rsync over ssh - possible attack vectors

Matt McCutchen matt at mattmccutchen.net
Fri Apr 16 18:50:52 MDT 2010


On Sat, 2010-04-17 at 02:17 +0200, g. sullivan wrote:
> On 4/16/2010 4:30 PM, Matt McCutchen wrote:
> > On Fri, 2010-04-16 at 02:16 +0200, George Sullivan wrote:
> >> user1 at localserver:$ rsync -rtcve ssh user1 at remoteserver:/.../ /local/.../
> 
> > The remote server can change arbitrary files on the local server by
> > sending a symlink and then using paths that go through the symlink.  The
> > current development rsync has a --munge-links option to prevent that.
> > Unfortunately, that option is not available in the 3.0.x branch at this
> > time.
> 
> What about --safe-links? Since I'm not using -l or -a I thought rsync 
> ignores symlinks altogether.

You are right, I did not notice that you were not using -l.

>  > The codebase is large and complex,
>  > especially with the addition of incremental recursion, and I would be
>  > foolish to assert that there's no way to exploit it.
> 
> Is using --no-inc-recursive a good idea then?

I wouldn't draw that conclusion.  Adding incremental recursion
complicated the codebase, but that doesn't mean the resulting
non-incremental-recursion code paths are any better than the
incremental-recursion ones.  Going back to earlier rsync versions is not
necessarily better either since the design may have been strengthened in
some ways in the newer versions.

It's really hard to judge the potential for an exploit.  Wayne might
have a better feeling.  But I would tend to just use the latest version
in the default configuration and hope for the best.

-- 
Matt
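
Added example, not part of the original post and not rsync's own code: a Python check of a receiving directory for the condition discussed in the thread, namely symlinks that resolve outside the destination and incoming relative paths that would pass through a symlink. The function names and the temporary sample tree are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(root):
    """Return (link, resolved_target) pairs for symlinks under root that resolve outside root."""
    root_real = os.path.realpath(root)
    found = []
    # followlinks=False: symlinked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root_real, target]) != root_real:
                    found.append((os.path.relpath(path, root), target))
    return sorted(found)


def crosses_symlink(root, relpath):
    """True if writing root/relpath would pass through a symlinked directory component."""
    current = root
    # The final component is the file itself; only its parent directories matter here.
    for part in os.path.normpath(relpath).split(os.sep)[:-1]:
        current = os.path.join(current, part)
        if os.path.islink(current):
            return True
    return False


def demo():
    """Build a constructed sample tree: one in-tree link and one link leaving the destination."""
    base = tempfile.mkdtemp()
    dest = os.path.join(base, "dest")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(dest, "data"))
    os.makedirs(outside)
    os.symlink("data", os.path.join(dest, "alias"))         # stays inside dest
    os.symlink(outside, os.path.join(dest, "data", "out"))  # resolves outside dest
    return dest, outside


if __name__ == "__main__":
    dest, _ = demo()
    for link, target in escaping_symlinks(dest):
        print(f"{link} -> {target} (outside destination)")
    print(crosses_symlink(dest, "data/out/file.txt"))
```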


