DO NOT REPLY [Bug 5457] New: Add a client-side --munge-symlinks option

samba-bugs at samba-bugs at
Sat May 10 23:24:57 GMT 2008

           Summary: Add a client-side --munge-symlinks option
           Product: rsync
           Version: 3.0.3
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: core
        AssignedTo: wayned at
        ReportedBy: matt at
         QAContact: rsync-qa at

Just as we have worked hard recently to secure daemons from untrusted clients,
I think we should try to secure clients that pull data from untrusted daemons. 
One of the easiest ways a daemon could compromise a client is to send a symlink
to a sensitive area and a file under the symlink, e.g., "foo" -> "/home/matt"
and "foo/.ssh/authorized_keys".  This is essentially the same exploit that
necessitates symlink munging for not-purely-chroot daemon modules, just turned

I would like to be able to prevent this exploit while still storing some
representation of the daemon's symlinks in the destination.  A natural way to
support this would be to add a client-side option --munge-symlinks that munges
received symlinks and unmunges sent symlinks just like the daemon parameter. 
(Of course, the prefix "/rsyncd-munged/" isn't quite accurate for a client, but
let's use it anyway for compatibility.)  --munge-symlinks would also make it
possible to work around bug 4037 when the receiver is not a daemon.

Configure bugmail:
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the rsync mailing list