[Bug 13364] rsyncd clips trims relative symlinks outside of source tree

Wed Apr 4 21:47:41 UTC 2018

On 04/04/18 20:52, just subscribed for rsync-qa from bugzilla via rsync
wrote:
> https://bugzilla.samba.org/show_bug.cgi?id=13364
> 
> --- Comment #3 from Chris Severance <samba.severach at spamgourmet.com> ---
>> enable munge-symlinks. That way the client will get back the same out-of-tree symlink as it started with
> 
> This is a lousy option for backups. The only way to get my original links back
> is to pull the restore through rsync. Restoring directly from the rsyncd server
> will copy the munged links.

It's a very sensible option for *backups* i.e. where one host holds a
*backup* copy of the contents of another host's filesystem, but does not
itself use or interpret those contents.

Another useful option for a genuine backup server is --fake-super, so
the user-ids and permissions on the two systems don't have to be
correlated, and a non-root backup daemon can back up files that are
owned by any user. But again, you have to use rsync to reverse the effect.

>> Unless you want the symlinks to be usable on the server
> 
> This is exactly what is required. It's not a server at all. It's two clients
> both of which must have the same usable tree, one of which runs rsyncd to
> accept updates from the other.

So the problem is that you're trying to implement a symmetric p2p
operation using an explicitly asymmetric client-daemon (server) mode.
If you use the non-daemon mode you can initiate the operation from
either peer, and there are no limitations on the targets of symlinks
(with the right choice of options).

Why do you think it's necessary to use the daemon mode?

> I tried enabling chroot and the leading path was still clipped client->server.
> 
>> There are tricky ways to work around this
> 
> This is what I'm looking for. There should be no security for --links since
> copying links can never reach outside the server tree. --copy-links and
> --copy-unsafe-links could reach outside the tree so need to be limited whether
> or not the unsafe link was from the client.

Huh? If you allow a client to upload an unmunged symlink to (say)
/etc/passwd into a r/w directory on the server, and then download it
with the --copy-links option, the client gets a copy of the server's
real /etc/passwd, even though that file doesn't lie under the path=
parameter in the daemon config file. That's a fairly big security hole
if one's not *very* careful about setting appropriately limited uid/gid
mappings in the config -- and if you do that, then you can't back up
files with arbitrary ownership.

> I can build the links on both clients so --safe-links could work but I need a
> way to silence the warnings out of the -v listing.
> 
> Shortening the rsyncd "path=" so that the links become inside the tree could
> work but rsync has no usable way to specify only one directory without causing
> the links to be considered outside outside the tree.
> 
> cd baz2; rsync ./ rsync://.../baz1/ # original case
> 
> rsync bar2/ rsync://.../root/bar1/ # shortened path=
> 
> Links going to bar1 accessible by /root/ are considered outside of the bar1
> tree and clipped.

Create a dummy bar1/ on the client and include it in the files being
uploaded?

.D.