Rsync-daemon security advisories for writable daemons

Wayne Davison wayned at samba.org
Tue Nov 27 22:01:27 GMT 2007


There are two security advisories for people who run a writable rsync
daemon.  One affects only those with "use chroot = no" (which is not a
very safe combination in general), and one affects a daemon that has
daemon-excluded files that are being hidden in a module's hierarchy.
Included are simple config-change suggestions that should help you to
avoid the security issues.  These advisories affect all rsync versions.

Advisory #1:

If you are running a writable rsync daemon with "use chroot = no", there
is at least one way for someone to trick rsync into creating a symlink
that points outside of the module's hierarchy.

This means that if you are allowing access from users who you don't
trust, you should either figure out a way to turn on "use chroot",
or configure the daemon to refuse the --links option (see "refuse
options" in the rsyncd.conf manpage) which will disable the ability of
the rsync module to receive symlinks.  After doing so, you should also
check that any existing symlinks in the daemon hierarchy are safe.
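The advisory leaves the "check that existing symlinks are safe" step to the admin. The following is an added helper script, not part of the advisory or of rsync itself, that walks a module's path and reports every symlink whose resolved target falls outside that path (the condition a non-chroot daemon cannot otherwise protect against). It assumes GNU or BusyBox `find` and `readlink -f`; the module path argument is whatever your rsyncd.conf "path" setting names.

```shell
#!/bin/sh
# Added example (not from the advisory): report symlinks under a module
# root whose resolved target lies outside that root.
# Usage: find_escaping_symlinks /path/to/module
# Output: one "link -> raw target" line per escaping symlink; nothing
# printed means every symlink stays inside the module hierarchy.
find_escaping_symlinks() {
    # Canonicalise the root first so that /tmp -> /private/tmp style
    # aliases on the root itself do not produce false positives.
    root=$(readlink -f "$1") || return 2

    find "$root" -type l -print | while IFS= read -r link; do
        # Fully resolve the link (follows chains of symlinks too).
        # If an intermediate directory is missing, readlink -f prints
        # nothing, and the empty target is then reported as escaping,
        # which is the safe side for a dangling link.
        target=$(readlink -f "$link" 2>/dev/null)
        case "$target" in
            "$root"|"$root"/*)
                ;;   # resolves inside the module: fine
            *)
                printf '%s -> %s\n' "$link" "$(readlink "$link")"
                ;;
        esac
    done
}
```

Run it against each writable module's path before and after enabling "refuse options = --links"; anything it prints should be removed or replaced with a copy of the data, since a relative link such as `../outside/secret` and an absolute one such as `/etc/passwd` both resolve past the module boundary once chroot is off.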

Starting with the 3.0.0-pre6 release, there will be a new daemon option
available: "munge symlinks".  This will allow an rsync daemon to accept
symlinks and return them intact (with even a leading slash still there,
which is new for a non-chroot daemon), but will not allow the symlinks
to be used while they are in the daemon's hierarchy.  For those running
2.6.9, there is a patch to enable this option:

    http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff

Any admin applying that patch should read the "munge symlinks" section
of the modified rsyncd.conf manpage for more information.  You can also
read about this option in the latest manpage from the dev version:

    http://rsync.samba.org/ftp/rsync/nightly/rsyncd.conf.html

Advisory #2:

If you are running a writable rsync daemon that is using one of the
"exclude", "exclude from", or "filter" options in the rsyncd.conf file
to hide data from your users, you should be aware that there are tricks
that a user can play with symlinks and/or certain options that can allow
a user that knows the name of a hidden file to access it or overwrite it
(if file permissions allow that).

You can avoid the symlink problem using the suggestions for Advisory #1.

You can avoid the problems with other options by putting the following
"refuse options" setting into your rsyncd.conf file:

    refuse options = --*-dest --partial-dir --backup-dir

An upcoming release of rsync 3.0.0 will hopefully fix the daemon-exclude
validation of these options to make this unnecessary, but this has not
yet been implemented.

If you combine the above refuse options with the prior suggestion to
refuse --links, that would give you this list of options (included here
for easier copy/pasting):

    refuse options = --links --*-dest --partial-dir --backup-dir
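As an added illustration (not a configuration shipped with rsync or given in the advisory), here is a writable module stanza in the shape both advisories warn about, followed by the same module with the suggested settings applied. The module name, path, user and secrets file are placeholders; "munge symlinks" is only understood by 3.0.0-pre6 or a 2.6.9 daemon carrying the patch linked above.

```ini
# BEFORE: the combination the advisories describe.  Writable, not
# chrooted, and relying on a daemon-side exclude to hide a file.
[backup]
    path = /srv/rsync/backup
    read only = no
    use chroot = no
    exclude = /private/***
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets

# AFTER: the advisory's suggestions applied to the same module.
# Advisory #1: prefer "use chroot = yes"; where that is impossible,
# keep chroot off but refuse --links (or use "munge symlinks" on a
# daemon that supports it).  Advisory #2: refuse the options that
# can reach a daemon-excluded path by name.
[backup]
    path = /srv/rsync/backup
    read only = no
    use chroot = yes
    exclude = /private/***
    refuse options = --links --*-dest --partial-dir --backup-dir
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets

# Non-chroot variant for a daemon that has the munge-symlinks option:
# symlinks are accepted and returned intact but are unusable inside
# the module hierarchy, so --links need not be refused.
[backup-nochroot]
    path = /srv/rsync/backup
    read only = no
    use chroot = no
    munge symlinks = yes
    exclude = /private/***
    refuse options = --*-dest --partial-dir --backup-dir
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
```

After changing the file, confirm the refusal is in effect from a client by attempting a transfer with one of the refused options; the daemon answers with an error naming the refused option rather than performing the transfer.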

Finally, a big "thank you" to Matt McCutchen for his security work in
discovering and reporting these problems, suggesting avoidance options,
and helping me to test my munge-symlinks patch.

..wayne..