Client can trick daemon into running server code with am_server == 0

Qi Yong qiyong at fc-cn.com
Thu Feb 15 05:55:43 GMT 2007


Matt McCutchen wrote:

> Dear rsync people (particularly Wayne),
>
> I noticed that an rsync daemon counts on the client sending a --server
> option so that am_server gets set to 1.  If the client doesn't supply


This can only happen in the remote-shell situcation, not at any 
anonymous connections.
So I think it's safe imho.

> this option, am_server remains 0 but the daemon runs start_server
> anyway.  This is potentially dangerous and might lead to a security
> hole, although I haven't found one yet.  I suggest that the daemon
> either set am_server = 1 explicitly or drop the connection with an
> error if the client doesn't supply --server. 

-- 

Qi Yong



More information about the rsync mailing list