is "unintended library loading" actually possible?

a.ikonnikov at a.ikonnikov at
Sat Jun 9 13:52:56 UTC 2018

Please, help me understand if 'use chroot' option in daemon config is 
secure enough.
Rsync manual has following lines:

    As an additional safety feature, you can specify a dot-dir in the
    "path" to indicate the point where the chroot should occur.  This
    allows rsync
    to run in a chroot with a non-"/" path for the top of the transfer
    Doing this guards against unintended library loading (since those
    paths will not be inside the transfer hierarchy unless you have used
    an unwise
    pathname), and lets you setup libraries for the chroot that are
    outside of the
    transfer.  For example, specifying "/var/rsync/./module1" will
    chroot to the
    "/var/rsync" directory and set the inside-chroot path to
    "/module1".  If you
    had omitted the dot-dir, the chroot would have used the whole path,
    and the
    inside-chroot path would have been "/".

It *implies* that there could be a situation when rsync (in daemon mode) 
loads some libraries *after* doing chroot system call. But is this 
really possible?
when stracing rsync daemon, I see no attempts to load libraries after 
calling chroot:

    [pid 42312] geteuid()                   = 0
    [pid 42312] chroot("/var/lib/mysql/") = 0
    [pid 42312] chdir("/")                  = 0
    [pid 42312] setgid(0)                   = 0
    [pid 42312] setgroups(1, [0])           = 0
    [pid 42312] setuid(0)                   = 0
    [pid 42312] setresuid(-1, 0, -1)        = 0
    [pid 42312] geteuid()                   = 0

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the rsync mailing list