Bug 11879 - escape rrsync restricted folder
Summary: escape rrsync restricted folder
Status: RESOLVED FIXED
Alias: None
Product: rsync
Classification: Unclassified
Component: core
Version: 3.1.2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-28 15:52 UTC by fb102email-sambabugzilla
Modified: 2021-12-28 02:12 UTC

See Also:


Attachments
hardcode safe-links (345 bytes, text/plain)
2016-05-26 16:12 UTC, g.parrondo
rrsync patch to avoid following symlinks out of the restricted dir (2.28 KB, patch)
2018-11-13 06:23 UTC, Nick Cleaton
revised patch that also abs_path checks option args (2.48 KB, patch)
2018-11-14 06:35 UTC, Nick Cleaton
rrsync patch again, third time's the charm (3.62 KB, patch)
2018-11-15 22:40 UTC, Nick Cleaton

Description fb102email-sambabugzilla 2016-04-28 15:52:40 UTC
It is possible to escape the rrsync restricted folder by syncing (using rsync -a ...) a symbolic link to the parent folder and then syncing with this symbolic link.

Concretely, we could do:

ln -s .. parent
rsync -acrvz . login@server:

and then we can rsync with login@server:parent to read/write files in the parent folder of the restricted folder.
Comment 1 g.parrondo 2016-05-26 16:12:06 UTC
Created attachment 12132 [details]
hardcode safe-links

Adding '--safe-links' or '--munge-links' on the server side should fix this.

I actually hardcoded it on some of my servers. The version of rsync present didn't have the --munge-links option so I used --safe-links.

I'm not proposing this change be included, it's just a quick'n'dirty hack while someone more experienced has an actual fix.
Comment 2 Nick Cleaton 2018-11-13 06:23:43 UTC
Created attachment 14648 [details]
rrsync patch to avoid following symlinks out of the restricted dir

This patch fixes it a different way, by preventing rrsync from following symlinks out of the restricted dir rather than by blocking their creation.

This comes at the cost of adding a lock to prevent any other rrsync running at the same time as a write rrsync. Without that, an attacker could bypass the check by replacing a directory with a symlink after rrsync has checked it but before rsync has opened it.

It's still somewhat less secure than adding --munge-links, because it's more complex.
Comment 3 Nick Cleaton 2018-11-14 06:35:09 UTC
Created attachment 14658 [details]
revised patch that also abs_path checks option args

Revised patch: I forgot to abs_path-check the file option args.
Comment 4 Nick Cleaton 2018-11-15 22:40:37 UTC
Created attachment 14662 [details]
rrsync patch again, third time's the charm

Revised patch again: disallow any rsync option that might cause it to follow a symlink out of the restricted dir.
Comment 5 Wayne Davison 2021-12-28 02:12:31 UTC
The latest rsync has a default lock similar to what you proposed (it just locks the restricted dir, not a separate file) and the improved arg checking and rejected symlink-copying options. It also accepts a "-munge" option (in the accepted_keys file) that can be used to enable rsync's symlink munging, possibly combined with a new "-no-lock" option to disable the new single-use instance locking.

Thanks for your patch, and apologies that it is so late.
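The three defences discussed in comments 2 through 5 (resolving every path argument with realpath and requiring it to stay inside the restricted dir, rejecting rsync options that follow symlinks, and holding a lock on the restricted dir across the check and the run so a directory cannot be swapped for a symlink in between) are shown below as an added Python example. This is not the attached patch and not rrsync's own code (rrsync was a Perl script at the time of this bug). The sets of rejected and path-valued options are assumptions for the example, since the bug page does not enumerate them, and the test layout with the reporter's `parent -> ..` symlink is constructed in a temporary directory.

```python
"""Containment, option and locking checks of the kind discussed in rsync
bug 11879, as an added example. Not rrsync's code: the option lists below
are assumptions, and the directory layout is constructed in a temp dir."""
import fcntl
import os
import tempfile

# Options that make rsync follow a symlink to its target instead of
# copying the link. Assumed list for the example; the bug page does not
# enumerate which options the patch rejects.
SYMLINK_FOLLOWING_OPTS = {
    "-L", "--copy-links", "--copy-unsafe-links",
    "--copy-dirlinks", "-K", "--keep-dirlinks",
}
# Long options whose value is a path that rsync will open. Assumed list.
PATH_VALUED_OPTS = {
    "--files-from", "--include-from", "--exclude-from", "--log-file",
    "--temp-dir", "--compare-dest", "--copy-dest", "--link-dest",
    "--partial-dir",
}


def inside_restricted(restricted_dir, path):
    """True only if `path`, relative to the restricted dir and with every
    symlink resolved, is the restricted dir itself or lies beneath it.
    An absolute `path` replaces the join result, so it is checked as-is."""
    root = os.path.realpath(restricted_dir)
    target = os.path.realpath(os.path.join(root, path))
    return target == root or target.startswith(root + os.sep)


def check_args(restricted_dir, args):
    """Reject symlink-following options (long form or bundled in a short
    cluster such as -aL), path-valued option values and bare path args
    that resolve outside the restricted dir. Returns (ok, reason)."""
    for arg in args:
        if arg in SYMLINK_FOLLOWING_OPTS:
            return False, f"{arg}: may follow a symlink out of the restricted dir"
        if arg.startswith("--"):
            opt, _, value = arg.partition("=")
            if opt in PATH_VALUED_OPTS and value and not inside_restricted(restricted_dir, value):
                return False, f"{arg}: path resolves outside the restricted dir"
            continue
        if arg.startswith("-") and len(arg) > 1:
            bundled = set(arg[1:]) & {"L", "K"}
            if bundled:
                return False, f"{arg}: bundled -{bundled.pop()} may follow a symlink out"
            continue
        if not inside_restricted(restricted_dir, arg):
            return False, f"{arg}: path resolves outside the restricted dir"
    return True, "ok"


def run_locked(restricted_dir, args, action):
    """Hold an exclusive flock on the restricted dir itself (as comment 5
    describes) across both the argument check and the action, so a
    directory cannot be replaced by a symlink between the two (the race
    comment 2 warns about). Returns (result, reason); result is None when
    the check fails."""
    fd = os.open(restricted_dir, os.O_RDONLY)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        ok, reason = check_args(restricted_dir, args)
        return (action() if ok else None), reason
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def demo():
    """Recreate the report's layout in a temp dir: a restricted dir holding
    a real file and the `parent -> ..` symlink, then run the checks."""
    base = tempfile.mkdtemp()
    restricted = os.path.join(base, "restricted")
    os.makedirs(os.path.join(restricted, "data"))
    with open(os.path.join(restricted, "data", "file.txt"), "w") as fh:
        fh.write("inside\n")
    os.symlink("..", os.path.join(restricted, "parent"))  # the report's `ln -s .. parent`
    return {
        "real_file": inside_restricted(restricted, "data/file.txt"),
        "link_itself": inside_restricted(restricted, "parent"),
        "via_link": inside_restricted(restricted, "parent/secret"),
        "dotdot": inside_restricted(restricted, "../secret"),
        "absolute": inside_restricted(restricted, "/etc/passwd"),
        "plain_args": check_args(restricted, ["-avz", ".", "data"])[0],
        "copy_links": check_args(restricted, ["-aL", "."])[0],
        "files_from": check_args(restricted, ["--files-from=parent/list", "."])[0],
        "locked": run_locked(restricted, ["-a", "data"], lambda: "synced")[0],
        "locked_reject": run_locked(restricted, ["-a", "parent"], lambda: "synced")[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The realpath check alone is what the reporter's `parent` link defeats in a string-prefix check: `restricted/parent` looks like it starts with the restricted dir, but resolves to its parent. The lock matters because the path is resolved by this script while the file is later opened by rsync; without holding the directory lock across both, a writer that swaps a directory for a symlink between the two steps would pass the check.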