Matt McCutchen
2005-Oct-13 14:34 UTC
Worrisome race condition involving half-transferred files
Rsync people,
Tell me if I'm wrong, but rsync seems to have a very serious race
condition that would make it risky to transfer files into a directory
writable by someone you don't trust if permissions are going to be
granted to other people on those files.
The rsync receiver creates a half-transferred file with 600 or 700
permissions; then the receiver writes the data and finalizes the
permissions with "set_perms".
Consider this scenario. User1 and user2 are both in a group "foo".
"/foo" is the group's shared space; anyone in "foo" can
write this
folder. User1 is using rsync to transfer a file "bar" into this
folder;
"bar" is also to be writable by anyone in "foo". Watch:
user1 rsync receiver: open("/foo/.bar.a1b2c3", O_WRONLY, 0600)
user1 rsync receiver: write a bunch of data to the file descriptor
user2: rm /foo/.bar.a1b2c3
user2: ln ~user1/.bashrc .bar.a1b2c3
user1 rsync receiver: write more data to the file descriptor
user1 rsync receiver: close the file descriptor
user1 rsync receiver: chmod("/foo/.bar.a1b2c3", 660)
Note that at this point the actual "bar" file is gone and user1 has
accidentally changed the permissions of her own "~/.bashrc" file.
user1 rsync receiver: chown("/foo/.bar.a1b2c3", user1, foo)
user2: write into ~user1/.bashrc:
"echo key-belonging-to-user2 >>~/.ssh/authorized_keys"
user1: start a bash
user2: ssh in and gain user1's privileges
This is bad. Having the receiver use fchmod, fchown, etc. on the file
descriptor would help. However, the fact that rsync uses paths from the
top of the transfer for just about everything makes me suspect there
might be other similarly dangerous race conditions.
--
Matt McCutchen, ``hashproduct''
hashproduct@verizon.net -- http://mysite.verizon.net/hashproduct/
Wayne Davison
2005-Oct-14 21:34 UTC
Worrisome race condition involving half-transferred files
On Thu, Oct 13, 2005 at 10:31:43AM -0400, Matt McCutchen wrote:> Tell me if I'm wrong, but rsync seems to have a very serious race > condition that would make it risky to transfer files into a directory > writable by someone you don't trust if permissions are going to be > granted to other people on those files.This is not something that is unique to rsync. For instance, if I hard-link a file in that dir to a file that is owned by root, and root uses "cp" to update that file, the hard-linked, root-owned file will be affected. One way to avoid a race like the one your cited is to use the --temp-dir option: as long as your --temp-dir is on the same partition as the destination dir and is only writable by you, you can avoid the permission-changing problem you cited. It might be worthwhile to also look into modifying rsync to use fchmod() when possible, but in reality, if you're updating files in a directory where you don't trust the users, there are lots of ways for them to cause you trouble. ..wayne..