
Re: rssh security update breaks rsync via Synology's "hyper backup"



[debian-security@lists.debian.org → Bcc]

Holger Levsen wrote:

> > I applied recent rssh security updates to Debian 8 (jessie) and I
> > noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
> > 
> > Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved
> > Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync
> > command line!
> > Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute
> > forbidden commands
> > Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon .
> > 
> > Is it really unsafe to issue a "rsync --server --daemon ." command so it
> > deserves to be blocked?

FYI this is the patch in question:

https://sources.debian.org/src/rssh/2.3.4-11/debian/patches/0007-Verify-rsync-command-options.patch/#L15-L20


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

