Matt McCutchen
2007-Feb-15 03:31 UTC
Client can trick daemon into running server code with am_server == 0
Dear rsync people (particularly Wayne),

I noticed that an rsync daemon counts on the client sending a --server option so that am_server gets set to 1. If the client doesn't supply this option, am_server remains 0 but the daemon runs start_server anyway. This is potentially dangerous and might lead to a security hole, although I haven't found one yet. I suggest that the daemon either set am_server = 1 explicitly or drop the connection with an error if the client doesn't supply --server.

Matt
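The pattern described in the message above, as an added example that is not part of the original post and is not rsync source code: a role flag that only peer-supplied arguments can set, next to the two remedies the message proposes. Every name except am_server is hypothetical, and the argument vectors are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not rsync source. All names are hypothetical except
 * am_server, which mirrors the flag discussed in the thread. */
static int am_server;

enum role_policy { TRUST_CLIENT, FORCE_SERVER, REQUIRE_FLAG };

/* Stand-in for an option parser fed with arguments sent by the peer:
 * the role flag changes only if the peer chose to send --server. */
static void parse_client_args(int argc, const char **argv)
{
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "--server") == 0)
            am_server = 1;
}

/* Daemon-side handling of one request. Returns -1 if the connection
 * should be dropped, otherwise the am_server value the server code
 * path would run with. */
static int daemon_handle_args(enum role_policy policy, int argc, const char **argv)
{
    am_server = 0;              /* the daemon itself starts with 0 */
    parse_client_args(argc, argv);
    switch (policy) {
    case TRUST_CLIENT:          /* behaviour reported in the message */
        break;
    case FORCE_SERVER:          /* remedy 1: set the flag explicitly */
        am_server = 1;
        break;
    case REQUIRE_FLAG:          /* remedy 2: drop the connection */
        if (!am_server)
            return -1;
        break;
    }
    return am_server;
}

/* Constructed sample argument vectors, with and without --server. */
static const char *with_flag[] = { "--server", "--sender", ".", "module/" };
static const char *without_flag[] = { "--sender", ".", "module/" };

int main(void)
{
    printf("trust=%d force=%d require=%d\n",
           daemon_handle_args(TRUST_CLIENT, 3, without_flag),
           daemon_handle_args(FORCE_SERVER, 3, without_flag),
           daemon_handle_args(REQUIRE_FLAG, 3, without_flag));
    return 0;
}
```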
Qi Yong
2007-Feb-15 05:56 UTC
Client can trick daemon into running server code with am_server == 0
Matt McCutchen wrote:
> Dear rsync people (particularly Wayne),
>
> I noticed that an rsync daemon counts on the client sending a --server
> option so that am_server gets set to 1. If the client doesn't supply

This can only happen in the remote-shell situation, not at any anonymous connections. So I think it's safe imho.

> this option, am_server remains 0 but the daemon runs start_server
> anyway. This is potentially dangerous and might lead to a security
> hole, although I haven't found one yet. I suggest that the daemon
> either set am_server = 1 explicitly or drop the connection with an
> error if the client doesn't supply --server.

--
Qi Yong
Wayne Davison
2007-Feb-16 01:23 UTC
Client can trick daemon into running server code with am_server == 0
On Wed, Feb 14, 2007 at 10:31:18PM -0500, Matt McCutchen wrote:
> I noticed that an rsync daemon counts on the client sending a --server
> option so that am_server gets set to 1.

Yeah, we don't want that. I checked in this change:

--- clientserver.c 4 Feb 2007 14:54:59 -0000 1.195 +++ clientserver.c 16 Feb 2007 01:20:29 -0000 1.196 @@ -626,6 +626,7 @@ static int rsync_module(int f_in, int f_ verbose = 0; /* future verbosity is controlled by client options */ ret = parse_arguments(&argc, (const char ***) &argv, 0); quiet = 0; /* Don't let someone try to be tricky. */ + am_server = 1; /* ditto */ if (lp_ignore_errors(module_id)) ignore_errors = 1;

..wayne..
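Review bot: am_server is forced to 1 only after parse_arguments() has returned, so for the whole of option parsing it still holds whatever it had before the call or whatever the client's arguments gave it; any option handling reached from parse_arguments() that reads am_server would act on that value. Consider also assigning am_server = 1 before the parse_arguments() call while keeping this post-parse assignment, or confirm that nothing on the parse path consults it. The comment /* ditto */ only makes sense next to the quiet = 0 line; a self-contained comment saying the daemon must not depend on the client sending --server would survive later edits to that neighbouring line.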