Re: rssh security update breaks rsync via Synology's "hyper backup"

To: Roman Medina-Heigl Hernandez <roman@rs-labs.com>, debian-lts@lists.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: rssh security update breaks rsync via Synology's "hyper backup"
From: Holger Levsen <holger@layer-acht.org>
Date: Thu, 14 Feb 2019 17:34:43 +0000
Message-id: <[🔎] 20190214173443.cupioumebaklmlab@layer-acht.org>
In-reply-to: <75a71a7b-4022-0f43-5963-964a36a3ae53@rs-labs.com>
References: <75a71a7b-4022-0f43-5963-964a36a3ae53@rs-labs.com>

Hi Roman,

the security team is not responsible for Debian LTS, I've thus added 
debian-lts@lists.d.o to the mail recipients, so that they become aware
of your issue.

On Thu, Feb 14, 2019 at 06:06:34PM +0100, Roman Medina-Heigl Hernandez wrote:
> Hi security-fellows,
> 
> I applied recent rssh security updates to Debian 8 (jessie) and I
> noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
> 
> The relevant log lines at my Debian server:
> 
> Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved
> Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync
> command line!
> Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute
> forbidden commands
> Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon .
> 
> Is it really unsafe to issue a "rsync --server --daemon ." command so it
> deserves to be blocked?`
> 
> 
> PS: OS info:
> 
> root@roman:~# cat /etc/debian_version
> 8.11
> root@roman:~# dpkg -l rssh           
> Deseado=desconocido(U)/Instalar/eliminaR/Purgar/retener(H)
> |
> Estado=No/Inst/ficheros-Conf/desempaqUetado/medio-conF/medio-inst(H)/espera-disparo(W)/pendienTe-disparo
> |/ Err?=(ninguno)/requiere-Reinst (Estado,Err: mayúsc.=malo)
> ||/ Nombre                                Versión                
> Arquitectura            Descripción
> +++-=====================================-=======================-=======================-================================================================================
> ii  rssh                                  2.3.4-4+deb8u2         
> amd64                   Restricted shell allowing scp, sftp, cvs, svn,
> rsync or rdist
> 
> PS2: I'm not suscribed to LTS-list, but I guess the problem may be both
> in stable and oldstable versions.
> 
> Cheers,
> 
> -Román
> 

-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

In Europe there are people prosecuted by courts because they saved other people
from drowning in the  Mediterranean Sea.  That is almost as absurd  as if there
were people being prosecuted because they save humans from drowning in the sea.

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: rssh security update breaks rsync via Synology's "hyper backup"
  - From: Chris Lamb <lamby@debian.org>

Prev by Date: Re: [SECURITY] [DSA 4371-1] apt security update
Next by Date: Re: rssh security update breaks rsync via Synology's "hyper backup"
Previous by thread: Re: [SECURITY] [DLA 1675-1] python-gnupg security update
Next by thread: Re: rssh security update breaks rsync via Synology's "hyper backup"
Index(es):
- Date
- Thread