[Bug 13827] despite --copy-unsafe-links, rsync does not copy the referent of symlinks that point one level outside the copied tree

samba-bugs at samba.org samba-bugs at samba.org
Sat Mar 16 21:21:53 UTC 2019 

https://bugzilla.samba.org/show_bug.cgi?id=13827

--- Comment #2 from Jan Bredereke <jan at bredereke-net.de> ---
(In reply to Wayne Davison from comment #1)

Thanks, I see your point now.

Thus the problem is that the subject is rather complex, and the
man-page is quite terse on these details. A user can make a mistake
easily, as my case proves. Because of the security implications my
little script demonstrates, this is undesirable.

Therefore, I propose to improve the man-page.

The original text of the option in question, and of the next,
related option is:

  --copy-unsafe-links
         This  tells  rsync  to  copy the referent of symbolic links that
         point outside the  copied  tree.   Absolute  symlinks  are  also
         treated  like  ordinary  files,  and  so are any symlinks in the
         source path itself when --relative is used.  This option has  no
         additional effect if --copy-links was also specified.

  --safe-links
         This  tells  rsync to ignore any symbolic links which point out‐
         side the copied tree. All absolute symlinks  are  also  ignored.
         Using  this option in conjunction with --relative may give unex‐
         pected results.

For both options, I would add after the first sentence: "See the
SYMBOLIC LINKS section." -- When I looked up "--copy-unsafe-links",
I missed to notice the existence of this helpful section.

Furthermore, the notion of "copied tree" is not explained in the
man-page. Even more, the SYMBOLIC LINKS section is a bit inconsistent
with this respect. The relevant current text is:

  Symbolic  links  are  considered  unsafe  if they are absolute symlinks
  (start with /), empty, or if they contain  enough  ".."  components  to
  ascend from the directory being copied.

It should not be "directory being copied", but "tree being copied".

When this is fixed, I propose to continue the paragraph with the
following definition of the copied tree: "If the source given is
bar/baz, then the top of the tree copied is below bar. If the source
given is bar/, which contains baz, then the top of the tree copied
is below bar, too. A symbolic link slink1 in directory bar, pointing
to baz, is considered safe. A symbolic link slink2 in the same
place, pointing to ../baz, is considered unsafe."

If you consider this too lengthy, the last two sentences with the
examples could be left out.

I now consider the behaviour I discovered as being consistent. But
there is another aspect which appears to me as inconsistent with
respect to the rules you just explained. The man-page writes (in a
nice, clear way):

  A  trailing slash on the source changes this behavior to avoid creating
  an additional directory level at the destination.  You can think  of  a
  trailing / on a source as meaning "copy the contents of this directory"
  as opposed to "copy the directory by  name",  but  in  both  cases  the
  attributes  of the containing directory are transferred to the contain‐
  ing directory on the destination.  In other words, each of the  follow‐
  ing  commands copies the files in the same way, including their setting
  of the attributes of /dest/foo:

         rsync -av /src/foo /dest
         rsync -av /src/foo/ /dest/foo

In the second example, foo is above the top of the tree, but its
attributes are set, nevertheless. This is necessary if you need to
transfer /. But the concept of the tree copied becomes even harder
to grasp because of this extra rule. Unfortunately, I have no idea
on how to improve the situation here.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

More information about the rsync mailing list