[Bug 12576] popt aliases allow users to bypass sudo argument restrictions

samba-bugs at samba.org
Sun Feb 12 17:06:20 UTC 2017


--- Comment #6 from Paul Donohue <samba-bugs at PaulSD.com> ---
This all makes sense, I appreciate the suggestions, and I may actually
implement some of this.

However, the existence of this rrsync solution doesn't change the fact that
there exists another simple and obvious solution using sudo which has a giant
undocumented security hole related to an unusual, undocumented, and not widely
used feature of rsync (popt aliases).

My goal for this bug report is to either get a disclaimer added to the rsync
man page (which documents the popt aliases feature, explains the security
implications, and suggests mitigations and/or alternative solutions to avoid
security issues, including this rrsync solution), or to get the attached
trivial patches merged to help mitigate this security issue without requiring
users to wrap complicated scripts around rsync or avoid the use of sudo.

Security is hard enough to get right when everything works in a consistent and
intuitive manner.  Having an unusual, unintuitive, and undocumented feature
with significant undocumented security implications is just asking for trouble.
