[Bug 12576] New: popt aliases allow users to bypass sudo argument restrictions

samba-bugs at samba.org samba-bugs at samba.org
Sat Feb 11 22:21:39 UTC 2017 

https://bugzilla.samba.org/show_bug.cgi?id=12576

            Bug ID: 12576
           Summary: popt aliases allow users to bypass sudo argument
                    restrictions
           Product: rsync
           Version: 3.1.3
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: wayned at samba.org
          Reporter: samba-bugs at PaulSD.com
        QA Contact: rsync-qa at samba.org

My goal is to allow a specific user to read but not write a specific file as
root using rsync via SSH.

The obvious solution was to configure /etc/rsyncd.conf to allow read-only
access to the file, then add "user ALL=(root) NOPASSWD:/usr/bin/rsync --server
--daemon ." to /etc/sudoers, then have the user run `rsync --rsh=ssh
--rsync-path='sudo rsync' host::module/file .`

However, this is not as secure as it appears.  Unfortunately, the popt alias
feature allows the user to replace the rsync arguments with almost any other
arbitrary rsync arguments, which effectively gives the user full root access to
the system.  For example, the user can add the following to /home/user/.popt
and run `sudo rsync --server --daemon .` to read the contents of /etc/shadow:
rsync alias --server -v
rsync alias --daemon /etc/shadow

This can be prevented by setting the 'always_set_home' option in sudoers (so
that only root's popt config is read), although this setting is global and may
not be desirable in all cases.  This can also be prevented by creating a shell
script that overrides $HOME then runs rsync, and using that shell script
instead of rsync in both sudoers and --rsync-path.  However, that is an
unintuitive solution that few users are likely to implement unless a giant
disclaimer is added to the documentation.  This really seems like a problem
that should be solved in rsync itself.

In the rsync code, popt aliases are explicitly disabled when '--server' or
'--daemon' is used, but only after those arguments have been parsed with popt
aliases enabled, which is why the above example is able to use popt aliases to
override those arguments.  The first attached patch checks for '--server' or
'--daemon' before enabling popt aliases, which fixes this issue when '--server'
or '--daemon' are used.

The second attached patch adds a new '--no-popt-aliases' argument.  This
explicitly disables popt aliases and may be used to allow rsync to be
safely run using sudo with an argument list that does not include '--server' or
'--daemon'.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

More information about the rsync mailing list