It strikes me that the excluded_below mechanism at the beginning of recv_generator is useless from a security perspective. When a client pushes a daemon-excluded directory, the excluded_below mechanism causes the pushed contents of the directory to be skipped as well as the directory itself. However, the client can just as easily push descendant files individually. If the daemon administrator wants to stop that, she has to use a "/secret/***"-style rule (as the man page has recommended since rsync 2.6.4), and then excluded_below serves no purpose.

I propose removing excluded_below. This would only make daemons that are already insecure more glaringly so, and it would have the benefits of simplifying the code and making any weaknesses in the daemon-exclude checking more likely to be discovered.

Matt
On Sun, Mar 09, 2008 at 08:24:53PM -0400, Matt McCutchen wrote:
> I propose removing excluded_below. This would only make daemons that
> are already insecure more glaringly so, and it would have the benefits
> of simplifying the code and making any weaknesses in the daemon-exclude
> checking more likely to be discovered.

I decided to fix some of the problems with daemon exclusions instead. I also simplified the exclude code in the generator so that it shares some of the missing_below code instead of having its own, duplicative, excluded_below variables. The latest version in the git repository has thwarted my attempts at receiving or sending files inside an excluded directory.

..wayne..
On Tue, 2008-03-18 at 11:51 -0700, Wayne Davison wrote:
> The latest version in the git repository has thwarted my attempts at
> receiving or sending files inside an excluded directory.

With "exclude = /secret" in the configuration file, I can still pull the contents of a daemon-excluded directory like this:

    rsync-dev -r -vi rsync://user@localhost:3141/module/./secret/ download/

And like this:

    rsync-dev -r -vi --files-from=<(echo secret/) --no-R rsync://user@localhost:3141/module/ download/

BTW, what is the purpose of leaving the path truncated in "filter_server_path"? This makes it possible to distinguish between a nonexistent and a daemon-excluded dir /secret by trying to pull /secret/X/ and seeing whether the path in the error message is truncated.

Matt
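The thread turns on the difference between the "exclude = /secret" rule in Matt's test configuration and the "/secret/***" form the man page recommends. The following is an added example, not code from the thread or from rsync itself: a small Python model of rsync's exclude-pattern semantics (leading "/" anchors at the module root, "*" does not cross "/", "**" does, and a "/***" suffix covers the directory plus everything under it), applied to the module-relative paths a client might name. The sample paths, the rule lists and the helper names (rsync_rule_to_regex, daemon_excludes, coverage) are constructed for this example; the model assumes the daemon checks every module-relative path a client asks to send or receive, which is precisely the assumption the reported bypasses are probing.

```python
import re


def rsync_rule_to_regex(pattern):
    """Translate a simplified rsync exclude pattern into a regex that is
    fullmatch()ed against a module-relative path (no leading slash).

    Covered: a leading '/' (anchor at the module root), '*' (does not
    cross '/'), '**' (crosses '/'), '?', and the '/***' suffix (the
    directory itself plus everything under it). Trailing-'/' dir-only
    rules and the other rule modifiers are not modelled.
    """
    anchored = pattern.startswith("/")
    if anchored:
        pattern = pattern[1:]
    dir_and_contents = pattern.endswith("/***")
    if dir_and_contents:
        pattern = pattern[:-len("/***")]

    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # '**' may span directory separators
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")       # '*' stays within one component
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    body = "".join(parts)
    if dir_and_contents:
        body += "(?:/.*)?"              # the directory itself or any descendant
    # An unanchored pattern is matched against the end of the pathname.
    prefix = "" if anchored else "(?:.*/)?"
    return re.compile(prefix + body)


def daemon_excludes(path, rules):
    """Return the first rule that matches `path`, or None if it is allowed.

    Model assumption (not verified against rsync's code): the daemon
    applies its exclude list to every module-relative path the client
    names, whether it is pushing or pulling.
    """
    path = path.strip("/")
    for rule in rules:
        if rsync_rule_to_regex(rule).fullmatch(path):
            return rule
    return None


# Constructed sample: paths a client might name against a module whose
# administrator wants /secret kept off-limits.
CLIENT_PATHS = [
    "secret",                 # the excluded directory itself
    "secret/key.pem",         # a descendant pushed or pulled individually
    "secret/deeper/id_rsa",   # a deeper descendant
    "public/readme",          # unrelated, should always be allowed
    "work/secret",            # same name elsewhere in the tree
]
WEAK_RULES = ["/secret"]        # the rule from Matt's test configuration
FIXED_RULES = ["/secret/***"]   # the form the man page recommends


def coverage(rules):
    """Map each sample path to the rule that blocks it (None = allowed)."""
    return {p: daemon_excludes(p, rules) for p in CLIENT_PATHS}


if __name__ == "__main__":
    for rules in (WEAK_RULES, FIXED_RULES):
        print("exclude = " + rules[0])
        for p, hit in coverage(rules).items():
            print("  %-24s %s" % (p, "BLOCKED by " + hit if hit else "allowed"))
```

Under the bare "/secret" rule only the directory entry itself matches; "secret/key.pem" and "secret/deeper/id_rsa" are allowed, which is why the model needs an excluded_below-style mechanism to catch descendants that arrive as part of a pushed directory, and why a client that names the descendants directly gets past it. Under "/secret/***" every path at or below the directory matches on its own, so nothing depends on how the client chose to name it. Note also that "/secret" does not cover "work/secret", whereas an unanchored "secret" rule would.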