need help with an rsync patch
Sherin A
sherinmon at gmail.com
Thu Aug 29 23:02:45 MDT 2013
On Thursday 29 August 2013 11:46 PM, Wayne Davison wrote:
> On Tue, Aug 27, 2013 at 8:03 PM, Sherin A <sherinmon at gmail.com
> <mailto:sherinmon at gmail.com>> wrote:
>
> Hope they will report it as a vulnerability, because this POC
> has been exploited successfully and it is affected by all
> software that use rsync as a backup and restore tool.
>
>
> This is totally false. The vulnerability is your insecure use of
> chown, so you are shooting yourself in the foot. You could accomplish
> the same bad sequence of copying/restoring using any backup tool.
>
> If you want to use a non-root backup store, just use --fake-super on
> the remote side, as previously mentioned (and ensure that xattrs are
> enabled there).
>
> ..wayne..
So you are saying the chown is insecure. So as per your suggestion, I
need to read each and every file of the user and do the chown of only
required files? Well, I think it may take a little more time to check
one million files of a user :(. Fake user won't work in push backups.
--
--------------------------------------
Regards
Sherin A
http://www.sherin.co.in/
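Wayne's suggestion above, a non-root backup store with --fake-super on the receiving side and user xattrs enabled there, worked through as an added shell example that is not part of this thread; SRC_HOST, STORE and the target host are placeholders, and the push variant uses rsync's --rsync-path to enable the option on the remote rsync.

```shell
#!/bin/sh
# Added example, not from the thread. Pull backup into a NON-ROOT store with
# --fake-super on the receiving (local) side: owner/group/mode are recorded
# in user.* xattrs instead of being applied, so a restore never needs a
# blanket recursive chown over the backed-up tree (Wayne's "insecure chown").
# SRC_HOST and STORE are placeholders, not values from the thread.
SRC_HOST="backup@src.example"        # assumed remote host, read-only account
STORE="${STORE:-$HOME/backup-store}" # assumed local dir owned by backup user

# --fake-super needs a filesystem that accepts user.* xattrs on STORE.
# Probe by writing one to a scratch file; fail closed if no tool is found.
xattr_supported() {
    dir=$1; probe="$dir/.xattr-probe.$$"; ok=1
    : > "$probe" 2>/dev/null || return 1
    if command -v setfattr >/dev/null 2>&1; then        # Linux attr tools
        setfattr -n user.probe -v ok "$probe" 2>/dev/null && ok=0
    elif command -v xattr >/dev/null 2>&1; then         # macOS xattr(1)
        xattr -w user.probe ok "$probe" 2>/dev/null && ok=0
    fi
    rm -f "$probe"
    return $ok
}

# Options for the pull (local side receives). -a keeps perms/owner/times,
# -X keeps source xattrs, --fake-super records ownership in xattrs rather
# than chowning, --numeric-ids avoids uid/gid remapping by name.
rsync_args() { printf '%s\n' -a -X --fake-super --numeric-ids --delete; }

# Options for the restore (local store sends). --fake-super on the sender
# presents the recorded owner/mode as the real ones, so the root receiver
# on the target host re-creates ownership file by file, no chown pass.
restore_args() { printf '%s\n' -a -X --fake-super --numeric-ids; }

do_backup() {
    xattr_supported "$STORE" || { echo "STORE lacks user xattrs" >&2; return 1; }
    rsync $(rsync_args) "$SRC_HOST:/home/" "$STORE/home/"
}

do_restore() {   # $1 = target host; rsync there runs as root to set owners
    rsync $(restore_args) "$STORE/home/" "root@$1:/home/"
}

# Push variant (remote non-root store receives): do NOT use --fake-super on
# the local sender, which has the real attributes; enable it remotely, e.g.
#   rsync -aX --numeric-ids --rsync-path="rsync --fake-super" /home/ store@host:store/home/
# No top-level action: call do_backup, or do_restore <host>, explicitly.
```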