need help with an rsync patch

Kevin Korb kmk at
Thu Aug 29 23:48:57 MDT 2013


Chown itself is not insecure.  The indiscriminate chowning of all
files creates security issues.

You can use --fake-super on push backups.  In fact that is what
--fake-super is DESIGNED FOR.  You just have to make sure that
--fake-super is running on the correct end of the backup.

You are supposed to push backups from root at localhost to
notroot at somewhere-else.  And you are supposed to do that with
--rsync-path="/path/to/rsync --fake-super".  If you just run "rsync
--fake-super" it won't work right.

On 08/30/13 01:02, Sherin A wrote:
> On Thursday 29 August 2013 11:46 PM, Wayne Davison wrote:
>> On Tue, Aug 27, 2013 at 8:03 PM, Sherin A <sherinmon at 
>> <mailto:sherinmon at>> wrote:
>> Hope they will report it as a vulnerability, because this POC
>> has been exploited successfully and it affects all
>> software that uses rsync as a backup and restore tool.
>> This is totally false.  The vulnerability is your insecure use
>> of chown, so you are shooting yourself in the foot. You could
>> accomplish the same bad sequence of copying/restoring using any
>> backup tool.
>> If you want to use a non-root backup store, just use --fake-super
>> on the remote side, as previously mentioned (and ensure that
>> xattrs are enabled there).
>> ..wayne..
> So you are saying the chown is insecure. So as per your suggestion,
> I need to read each and every file of the user and do the chown
> of only required files? Well I think it may take a little more
> time to check one million files of a user :(. Fake user won't work
> in push backups.
> -- -------------------------------------- Regards Sherin A 

-- 
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at  (work)
	Orlando, Florida		kmk at (personal)
	Web page:
	PGP public key available on web site.
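Kevin's setup above (root pushes to a non-root store, with --fake-super on the remote end) as a runnable sketch; this is an added example, not code from the thread or from rsync itself. The backup user, host, /srv/backups path and the remote /usr/bin/rsync location are placeholders.

```shell
#!/bin/sh
# Added example. "backup", "backuphost", /srv/backups/... and the remote
# /usr/bin/rsync path are assumed placeholders, not values from the thread.

# Push backup: run as root on the source host so every file is readable,
# while the receiving rsync on the backup host runs as an unprivileged user
# with --fake-super, so owner/group/mode/device info is recorded in the
# user.rsync.%stat extended attribute instead of needing chown on the store
# (the store's filesystem must have xattrs enabled).
push_backup_cmd() {
  src=$1; user=$2; host=$3; dest=$4
  printf '%s\n' "rsync -aHAX --numeric-ids --delete --rsync-path=\"/usr/bin/rsync --fake-super\" $src $user@$host:$dest"
}

# Restore: the store side again runs with --fake-super so it reports the
# recorded attributes; the local rsync, run as root, applies them file by
# file. No blanket chown of the restored tree is needed.
restore_cmd() {
  user=$1; host=$2; src=$3; dest=$4
  printf '%s\n' "rsync -aHAX --numeric-ids --rsync-path=\"/usr/bin/rsync --fake-super\" $user@$host:$src $dest"
}

# Check which end a command line enables --fake-super on.
#   0: remote end (via --rsync-path or -M/--remote-option): right for a push
#   1: local end only: the wrong end for a push from root to a non-root store
#   2: not enabled at all
check_fake_super_side() {
  case "$1" in
    *--rsync-path=*--fake-super*|*-M--fake-super*|*--remote-option=--fake-super*) return 0 ;;
    *--fake-super*) return 1 ;;
    *) return 2 ;;
  esac
}

# Typical use on the source host (as root):
#   cmd=$(push_backup_cmd /etc/ backup backuphost /srv/backups/host1/etc/)
#   check_fake_super_side "$cmd" && eval "$cmd"
```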

