DO NOT REPLY [Bug 6251] security: rsync executes remote commands

samba-bugs at samba-bugs at
Wed Apr 8 16:36:01 GMT 2009

wayned at changed:

           What    |Removed                     |Added
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

------- Comment #4 from wayned at  2009-04-08 11:36 CST -------
If you don't trust your users, you need to set up something better on your part,
such as forcing the -s (--protect-args) option on all rsync commands that get
run on the client and using a different shell (or forced wrapper script) on the
remote hosts that ensures the safety of the command-line.  When doing an ssh
transfer, rsync assumes that you know what you're doing.  It does not know
what shell is on the other side, so asking it to escape chars in an undefined
manner is not something that it can do portably (so if we build in bourne-shell
escaping, that could break the use of a more rare shell setup).

I recommend a safety script on the remote hosts to ensure that nothing tricky
is going on.  Rsync supplies a script named rrsync in the support directory
that handles safe globbing of filenames without allowing a shell to interpret
special characters (since it completely avoids the spawning of a shell).  If
you set up the ssh logins to force the command to go to the rrsync perl script,
it can both validate the command-line options and safely handle the file args
for you.

Rsync also supports daemon mode (including daemon over ssh) for being the most
safe and restrictive.

Because making ssh transfers safe takes setup outside of rsync, I am marking
this bug request as wontfix.

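The "forced wrapper script" idea from the comment above, sketched as an added example (it is not rrsync and not code from the rsync project): an ssh forced command that checks the requested rsync server command, confines its paths, and executes it without a shell. The names `validate`, `Rejected` and `ALLOWED_ROOT` and the `/srv/backup` directory are assumptions for illustration, and unlike rrsync this sketch does not vet individual rsync options.

```python
import os
import re

ALLOWED_ROOT = "/srv/backup"   # assumption: the only tree this key may touch
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._/=,@+:-]+")  # allowlist: no shell metacharacters


class Rejected(Exception):
    """Raised when the requested command must not be run."""


def validate(original_command, root=ALLOWED_ROOT):
    """Return an argv list safe to exec directly, or raise Rejected."""
    argv = original_command.split(" ")   # plain split, never shell parsing
    if any(not SAFE_TOKEN.fullmatch(tok) for tok in argv):
        raise Rejected("unsafe character or empty argument")
    if argv[:2] != ["rsync", "--server"]:
        raise Rejected("only 'rsync --server' is allowed")
    if "." not in argv:
        raise Rejected("missing '.' separator before path arguments")
    split_at = argv.index(".")
    options, paths = argv[2:split_at], argv[split_at + 1:]
    if any(not opt.startswith("-") for opt in options) or not paths:
        raise Rejected("malformed option or path list")
    root = os.path.realpath(root)
    safe_paths = []
    for p in paths:
        # Treat every path as relative to root, then resolve '..' and symlinks.
        full = os.path.realpath(os.path.join(root, p.lstrip("/")))
        if os.path.commonpath([root, full]) != root:
            raise Rejected("path escapes " + root)
        safe_paths.append(full)
    return ["rsync", "--server"] + options + ["."] + safe_paths


def main():
    # sshd puts the client's requested command in SSH_ORIGINAL_COMMAND when the
    # key's authorized_keys entry starts with command="<path to this script>".
    try:
        argv = validate(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    except Rejected as err:
        raise SystemExit("rejected: %s" % err)
    os.execvp(argv[0], argv)   # exec directly: no shell ever sees the arguments


if __name__ == "__main__":
    main()
```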