The Samba-Bugzilla – Bug 1573
module revealed thru error msg even with "list = no"
Last modified: 2005-03-16 16:48:20 UTC
"list = no" correctly hides via rsync _server_::, however if one tries
rsync _server_::_existing-module_/ and does not have permission, one gets
@ERROR: access denied to _user_ from _client_, whereas an attempt for a
non-existent module emits @ERROR: Unknown module '_non-existent-module_'.
If "list = no" is used for security purposes (can't think of another reason at
the moment), this can be considered a security bug and thus I left severity at
normal instead of labeling it minor.
It's easy enough to lie to the user and tell them that the module is unknown
when they fail to access a module that has "list = no" set (while still logging
the real error into the server's log file). I've checked-in a change to CVS.
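
The behaviour described in the comment above, sketched as an added example (not rsync's own code and not the change checked in to CVS): for a module with "list = no", an access failure produces the same client reply as a non-existent module, while the log keeps the real reason. The module table, the `build_error` function and the log-line wording are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed module table; list = 0 models "list = no". */
struct module { const char *name; int list; };
static const struct module modules[] = {
    { "pub",    1 },
    { "backup", 0 },
};

static const struct module *find_module(const char *name)
{
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++)
        if (strcmp(modules[i].name, name) == 0)
            return &modules[i];
    return NULL;
}

/* Fill the client reply and the server log line for a module request.
 * `allowed` is the result of the access check (hypothetical input).
 * Returns 0 when access is granted, 1 when an error reply was built. */
int build_error(const char *req, const char *user, const char *host, int allowed,
                char *reply, size_t rlen, char *logline, size_t llen)
{
    const struct module *m = find_module(req);
    reply[0] = logline[0] = '\0';
    if (m == NULL) {
        snprintf(reply, rlen, "@ERROR: Unknown module '%s'", req);
        snprintf(logline, llen, "unknown module '%s' requested from %s", req, host);
        return 1;
    }
    if (allowed)
        return 0;
    /* The real reason always goes to the server log. */
    snprintf(logline, llen, "access denied to %s from %s (module %s)", user, host, req);
    if (m->list)
        snprintf(reply, rlen, "@ERROR: access denied to %s from %s", user, host);
    else /* hidden module: reply is identical to the unknown-module case */
        snprintf(reply, rlen, "@ERROR: Unknown module '%s'", req);
    return 1;
}

int main(void)
{
    char r[128], l[128];
    build_error("backup", "alice", "192.0.2.7", 0, r, sizeof r, l, sizeof l);
    printf("client: %s\nlog:    %s\n", r, l);
    return 0;
}
```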