
Re: rssh security update breaks rsync via Synology's "hyper backup"



On 14/02/2019 18:06, Roman Medina-Heigl Hernandez wrote:
> Hi security-fellows,
> 
> I applied recent rssh security updates to Debian 8 (jessie) and I
> noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
> 
> The relevant log lines at my Debian server:
> 
> Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved
> Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync
> command line!
> Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute
> forbidden commands
> Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon .
> 
> Is it really unsafe to issue a "rsync --server --daemon ." command so it
> deserves to be blocked?

There was a regression in the rssh security update. It has already been fixed in
stretch; expect an update for jessie soon.

Cheers,
Emilio

