[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rssh security update breaks rsync via Synology's "hyper backup"

Roman Medina-Heigl Hernandez <roman@rs-labs.com> writes:
> El 18/02/2019 a las 18:27, Russ Allbery escribió:

>> While I agree that using undocumented features of rsync is a little
>> dubious, I'm also willing to include a fix to allow the specific
>> command line "rsync --server --daemon <path>" since (a) it seems to be
>> safe, (b) looks easy enough to do, and (c) my only goal with rssh at
>> this point is to keep it working through the stable support period, so
>> I'm not too worried about the long-term maintenance burden of one-off
>> hacks like that.
>> I should be able to do this later today.
>> Does this plan sound good to everyone?  I'll follow up with the
>> proposed diffs for stable and oldstable.

> If you want, shoot me with a .deb I could install in oldstable in order
> to test the "rsync --server --daemon" fix.

Unfortunately, I took a closer look, and it turns out that this command
was never safe.  It also allows arbitrary code excution on the server
side if the client can write to $HOME.  This is because:

          This specifies an alternate config file than the default.  This
          is only relevant when --daemon is specified.  The default is
          /etc/rsyncd.conf unless the daemon is running over a remote
          shell program and the remote user is not the super-user; in that
          case the default is rsyncd.conf in the current directory
          (typically $HOME).

That behavior of loading rsyncd.conf from the current directory was the
piece I had missed before.

Presumably, this is exactly the behavior that Synology relies on, but this
means that if the client can write to this configuration file, it can just
include a pre-xfer exec setting in that rsyncd.conf file and run commands
on the server side.

So, unfortunately we won't be able to fix Synology in a stable update,
since it was relying on insecure behavior.  I'll continue with an update
to fix the libssh2 regression.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: