samba-bugs at samba.org
2016-Apr-28 15:52 UTC
[Bug 11879] New: escape rrsync restricted folder
https://bugzilla.samba.org/show_bug.cgi?id=11879

            Bug ID: 11879
           Summary: escape rrsync restricted folder
           Product: rsync
           Version: 3.1.2
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: wayned at samba.org
          Reporter: fb102email-sambabugzilla at yahoo.fr
        QA Contact: rsync-qa at samba.org

It is possible to escape rrsync restricted folder by syncing (using rsync -a ...) a symbolic link to the parent folder and then syncing with this symbolic link.

Concretely, we could do:

    ln -s .. parent
    rsync -acrvz . login@server:

and then we can rsync with login@server:parent to read/write files in the parent folder of the restricted folder.

--
You are receiving this mail because:
You are the QA Contact for the bug.

https://bugzilla.samba.org/show_bug.cgi?id=11879

g.parrondo at gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |g.parrondo at gmail.com

--- Comment #1 from g.parrondo at gmail.com ---
Created attachment 12132
  --> https://bugzilla.samba.org/attachment.cgi?id=12132&action=edit
hardcode safe-links

Adding '--safe-links' or '--munge-links' on server side should fix this. I actually hardcoded it on some of my servers. The version of rsync present didn't have the --munge-links option so I used --safe-links.

I'm not proposing this change be included, it's just a quick'n'dirty hack while someone more experienced has an actual fix.

https://bugzilla.samba.org/show_bug.cgi?id=11879

Nick Cleaton <nick at cleaton.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nick at cleaton.net

--- Comment #2 from Nick Cleaton <nick at cleaton.net> ---
Created attachment 14648
  --> https://bugzilla.samba.org/attachment.cgi?id=14648&action=edit
rrysnc patch to avoid following symlinks out of the restricted dir

This patch fixes it a different way, by preventing rrsync from following symlinks out of the restricted dir rather than by blocking their creation.

This comes at the cost of adding a lock to prevent any other rrsync running at the same time as a write rrsync. Without that, an attacker could bypass the check by replacing a directory with a symlink after rrsync has checked it but before rsync has opened it.

It's still somewhat less secure than adding --munge-links, because it's more complex.

https://bugzilla.samba.org/show_bug.cgi?id=11879

Nick Cleaton <nick at cleaton.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #14648|0                           |1
        is obsolete|                            |

--- Comment #3 from Nick Cleaton <nick at cleaton.net> ---
Created attachment 14658
  --> https://bugzilla.samba.org/attachment.cgi?id=14658&action=edit
revised patch that also abs_path checks option args

revised patch: I forgot to abs_path check file option args

https://bugzilla.samba.org/show_bug.cgi?id=11879

Nick Cleaton <nick at cleaton.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #14658|0                           |1
        is obsolete|                            |

--- Comment #4 from Nick Cleaton <nick at cleaton.net> ---
Created attachment 14662
  --> https://bugzilla.samba.org/attachment.cgi?id=14662&action=edit
rrsync patch again, third time's the charm

Revised patch again, disallow any rsync option that might cause it to follow a symlink out of the restricted dir.

https://bugzilla.samba.org/show_bug.cgi?id=11879

Wayne Davison <wayne at opencoder.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #5 from Wayne Davison <wayne at opencoder.net> ---
The latest rsync has a default lock similar to what you proposed (it just locks the restricted dir, not a separate file) and the improved arg checking and rejected symlink-copying options. It also accepts a "-munge" option (in the accepted_keys file) that can be used to enable rsync's symlink munging, possibly combined with a new "-no-lock" option to disable the new single-use instance locking.

Thanks for your patch, and apologies that it is so late.
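
An added example, not part of the bug thread and not rrsync's own code: a server-side audit that lists symlinks under an rrsync restricted directory whose targets resolve outside it, such as the `parent -> ..` link from the report. The function names and the temporary sample tree are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(restricted_dir):
    """Return sorted (link path relative to the restricted dir, resolved target)
    pairs for every symlink under restricted_dir that resolves outside it."""
    root = os.path.realpath(restricted_dir)
    found = []
    # followlinks=False: symlinked directories are listed but never descended into,
    # so the audit itself cannot be led out of the restricted directory.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained and relative links
            # Containment test on whole path components, not on string prefixes.
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, root), target))
    return sorted(found)


def build_sample_tree():
    """Constructed sample: a restricted dir holding safe and escaping links."""
    base = os.path.realpath(tempfile.mkdtemp())
    restricted = os.path.join(base, "restricted")
    os.makedirs(os.path.join(restricted, "data"))
    open(os.path.join(restricted, "data", "file.txt"), "w").close()
    os.symlink("..", os.path.join(restricted, "parent"))          # link from the report
    os.symlink("data", os.path.join(restricted, "inside"))        # stays inside
    os.symlink(".", os.path.join(restricted, "self"))             # resolves to the root
    os.symlink("../..", os.path.join(restricted, "data", "up2"))  # also escapes
    return base, restricted


if __name__ == "__main__":
    base, restricted = build_sample_tree()
    for rel, target in escaping_symlinks(restricted):
        print(f"{rel} -> {target}")
```

This is a point-in-time audit: as comment #2 notes, a link can be swapped in after a check, so it complements the locking and link munging discussed above rather than replacing them.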