The Samba-Bugzilla – Bug 11879
escape rrsync restricted folder
Last modified: 2018-11-15 22:40:37 UTC
It is possible to escape rrsync restricted folder by syncing (using rsync -a ...) a symbolic link to the parent folder and then syncing with this symbolic link.
Concretely, we could do:
ln -s .. parent
rsync -acrvz . login@server:
and then we can rsync with login@server:parent to read/write files in the parent folder of the restricted folder.
Created attachment 12132
Adding '--safe-links' or '--munge-links' on server side should fix this.
I actually hardcoded it on some of my servers. The version of rsync present didn't have the --munge-links option so I used --safe-links.
I'm not proposing this change be included, it's just a quick'n'dirty hack while someone more experienced has an actual fix.
Created attachment 14648
rrsync patch to avoid following symlinks out of the restricted dir
This patch fixes it a different way, by preventing rrsync from following symlinks out of the restricted dir rather than by blocking their creation.
This comes at the cost of adding a lock to prevent any other rrsync running at the same time as a write rrsync. Without that, an attacker could bypass the check by replacing a directory with a symlink after rrsync has checked it but before rsync has opened it.
It's still somewhat less secure than adding --munge-links, because it's more complex.
Created attachment 14658
revised patch that also abs_path checks option args
Revised patch: I forgot to abs_path check file option args
Created attachment 14662
rrsync patch again, third time's the charm
Revised patch again, disallow any rsync option that might cause it to follow a symlink out of the restricted dir.