Re: rssh security update breaks rsync via Synology's "hyper backup"
[debian-security@lists.debian.org → Bcc]
Holger Levsen wrote:
> > I applied recent rssh security updates to Debian 8 (jessie) and I
> > noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
> >
> > Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved
> > Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync
> > command line!
> > Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute
> > forbidden commands
> > Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon .
> >
> > Is it really unsafe to issue a "rsync --server --daemon ." command so it
> > deserves to be blocked?`
FYI this is the patch in question:
https://sources.debian.org/src/rssh/2.3.4-11/debian/patches/0007-Verify-rsync-command-options.patch/#L15-L20
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Reply to: