Just as we have worked hard recently to secure daemons from untrusted clients, I think we should try to secure clients that pull data from untrusted daemons.  One of the easiest ways a daemon could compromise a client is to send a symlink to a sensitive area and a file under the symlink, e.g., "foo" -> "/home/matt" and "foo/.ssh/authorized_keys".  This is essentially the same exploit that necessitates symlink munging for not-purely-chroot daemon modules, just turned around.

I would like to be able to prevent this exploit while still storing some representation of the daemon's symlinks in the destination.  A natural way to support this would be to add a client-side option --munge-symlinks that munges received symlinks and unmunges sent symlinks just like the daemon parameter.  (Of course, the prefix "/rsyncd-munged/" isn't quite accurate for a client, but let's use it anyway for compatibility.)  --munge-symlinks would also make it possible to work around bug 4037 when the receiver is not a daemon.