DO NOT REPLY [Bug 6251] security: rsync executes remote commands

samba-bugs at samba-bugs at
Wed Apr 8 12:17:18 GMT 2009

mueller at changed:

           What    |Removed                     |Added
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Comment #3 from mueller at  2009-04-08 07:17 CST -------
@Wayne: Yes it is a security problem. Scenario: The user is in an apache+php
process and needs to copy around arbitrarily named files he just uploaded on a
cluster. The cluster allows password free login every host to every other host,
which is perfectly safe as long as any commands executed are chosen by php.

At no point did we give the user permission to execute arbitrary commands! We
just allow him to copy a file named by him, that's a completely different
security level. However if that name contains certain characters, he can
escalate his privilege using rsync. Imagine he uploads a file named ';rm -rf

All other unix tools handle this case without problems if the file name is
escaped correctly, just rsync (and scp) have a problem. --protect-args does
solve the problem but not everyone knows about or remembers to use it. I see no
reason why dangerous characters can't ALWAYS be escaped before passing the args
to the shell for globbing. I'd escape everything but \w * ? [ ] { }

Configure bugmail:
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the rsync mailing list