Bug 11879 - escape rrsync restricted folder
escape rrsync restricted folder
Status: NEW
Product: rsync
Classification: Unclassified
Component: core
3.1.2
All All
: P5 normal
: ---
Assigned To: Wayne Davison
Rsync QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-28 15:52 UTC by fb102email-sambabugzilla
Modified: 2018-11-15 22:40 UTC (History)
2 users (show)

See Also:


Attachments
hardcode safe-links (345 bytes, text/plain)
2016-05-26 16:12 UTC, g.parrondo
no flags Details
rrysnc patch to avoid following symlinks out of the restricted dir (2.28 KB, patch)
2018-11-13 06:23 UTC, Nick Cleaton
no flags Details
revised patch that also abs_path checks option args (2.48 KB, patch)
2018-11-14 06:35 UTC, Nick Cleaton
no flags Details
rrsync patch again, third time's the charm (3.62 KB, patch)
2018-11-15 22:40 UTC, Nick Cleaton
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description fb102email-sambabugzilla 2016-04-28 15:52:40 UTC
It is possible to escape rrsync restricted folder by syncing (using rsync -a ...) a symbolic link to the parent folder and then syncing with this symbolic link.

Concretely, we could do:

ln -s .. parent
rsync -acrvz . login@server:

and then we can rsync with login@server:parent to read/write files in the parent folder of the restricted folder.
Comment 1 g.parrondo 2016-05-26 16:12:06 UTC
Created attachment 12132 [details]
hardcode safe-links

Adding '--safe-links' or '--munge-links' on server side should fix this. 

I actually hardcoded it on some of my servers. The version of rsync present didn't have the --munge-links option so I used --safe-links.

I'm not proposing this change be included, it's just a quick'n'dirty hack while someone more experienced has an actual fix.
Comment 2 Nick Cleaton 2018-11-13 06:23:43 UTC
Created attachment 14648 [details]
rrysnc patch to avoid following symlinks out of the restricted dir

This patch fixes it a different way, by preventing rrysnc from following symlinks out of the restricted dir rather than by blocking their creation.

This comes at the cost of adding a lock to prevent any other rrsync running at the same time as a write rrsync. Without that, an attacker could bypass the check by replacing a directory with a symlink after rrsync has checked it but before rsync has opened it.

It's still somewhat less secure than adding --munge-links, because it's more complex.
Comment 3 Nick Cleaton 2018-11-14 06:35:09 UTC
Created attachment 14658 [details]
revised patch that also abs_path checks option args

revised patch: I forgot to abs_path check file option args
Comment 4 Nick Cleaton 2018-11-15 22:40:37 UTC
Created attachment 14662 [details]
rrsync patch again, third time's the charm

Revised patch again, disallow any rsync option that might cause it to follow a symlink out of the restricted dir.