need help with an rsync patch
Kevin Korb
kmk at sanitarium.net
Thu Aug 29 23:48:57 MDT 2013
Chown itself is not insecure. The indiscriminate chowning of all
files creates security issues.
You can use --fake-super on push backups. In fact that is what
--fake-super is DESIGNED FOR. You just have to make sure that
--fake-super is running on the correct end of the backup.
You are supposed to push backups from root at localhost to
notroot at somewhere-else. And you are supposed to do that with
--rsync-path="/path/to/rsync --fake-super". If you just run "rsync
--fake-super" it won't work right.
On 08/30/13 01:02, Sherin A wrote:
> On Thursday 29 August 2013 11:46 PM, Wayne Davison wrote:
>> On Tue, Aug 27, 2013 at 8:03 PM, Sherin A <sherinmon at gmail.com> wrote:
>>
>> Hope they will report it as a vulnerability, because this POC
>> has been exploited successfully and it affects all
>> software that uses rsync as a backup and restore tool.
>>
>>
>> This is totally false. The vulnerability is your insecure use
>> of chown, so you are shooting yourself in the foot. You could
>> accomplish the same bad sequence of copying/restoring using any
>> backup tool.
>>
>> If you want to use a non-root backup store, just use --fake-super
>> on the remote side, as previously mentioned (and ensure that
>> xattrs are enabled there).
>>
>> ..wayne..
> So you are saying the chown is insecure. So as per your suggestion,
> I need to read each and every file of the user and do the chown
> of only required files? Well I think it may take a little more
> time to check one million files of a user :( . Fake user won't work
> in push backups.
>
> --
> Regards Sherin A
> http://www.sherin.co.in/
--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
Kevin Korb Phone: (407) 252-6853
Systems Administrator Internet:
FutureQuest, Inc. Kevin at FutureQuest.net (work)
Orlando, Florida kmk at sanitarium.net (personal)
Web page: http://www.sanitarium.net/
PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
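As an added illustration of the setup Kevin describes (this script is not from the thread or from the rsync project): root on the local host pushes to an unprivileged account, with --fake-super handed to the remote rsync through --rsync-path, a matching restore, and a spot-check of the ownership rsync recorded on the store. The user, host, remote rsync path and all directories are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): root@localhost pushes a backup to an
# unprivileged account on a backup host, with --fake-super applied on the
# remote side through --rsync-path. BACKUP_USER, BACKUP_HOST, REMOTE_RSYNC
# and every path below are placeholders. Set RUN=echo to print the commands
# instead of running them.
BACKUP_USER="${BACKUP_USER:-backup}"
BACKUP_HOST="${BACKUP_HOST:-backup.example.net}"
REMOTE_RSYNC="${REMOTE_RSYNC:-/usr/bin/rsync}"
RUN="${RUN:-}"

# push_backup SRC_DIR REMOTE_DIR   (run as root)
# The local rsync reads the real owner, mode and device info; the remote
# rsync, started with --fake-super, records them in each file's
# user.rsync.%stat xattr, so the store never needs root or a chown.
# A bare local "rsync --fake-super" would act on the sending side and look
# for fake attributes that do not exist there.
push_backup() {
    $RUN rsync -aHX --numeric-ids --delete \
        --rsync-path="$REMOTE_RSYNC --fake-super" \
        "$1" "$BACKUP_USER@$BACKUP_HOST:$2"
}

# restore_backup REMOTE_DIR DEST_DIR   (run as root)
# Mirror image for restores: the remote (now sending) rsync reads the saved
# attributes and root on this side re-applies the original owner and mode
# per file, so no blanket chown over the restored tree is needed.
restore_backup() {
    $RUN rsync -aHX --numeric-ids \
        --rsync-path="$REMOTE_RSYNC --fake-super" \
        "$BACKUP_USER@$BACKUP_HOST:$1" "$2"
}

# saved_stat REMOTE_FILE
# Spot-check on the store: prints the "mode major,minor uid:gid" string rsync
# recorded for one file (for example "100600 0,0 0:0" for a root-only file).
# Needs getfattr (attr package) and an xattr-capable filesystem on the host.
saved_stat() {
    $RUN ssh "$BACKUP_USER@$BACKUP_HOST" \
        getfattr --only-values -n user.rsync.%stat "$1"
}

case "${1:-}" in
    push)    push_backup "$2" "$3" ;;
    restore) restore_backup "$2" "$3" ;;
    check)   saved_stat "$2" ;;
esac
```

Run it as `RUN=echo sh backup.sh push /etc/ /srv/store/etc/` first to confirm that --fake-super appears only inside --rsync-path before letting it touch real data.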