DO NOT REPLY [Bug 1890] TLS for rsync protocol
samba-bugs at samba.org
samba-bugs at samba.org
Sun Aug 9 04:33:37 MDT 2009
https://bugzilla.samba.org/show_bug.cgi?id=1890
------- Comment #9 from devzero at web.de 2009-08-09 05:33 CST -------
> It's easy to tell an ssh server to restrict what commands can be run.
is that really secure? i think, no.
found this one on the scponly pages:
SECURITY PROBLEM 2, reported by Pekka Pessi
If ANY the following conditions are true, administrators using scponly-4.1 or
older may be at risk of remote scponly users circumventing the restricted shell
and executing arbitrary programs. There is no privilege escalation and this
vulnerability is post-authentication.
* scp compatibility is enabled
* rsync compatibility is enabled
Exploit:
To exploit this vulnerability, a remote scponly user could:
* construct a malicious command line argument to either the rsync or scp.
Athough scponly does check for arguments that allow the user to specify a
program to run, it does not use getopt() style processing to locate these
potentially malicious arguments. For example, the potentially malicious scp
argument "-S program" would be detected but by combining it with the benevolent
"-v" (yielding "-vS program") would not.
Fix:
The new release of scponly-4.2 has:
* getopt to process the arguments to scp and rsync.
* no support rsync or scp by default. henceforth, the recommended means to
use scponly is via sftp
* other fixes and features
* fix for openbsd ldd in setup_chroot
* sftp-logging compatibility patch
* fix for autoconf AC_INIT macro
* patch for command line args to setup_chroot invocation
* patches to fix passw
here is some more interesting article which shows, that this is sorta hackerish
method:
http://www.oreillynet.com/linux/blog/2006/05/restricting_rsync_over_ssh.html
--
Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
More information about the rsync
mailing list