rssh security update breaks rsync via Synology's "hyper backup"
Hi security-fellows,
I applied recent rssh security updates to Debian 8 (jessie) and I
noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
The relevant log lines at my Debian server:
Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved
Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync command line!
Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute forbidden commands
Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon .
Is it really unsafe to issue a "rsync --server --daemon ." command so it
deserves to be blocked?
PS: OS info:
root@roman:~# cat /etc/debian_version
8.11
root@roman:~# dpkg -l rssh
Deseado=desconocido(U)/Instalar/eliminaR/Purgar/retener(H)
| Estado=No/Inst/ficheros-Conf/desempaqUetado/medio-conF/medio-inst(H)/espera-disparo(W)/pendienTe-disparo
|/ Err?=(ninguno)/requiere-Reinst (Estado,Err: mayúsc.=malo)
||/ Nombre Versión Arquitectura Descripción
+++-=====================================-=======================-=======================-================================================================================
ii rssh 2.3.4-4+deb8u2 amd64 Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist
PS2: I'm not subscribed to LTS-list, but I guess the problem may be both
in stable and oldstable versions.
Cheers,
-Román