
letting the remote server engage in any mischief on the local machine.
However, I don't know of anyone having done a thorough code review to
make sure that is the case.  The codebase is large and complex,
especially with the addition of incremental recursion, and I would be
foolish to assert that there's no way to exploit it.

The safest approach would be to run the rsync client with reduced
privileges.  If appropriate, you can use --fake-super to store
privileged attributes.

-- 
Matt
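
A post-transfer check for the symlink risk described in the reply above, as an added example that is not part of the original post or of rsync: it walks a destination directory and reports every symlink whose resolved target falls outside it. The function names and the constructed demo tree are assumptions made for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """Return sorted (relative_path, link_target) pairs for every symlink
    under root whose fully resolved target lies outside root."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: list symlinked directories but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            # Resolve relative to the link's own directory. realpath follows
            # chains, so a link to another link that leaves root is caught.
            resolved = os.path.realpath(os.path.join(dirpath, target))
            if os.path.commonpath([root_real, resolved]) != root_real:
                findings.append((os.path.relpath(path, root_real), target))
    return sorted(findings)


def demo():
    """Audit a constructed destination tree (sample data, not from the post)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(dest, "data"))
        os.mkdir(outside)
        os.symlink("data", os.path.join(dest, "ok"))  # stays inside
        os.symlink("../../outside", os.path.join(dest, "data", "up"))  # relative escape
        os.symlink(outside, os.path.join(dest, "abs"))  # absolute escape
        os.symlink("data/up", os.path.join(dest, "hop"))  # escapes via a chain
        return find_escaping_symlinks(dest)


if __name__ == "__main__":
    for rel_path, target in demo():
        print(f"escapes destination: {rel_path} -> {target}")
```

This finds links left in the tree after a pull; it does not stop writes made through such a link during the transfer, which is what the reply's advice on --munge-links and reduced privileges addresses.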


