<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On Thursday 29 August 2013 11:46 PM,
Wayne Davison wrote:<br>
</div>
<blockquote
cite="mid:CAHSx_SukjYP3qegrYngAp5A0xfO1ikssg=72vqvkp=+xDX2edw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">On Tue, Aug 27, 2013 at 8:03 PM, Sherin
A <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sherinmon@gmail.com" target="_blank">sherinmon@gmail.com</a>></span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hope
they will report it as a vulnerability , because this POC
has been exploited successfully and it is affected by all
software that use rsync as a backup and restore tool.</blockquote>
</div>
<br>
This is totally false. The vulnerability is your insecure use
of chown, so you are shooting yourself in the foot. You could
accomplish the same bad sequence of copying/restoring using
any backup tool.</div>
<div class="gmail_extra">
<br>
</div>
<div class="gmail_extra">If you want to use a non-root backup
store, just use --fake-super on the remote side, as previously
mentioned (and ensure that xattrs are enabled there).<br>
<br clear="all">
<div>..wayne..</div>
</div>
</div>
</blockquote>
So you are saying the chown is insecure . So as per your suggestion
, I need to read each and every file of the user and do the chown of
only required files ? Well I think it may take a little more time
to check one million files of a user :( . Fake user won't work in
push backups.<br>
<br>
<pre class="moz-signature" cols="72">--
--------------------------------------
Regards
Sherin A
<a class="moz-txt-link-freetext" href="http://www.sherin.co.in/">http://www.sherin.co.in/</a>
</pre>
</body>
</html>