Client can trick daemon into running server code with am_server == 0

Qi Yong qiyong at
Thu Feb 15 05:55:43 GMT 2007

Matt McCutchen wrote:

> Dear rsync people (particularly Wayne),
> I noticed that an rsync daemon counts on the client sending a --server
> option so that am_server gets set to 1.  If the client doesn't supply

This can only happen in the remote-shell situcation, not at any 
anonymous connections.
So I think it's safe imho.

> this option, am_server remains 0 but the daemon runs start_server
> anyway.  This is potentially dangerous and might lead to a security
> hole, although I haven't found one yet.  I suggest that the daemon
> either set am_server = 1 explicitly or drop the connection with an
> error if the client doesn't supply --server. 


Qi Yong

More information about the rsync mailing list