need help with an rsync patch

Sherin A sherinmon at
Thu Aug 29 23:02:45 MDT 2013

On Thursday 29 August 2013 11:46 PM, Wayne Davison wrote:
> On Tue, Aug 27, 2013 at 8:03 PM, Sherin A <sherinmon at> wrote:
> > Hope they will report it as a vulnerability, because this POC
> > has been exploited successfully and it is affected by all
> > software that uses rsync as a backup and restore tool.
>
> This is totally false.  The vulnerability is your insecure use of 
> chown, so you are shooting yourself in the foot. You could accomplish 
> the same bad sequence of copying/restoring using any backup tool.
> If you want to use a non-root backup store, just use --fake-super on 
> the remote side, as previously mentioned (and ensure that xattrs are 
> enabled there).
> ..wayne..

So you are saying the chown is insecure. So, as per your suggestion, I 
need to read each and every file of the user and do the chown of only 
the required files? Well, I think it may take a little more time to check 
one million files of a user :( . Fake user won't work in push backups.

Sherin A
