need help with an rsync patch

Kevin Korb kmk at sanitarium.net
Thu Aug 29 23:48:57 MDT 2013


Chown itself is not insecure.  The indiscriminate chowning of all
files creates security issues.

You can use --fake-super on push backups.  In fact that is what
--fake-super is DESIGNED FOR.  You just have to make sure that
--fake-super is running on the correct end of the backup.

You are supposed to push backups from root at localhost to
notroot at somewhere-else.  And you are supposed to do that with
--rsync-path="/path/to/rsync --fake-super".  If you just run "rsync
--fake-super" it won't work right.

On 08/30/13 01:02, Sherin A wrote:
> On Thursday 29 August 2013 11:46 PM, Wayne Davison wrote:
>> On Tue, Aug 27, 2013 at 8:03 PM, Sherin A <sherinmon at gmail.com> wrote:
>> 
>> Hope they will report it as a vulnerability, because this POC
>> has been exploited successfully and it is affected by all
>> software that use rsync as a backup and restore tool.
>> 
>> 
>> This is totally false.  The vulnerability is your insecure use
>> of chown, so you are shooting yourself in the foot. You could
>> accomplish the same bad sequence of copying/restoring using any
>> backup tool.
>> 
>> If you want to use a non-root backup store, just use --fake-super
>> on the remote side, as previously mentioned (and ensure that
>> xattrs are enabled there).
>> 
>> ..wayne..
> So you are saying the chown is insecure. So as per your suggestion,
> I need to read each and every file of the user and do the chown
> of only required files? Well I think it may take a little more
> time to check one million files of a user :( . Fake user won't work
> in push backups.
> 
> -- 
> Regards
> Sherin A
> http://www.sherin.co.in/

-- 
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			http://www.sanitarium.net/
	PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
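What the non-root end of a push backup actually records when rsync runs with --fake-super, as an added example that is not part of this thread and not rsync's own code: a receiving rsync that cannot chown stores each file's mode, device numbers, uid and gid in the user xattr user.rsync.%stat, formatted "%o %u,%u %u:%u" (that is the layout written by rsync's xattrs.c). A restore run the other way, with --fake-super on the sending rsync, applies that per-file record, which is why no blanket chown of the restored tree is needed. The decoder below parses that value, builds the per-file ownership a root-side restore applies, and lists which files an indiscriminate `chown -R` would misown. SAMPLE_BACKUP is constructed for the example; the function names and the paths in it are this example's own.

```python
"""Decode the ownership metadata that rsync --fake-super records.

A non-root receiving rsync stores each file's real mode, rdev, uid and gid
in the xattr user.rsync.%stat as "%o %u,%u %u:%u" (octal mode including the
file-type bits, rdev major,minor, uid:gid).  SAMPLE_BACKUP below is
constructed for this example, not data from a real store.
"""
import os
import re
import stat
from typing import Dict, List, NamedTuple, Optional, Tuple, Union

XSTAT_ATTR = "user.rsync.%stat"
_XSTAT_RE = re.compile(r"^([0-7]+) (\d+),(\d+) (\d+):(\d+)$")
_MODE_MASK = 0o177777  # S_IFMT plus the twelve chmod bits rsync keeps


class FakeSuperStat(NamedTuple):
    mode: int          # st_mode including file type (S_IFREG, S_IFDIR, ...)
    rdev_major: int
    rdev_minor: int
    uid: int
    gid: int


def decode_xstat(value: Union[bytes, str]) -> FakeSuperStat:
    """Parse one user.rsync.%stat value; ValueError on anything else."""
    text = value.decode("ascii") if isinstance(value, bytes) else value
    m = _XSTAT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a {XSTAT_ATTR} value: {text!r}")
    mode, major, minor, uid, gid = m.groups()
    return FakeSuperStat(int(mode, 8), int(major), int(minor), int(uid), int(gid))


def encode_xstat(mode: int, uid: int, gid: int,
                 rdev_major: int = 0, rdev_minor: int = 0) -> str:
    """Build the value rsync would store (inverse of decode_xstat)."""
    return f"{mode & _MODE_MASK:o} {rdev_major},{rdev_minor} {uid}:{gid}"


def read_xstat(path: str) -> Optional[FakeSuperStat]:
    """Read the record from a real file in a --fake-super store.

    None when os.getxattr is unavailable (it is Linux-only) or the file
    carries no record, e.g. it was received without --fake-super.
    """
    try:
        raw = os.getxattr(path, XSTAT_ATTR, follow_symlinks=False)
    except (AttributeError, OSError):
        return None
    return decode_xstat(raw)


def restore_plan(entries: Dict[str, str]) -> List[Tuple[str, int, int, str]]:
    """Per-file (path, uid, gid, type letter) that a root-side restore applies.

    `entries` maps a backup-relative path to its stored %stat value.  The
    type comes from the mode's S_IFMT bits, so devices and symlinks are
    recognised from the record alone.
    """
    kinds = {stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFLNK: "l",
             stat.S_IFCHR: "c", stat.S_IFBLK: "b", stat.S_IFIFO: "p",
             stat.S_IFSOCK: "s"}
    plan = []
    for path in sorted(entries):
        st = decode_xstat(entries[path])
        plan.append((path, st.uid, st.gid, kinds.get(stat.S_IFMT(st.mode), "?")))
    return plan


def blanket_chown_damage(entries: Dict[str, str], uid: int, gid: int) -> List[str]:
    """Paths whose recorded owner is not uid:gid.

    These are exactly the files an indiscriminate `chown -R uid:gid` of a
    restored tree would hand to that user although they never belonged to
    them; applying the stored record per file avoids the step entirely.
    """
    bad = []
    for path in sorted(entries):
        st = decode_xstat(entries[path])
        if (st.uid, st.gid) != (uid, gid):
            bad.append(path)
    return bad


# Constructed sample: what a non-root store might hold for one home directory.
SAMPLE_BACKUP = {
    "home/alice":                 "40755 0,0 1000:1000",
    "home/alice/.profile":        "100644 0,0 1000:1000",
    "home/alice/.ssh":            "40700 0,0 1000:1000",
    "home/alice/.ssh/id_ed25519": "100600 0,0 1000:1000",
    "home/alice/link":            "120777 0,0 1000:1000",
    "home/alice/shared":          "40755 0,0 0:0",    # root-owned dir under the home
    "home/alice/shared/tool":     "100755 0,0 0:0",   # root-owned file under the home
    "home/alice/dev/null":        "20666 1,3 0:0",    # char device 1,3 kept via rdev
}

if __name__ == "__main__":
    for path, uid, gid, kind in restore_plan(SAMPLE_BACKUP):
        print(f"{kind} {uid:5d}:{gid:<5d} {path}")
    print("chown -R 1000:1000 would misown:",
          blanket_chown_damage(SAMPLE_BACKUP, 1000, 1000))
```

On a real store the same value can be inspected with `getfattr -n user.rsync.%stat <file>`; read_xstat() returning None for every file is the quick check that --fake-super was on the wrong end of the transfer.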