[Bug 8445] Add a non-trusted filter-file option that would limit the rules and ignore syntax errors

samba-bugs at samba.org samba-bugs at samba.org
Mon Sep 12 04:45:13 MDT 2011


https://bugzilla.samba.org/show_bug.cgi?id=8445

--- Comment #2 from Ruediger Meier <sweet_f_a at gmx.de> 2011-09-12 10:45:12 UTC ---
Thx for this detailed reply. After reading it, I think we have 2 different
issues here.


(In reply to comment #1)
> (In reply to comment #0)
> > invalid modifier sequence at 't' in filter rule: -/tmp
> 
> You'll note that rule is missing a space, so it was a filter-rule syntax error.

1. I'm sure there was never a syntax error in .rsync-filter. Instead the
error occurred because the user added effectively a single character while
rsync was reading it. (The same reason why bash scripts show syntax errors when
editing them during execution.)
So I think it would be worth improving rsync's way of reading the filter files
in general, because rsync is supposed to run for hours to sync directories while
they are used and it's able to handle vanished files etc.
I even wondered why rsync read that particular .rsync-filter again after
being inside that directory for 10 hours already.
I haven't looked at the source code but I guess it would help simply to avoid
file operations like fseek on the filter files.



>  Rsync treats a failure to parse filter rules as something that it should
> complain about in a fatal error so that you get a chance to fix it.

2. So I would put this on the wishlist:
 new option --ignore-broken-filters
 Behaves like in the case of vanished files. Just print a warning, but don't
exit, and ignore the broken filter. When the sync is finished, exit 2.



> So, it seems to me that the issue here is that you're trusting user-generated
> filter rules in a backup situation, which may not be a good idea

Because all our users have to deal with very large amounts of data, I want them
to help me with the filter rules.


> (e.g. consider
> the inclusion of a filter-rule import that references a secret file in order to
> try to sniff its contents).

My users can only write the filter files into their own dirs. If they want to
back up their own secrets then this is not my problem.


> What you could do instead is to do a pre-copy
> restrictive parse of all the filter files in the backup hierarchy and turn them
> into a single set of global rules, dropping any syntax error lines and ignoring
> any rules that shouldn't be trusted

This would be possible and I even thought about this, to implement more
intelligent filters than simple in/exclude lists. But in practice
find /home -name ".rsync-filter"
takes about 1-2 hours here with high IO load on the file server and it would
slow down the whole backup process by about 20-30%.




> Another option is to mark the rules in the filter files as only hide rules 

A good idea regarding the security points above, but regarding point 1 it would
be a fake. rsync would not exit with a fatal error but would use a totally
messed up filter if the user changed it during the backup process.


cu,
Rudi
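
An added example, not part of the original message and not rsync code: a sketch of the "restrictive parse" quoted above, which drops syntax-error lines and untrusted rules instead of aborting. The function name `sanitize_filter`, the keep-only-plain-rules policy and the sample text are assumptions made for illustration.

```python
import re

# Assumed policy for this sketch (stricter than rsync's own grammar): keep only
# short-form "+ PATTERN" / "- PATTERN" rules with one space and no modifiers.
PLAIN_RULE = re.compile(r"^[+-] \S")
# Rules that pull in other files: short forms "." and ":", long forms
# "merge" and "dir-merge" (followed by a modifier comma, space or underscore).
MERGE_RULE = re.compile(r"^(?:[.:]|(?:dir-)?merge(?:[, _]|$))")

def sanitize_filter(text):
    """Split filter-file text into (kept_rules, dropped).

    dropped is a list of (line_number, reason, line) tuples so the backup
    operator can warn the file's owner instead of aborting the whole run.
    """
    kept, dropped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip()[0] in "#;":
            continue  # blank line or comment
        if PLAIN_RULE.match(line):
            kept.append(line)
        elif MERGE_RULE.match(line):
            dropped.append((lineno, "merge rule not allowed", line))
        else:
            dropped.append((lineno, "not a plain +/- rule", line))
    return kept, dropped

# Constructed sample input, not taken from a real system. Line 3 is the
# malformed rule from the bug report; line 7 mimics a half-written edit.
SAMPLE = """\
# my excludes
- /tmp
-/tmp
+ *.tex
. /path/to/secret
:n- .cvsignore
-
"""

if __name__ == "__main__":
    kept, dropped = sanitize_filter(SAMPLE)
    print("\n".join(kept))
    for lineno, reason, line in dropped:
        print(f"warning: line {lineno}: {reason}: {line!r}")
```

The sketch only classifies the lines of one file; rewriting the kept per-directory patterns into global rules, as the quoted suggestion describes, is not shown.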
