samba-bugs at samba.org
2017-Jun-04 21:13 UTC
[Bug 12817] New: [PATCH] Allow daemon itself to chroot
https://bugzilla.samba.org/show_bug.cgi?id=12817
Bug ID: 12817
Summary: [PATCH] Allow daemon itself to chroot
Product: rsync
Version: 3.1.2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: core
Assignee: wayned at samba.org
Reporter: ben.rubson at gmail.com
QA Contact: rsync-qa at samba.org
Created attachment 13248
--> https://bugzilla.samba.org/attachment.cgi?id=13248&action=edit
rsync_daemon_chroot
Hello,
Here is a patch which adds 3 new parameters to rsyncd.conf :
    daemon chroot
    daemon gid
    daemon uid
The first one is a path to a directory the daemon itself will chroot to before
beginning communication with clients.
The 2 others are the uid/gid the daemon itself will switch to before beginning
communication with clients.
These parameters can improve security.
For example, using daemon via a restricted remote-shell connection, for
security reasons, if we want whole rsync to be chrooted, we can now use :
    daemon chroot = /home/%SUDO_USER%/rsync/
    daemon uid = %SUDO_UID%
    daemon gid = %SUDO_GID%
With of course rsync being sudo-called by the restricted shell (to configure
properly).
We could already do this without this patch, using the "use chroot" parameter,
but then the daemon itself is not chrooted and remains run by root.
Thank you !
Ben
--
You are receiving this mail because:
You are the QA Contact for the bug.
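The order of operations behind the parameters described in the report above (chroot first, then switch gid and uid, all before talking to clients), as an added example that is not part of this thread or of rsync's source. The names `confine_daemon` and `confine_in_child` and the id 65534 are hypothetical and constructed for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper, not rsync's code. Returns 0 on success, else the
 * number of the step that failed. Call it before accepting client input. */
int confine_daemon(const char *root, uid_t uid, gid_t gid)
{
    /* 1: chroot() needs root, so it has to precede the uid switch. */
    if (chroot(root) != 0) return 1;
    /* 2: without chdir() the working directory may still lie outside root. */
    if (chdir("/") != 0) return 2;
    /* 3: drop root's supplementary groups. */
    if (setgroups(0, NULL) != 0) return 3;
    /* 4, 5: gid first; once the uid is dropped, setgid() would be refused. */
    if (setgid(gid) != 0) return 4;
    if (setuid(uid) != 0) return 5;
    /* 6: the drop must be irreversible. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return 6;
    /* 7: real and effective ids must both match the targets. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) return 7;
    return 0;
}

/* Run confine_daemon() in a child so the caller keeps its own identity. */
int confine_in_child(const char *root, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(confine_daemon(root, uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* Constructed defaults: "/" as root and 65534 as an unprivileged id. */
    int step = confine_in_child(argc > 1 ? argv[1] : "/", 65534, 65534);
    printf("failed step: %d (0 = confined; 1 is expected without root)\n", step);
    return step != 0;
}
```

Anything the confined process still needs from outside the new root, such as a log file, has to be opened before step 1.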
samba-bugs at samba.org
2017-Jun-05 09:27 UTC
[Bug 12817] [PATCH] Allow daemon itself to chroot
https://bugzilla.samba.org/show_bug.cgi?id=12817
Ben RUBSON <ben.rubson at gmail.com> changed:
             What|Removed |Added
----------------------------------------------------------------------------
Attachment #13248|0       |1
      is obsolete|        |
--- Comment #1 from Ben RUBSON <ben.rubson at gmail.com> ---
Created attachment 13249
--> https://bugzilla.samba.org/attachment.cgi?id=13249&action=edit
rsync_daemon_chroot
Minor issue corrected : do not forget to init log before chrooting.
samba-bugs at samba.org
2017-Jun-05 09:46 UTC
[Bug 12817] [PATCH] Allow daemon itself to chroot
https://bugzilla.samba.org/show_bug.cgi?id=12817
Ben RUBSON <ben.rubson at gmail.com> changed:
             What|Removed |Added
----------------------------------------------------------------------------
Attachment #13249|0       |1
      is obsolete|        |
--- Comment #2 from Ben RUBSON <ben.rubson at gmail.com> ---
Created attachment 13250
--> https://bugzilla.samba.org/attachment.cgi?id=13250&action=edit
rsync_daemon_chroot
Minor issue corrected : do not forget to init log before chrooting + typo.
samba-bugs at samba.org
2017-Jun-05 13:31 UTC
[Bug 12817] [PATCH] Allow daemon itself to chroot
https://bugzilla.samba.org/show_bug.cgi?id=12817
Ben RUBSON <ben.rubson at gmail.com> changed:
             What|Removed |Added
----------------------------------------------------------------------------
Attachment #13250|0       |1
      is obsolete|        |
--- Comment #3 from Ben RUBSON <ben.rubson at gmail.com> ---
Created attachment 13251
--> https://bugzilla.samba.org/attachment.cgi?id=13251&action=edit
rsync_daemon_chroot
Minor issue corrected : do not forget to not sanitize_paths if daemon is
chrooted.
samba-bugs at samba.org
2017-Sep-04 21:23 UTC
[Bug 12817] [PATCH] Allow daemon itself to chroot
https://bugzilla.samba.org/show_bug.cgi?id=12817
Wayne Davison <wayned at samba.org> changed:
      What|Removed |Added
----------------------------------------------------------------------------
Resolution|---     |FIXED
    Status|NEW     |RESOLVED
--- Comment #4 from Wayne Davison <wayned at samba.org> ---
Thanks for the patch! I've tweaked it a little bit and committed it to git.
samba-bugs at samba.org
2017-Sep-04 21:30 UTC
[Bug 12817] [PATCH] Allow daemon itself to chroot
https://bugzilla.samba.org/show_bug.cgi?id=12817
--- Comment #5 from Ben RUBSON <ben.rubson at gmail.com> ---
Many thanks Wayne for having reworked & merged it !