Re: rssh security update breaks rsync via Synology's "hyper backup"

Added Russ (rssh maintainer).

I cannot probe it but I guess chances are high that the issue is present
both in stable and oldstable (I cannot find a good reason to filter
different commands: solution should be the same or very similar) so I'm
still keeping debian-security in the loop.

PS: Thx Holger & Chris.



On 14/02/2019 at 18:47, Chris Lamb wrote:
> [debian-security@lists.debian.org → Bcc]
> Holger Levsen wrote:
>>> I applied recent rssh security updates to Debian 8 (jessie) and I
>>> noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
>>> Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved
>>> Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync
>>> command line!
>>> Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute
>>> forbidden commands
>>> Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon .
>>> Is it really unsafe to issue a "rsync --server --daemon ." command so it
>>> deserves to be blocked?
> FYI this is the patch in question:
> https://sources.debian.org/src/rssh/2.3.4-11/debian/patches/0007-Verify-rsync-command-options.patch/#L15-L20
> Regards,
