
Re: rssh security update breaks rsync via Synology's "hyper backup"



Added Russ (rssh maintainer).

I cannot probe it but I guess chances are high that the issue is present
both in stable and oldstable (I cannot find a good reason to filter
different commands: solution should be the same or very similar) so I'm
still keeping debian-security in the loop.


PS: Thx Holger & Chris.

Cheers,

-Román


On 14/02/2019 at 18:47, Chris Lamb wrote:
> [debian-security@lists.debian.org → Bcc]
>
> Holger Levsen wrote:
>
>>> I applied recent rssh security updates to Debian 8 (jessie) and I
>>> noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
>>>
>>> Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved
>>> Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync
>>> command line!
>>> Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute
>>> forbidden commands
>>> Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon .
>>>
>>> Is it really unsafe to issue a "rsync --server --daemon ." command so it
>>> deserves to be blocked?
> FYI this is the patch in question:
>
> https://sources.debian.org/src/rssh/2.3.4-11/debian/patches/0007-Verify-rsync-command-options.patch/#L15-L20
>
>
> Regards,
>

