need help with an rsync patch

Sherin A sherinmon at gmail.com
Tue Aug 13 02:25:50 MDT 2013 

Hello Joe,

  Thanks for your reply . But  think about the real world users. There  
is not always necessary the /home will be  in separate disk partition or 
   /tmp , /var/tmp , /usr/tmp.  Think about an openvz vps or disk with 
everything  on / (most of the cloud servers) . Rsync is  using  in a lot 
of production servers as a better tool for file backups. As in the case 
of a hosting server , we can't always trust all hosting users in  a 
single server.  Also just ignore the shadow  and  let us say there are 
two user on /home/foo and /home/fun  and the user fun created a hardlink 
to /hom/foo/joomla/configuration.php  , which contains database 
information of user foo's joomla site .    May be  this user created   
this type hardlinks with all the folders and files inside /home . So 
simply reyuesting a restore  will revert  the files into his readable 
form and he can wipe out every thing.  Let me show you how a user can 
create a hard link ,
----------
dom2inho at dom2.inhouse.co.in [~/public_html]# id
uid=507(dom2inho) gid=508(dom2inho) groups=508(dom2inho)
dom2inho at dom2.inhouse.co.in [~/public_html]# ll /etc/shadow
--w------- 2 root root 1344 Aug 12 14:30 /etc/shadow
dom2inho at dom2.inhouse.co.in [~/public_html]# ln /etc/shadow ./shadow
dom2inho at dom2.inhouse.co.in [~/public_html]# ll shadow
--w------- 3 root root 1344 Aug 12 14:30 shadow
dom2inho at dom2.inhouse.co.in [~/public_html]#
--------

   The issue is  hardlinks can't create across files system , but with 
rsync we can copy  it to a remote folder  and change ownership.  If we  
restore it with rsync from that remove location to back to  his home , 
then it will be a regular file instead of his original hard link .
  So my humble request is , if rsync have an option to exclude hard 
link, it will be a good feature. may be something as follows,

--------------
include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char *argv[])
{
     struct stat sb;

    if (argc != 2) {
         fprintf(stderr, "Usage: %s <pathname>\n", argv[0]);
         exit(EXIT_FAILURE);
     }

    if (stat(argv[1], &sb) == -1) {
         perror("stat");
         exit(EXIT_FAILURE);
     }

    printf("File type:                ");

    switch (sb.st_mode & S_IFMT) {
     case S_IFREG:  printf("regular file\n");
             if(sb.st_nlink >1){printf("This file is hardlink:   %s\n", 
argv[0] );}    // Detecting hard link only for files
         break;
     default:       printf("unknown?\n");                break;
     }

    exit(EXIT_SUCCESS);
}
------------------

Thanks for your reply Joe and  paul.


On Tuesday 13 August 2013 01:33 PM, Joe wrote:
> I'm going to give this one more shot and then wait for the experts to
> weigh in.
>
> I'll stick with your example of /etc/shadow, but this applies to any
> secured file on the system.
>
> On my system /etc/shadow is 640 (by default), so, as a normal user, I
> can't even see it (other than to see that it exists) to do anything with it.
>
> Probably any user who can see it to link to it could copy it too. Once
> copied, it could be decrypted at leisure.
> The point is to secure it to begin with, then any normal backup should
> not be an issue.
>
> Since my /home is on its own partition, I can't even attempt a hard link:
> bigbird at ramdass:~/sandbox$ ln /etc/shadow .
> ln: failed to create hard link `./shadow' => `/etc/shadow': Invalid
> cross-device link
>
> My /tmp is in the same partition as /etc, but
> bigbird at ramdass:~/sandbox$ ln /etc/shadow /tmp
> ln: failed to create hard link `/tmp/shadow' => `/etc/shadow': Operation
> not permitted
>
> As a regular user, my home directory is pretty much the only place I
> have write access to (aside from /tmp which works the same way for most
> practical purposes.)
>
> My simplistic understanding of the Linux file system is that each file
> consists of device storage which is mapped in a single inode (unless
> there is some fancy stuff to handle extremely large files). The inode
> number is then recorded in a file table entry somewhere - and that's
> essentially what a hard link is. If there are more than one hard links
> to the file (additional file table entries with the same inode number in
> them), then a counter in the inode (*not* in the file table entry, etc.)
> is incremented for each additional one.
>
> Each of these "files" or hard links is just a file table entry that
> points to the inode. No one of them is distinguished as the "original"
> one as opposed to one created subsequently. There's no useful way to
> tell them apart other than their differing positions in the file
> table/directory structure and the fact that they can have different names.
>
> The counter is in the inode so that it can be decremented as file table
> entries are deleted. If it gets to zero, then there is no file table
> entry pointing to that inode and the system can then release the device
> storage that was mapped/reserved in the inode so that it can be reused.
> This is one of the things fsck checks for when repairing damaged file
> tables.
>
> In short, 1) There is really no such thing as a file with more than one
> link to it. It's the inode and there's only one for each allocated set
> of device storage. 2) If a file is secure to start with, nobody without
> elevated security permissions should be able to access it insecurely,
> including linking to it or copying it.
>
> If someone you don't trust completely has access to elevated permissions
> on your system, then backup is the least of your problems.
>
> Joe
>
> On 08/13/2013 03:00 AM, Sherin A wrote:
>> On Tuesday 13 August 2013 12:23 PM, Joe wrote:
>>> Is there any way at all to say which is the original file and which is
>>> the hard link? I'll bet there isn't, although I' m not an internals guy
>>> at all. If so, this would be impossible to do. The inode is the
>>> "original", but all the file table entries to it are hard links (if
>>> they're not symlinks.)
>>>
>>> I guess the question is, what do you really want to accomplish?
>>>
>>> The fact that more than one hard link exists probably means it really
>>> does need to be backed up - or that the hard link shouldn't be there in
>>> the original file system.
>>>
>>> Joe
>>>
>>> On 08/13/2013 01:11 AM, Sherin A wrote:
>>>> Can  some one create a patch for excluding "hard link regular file"
>>>> from copying ?.   May be like a command flag , rsync
>>>> --no-hardlink-copy   ....
>>>>
>> Hello Jose,
>>
>>    I think it is possible to  check whether a  file is  regular file
>> or  having more than one links,  ( you can  check it with stat system
>> call )
>>
>>   The situation is we have an rsync command in a server which will copy
>> files of local users into a remote server / filesystem . Also have
>> ability  to restore it , it is simple backup. But if a user create  a
>> hard link to /etc/shadow from his home dir , and he request a restore
>> ,  then he can read the shadow files and decrypt it .
>>
>>   So if there is an option to avoid  hardlinks  during copy process ,
>> it is will add and extra security , it only need to add the following
>> check condition ,
>>
>>   1) Check the file that are going to copy is a regular file or having
>> more than 1 links
>>
>>   Also we have checked a lot of other thridparty software that use this
>> rsync too, which all have this race condition exploit running on .
>>
>> let me know if you need a POC
>>


-- 
--------------------------------------
Regards
Sherin A
http://www.sherin.co.in/

More information about the rsync mailing list