[SCM] The rsync repository. - branch master updated

Rsync CVS commit messages rsync-cvs at lists.samba.org
Fri Sep 9 17:49:26 UTC 2022

The branch, master has been updated
       via  5447d038 Mention a potential bash security issue with openssh forced commands.
      from  71177363 A few more minor tweaks.


- Log -----------------------------------------------------------------
commit 5447d038c66dbe8de0cd5db1bc1e60d111bc9880
Author: Wayne Davison <wayne at opencoder.net>
Date:   Fri Sep 9 10:47:09 2022 -0700

    Mention a potential bash security issue with openssh forced commands.


Summary of changes:
 support/rrsync.1.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

Changeset truncated at 500 lines:

diff --git a/support/rrsync.1.md b/support/rrsync.1.md
index a7365323..98f2cab0 100644
--- a/support/rrsync.1.md
+++ b/support/rrsync.1.md
@@ -22,6 +22,10 @@ transfer in one of two easy ways:
 * forcing the running of the rrsync script
 * forcing the running of an rsync daemon-over-ssh command.
+Both of these setups use a feature of ssh that allows a command to be forced to
+run instead of an interactive shell.  However, if the user's home shell is bash,
+please see [BASH SECURITY ISSUE](#) for a potential issue.
 To use the rrsync script, edit the user's `~/.ssh/authorized_keys` file and add
 a prefix like one of the following (followed by a space) in front of each
 ssh-key line that should be restricted:
@@ -107,6 +111,26 @@ overrides.
 The script (or a copy of it) can be manually edited if you want it to customize
 the option handling.
+If your users have bash set as their home shell, bash may try to be overly
+helpful and ensure that the user's login bashrc files are run prior to
+executing the forced command.  This can be a problem if the user can somehow
+update their home bashrc files, perhaps via the restricted copy, a shared home
+directory, or something similar.
+One simple way to avoid the issue is to switch the user to a simpler shell,
+such as dash.  When choosing the new home shell, make sure that you're not
+choosing bash in disguise, as it is unclear if it avoids the security issue.
+Another potential fix is to ensure that the user's home directory is not a
+shared mount and that they have no means of copying files outside of their
+restricted directories.  This may require you to force the enabling of symlink
+munging on the server side.
+A future version of openssh may have a change to the handling of forced
+commands that allows it to avoid using the user's home shell.
 The `~/.ssh/authorized_keys` file might have lines in it like this:

The rsync repository.

More information about the rsync-cvs mailing list