DO NOT REPLY [Bug 5457] New: Add a client-side --munge-symlinks
option
samba-bugs at samba.org
samba-bugs at samba.org
Sat May 10 23:24:57 GMT 2008
https://bugzilla.samba.org/show_bug.cgi?id=5457
Summary: Add a client-side --munge-symlinks option
Product: rsync
Version: 3.0.3
Platform: Other
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P3
Component: core
AssignedTo: wayned at samba.org
ReportedBy: matt at mattmccutchen.net
QAContact: rsync-qa at samba.org
Just as we have worked hard recently to secure daemons from untrusted clients,
I think we should try to secure clients that pull data from untrusted daemons.
One of the easiest ways a daemon could compromise a client is to send a symlink
to a sensitive area and a file under the symlink, e.g., "foo" -> "/home/matt"
and "foo/.ssh/authorized_keys". This is essentially the same exploit that
necessitates symlink munging for not-purely-chroot daemon modules, just turned
around.
I would like to be able to prevent this exploit while still storing some
representation of the daemon's symlinks in the destination. A natural way to
support this would be to add a client-side option --munge-symlinks that munges
received symlinks and unmunges sent symlinks just like the daemon parameter.
(Of course, the prefix "/rsyncd-munged/" isn't quite accurate for a client, but
let's use it anyway for compatibility.) --munge-symlinks would also make it
possible to work around bug 4037 when the receiver is not a daemon.
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
More information about the rsync
mailing list