---------- Forwarded message ----------
From: Russ Allbery <[EMAIL PROTECTED]>
Date: Fri, Aug 22, 2008 at 6:59 PM
Subject: Re: rssh package - patch to add rsync v3 support
To: Martin Langhoff <[EMAIL PROTECTED]>
Cc: Rahul Sundaram <[EMAIL PROTECTED]>, Debarshi Ray
<[EMAIL PROTECTED]>, Jesus Climent <[EMAIL PROTECTED]>,
XS Devel <server-devel@lists.laptop.org>, [EMAIL PROTECTED]


> It looks a much better cleanup of Rob's patch than mine. So if Rahul
> wants to include the patch, I'd suggest using yours instead of mine.
> And avoiding divergence on these little things is always a good idea.

For the record, and to save some effort, here's the patch attached.  I'm
not *completely* sure the check performed is entirely safe, but I stared
at it a lot and couldn't figure out what would break it.


--
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>




-- 
 [EMAIL PROTECTED]
 [EMAIL PROTECTED] -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff

As of rsync 3, rsync reused the -e option to pass protocol information
from the client to the server.  We therefore cannot reject all -e
options to rsync, only ones not sent with --server or containing
something other than protocol information as an argument.

Based on work by Robert Hardy.

Debian Bug#471803

--- rssh.orig/util.c
+++ rssh/util.c
@@ -56,6 +56,7 @@
 #ifdef HAVE_LIBGEN_H
 #include <libgen.h>
 #endif /* HAVE_LIBGEN_H */
+#include <regex.h>
 
 /* LOCAL INCLUDES */
 #include "pathnames.h"
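Review bot: `#include <regex.h>` at the top of this hunk is unconditional, while the `<libgen.h>` include directly above it is wrapped in `#ifdef HAVE_LIBGEN_H`. If util.c is still meant to build on systems without POSIX regex, this needs a matching configure check and guard; if POSIX regex is now a hard requirement, that should be stated in the build notes.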
@@ -187,6 +188,33 @@
 }
 
 /*
+ * check_rsync_e() - take the command line passed to rssh and look for a -e
+ *                   option.  If one is found, make sure --server is provided
+ *                   and the option contains only the protocol information.
+ *                   Returns 1 if the command line is safe; 0 otherwise.
+ */
+static int check_rsync_e( char *cl )
+{
+       int     status;
+       regex_t re;
+
+       /*
+        * This is more complicated than it looks because we don't want to
+        * trigger on the e in --server, but we do want to catch the common
+        * case of -ltpre.iL (which contains -e.).
+        */
+       static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
+
+       if ( strstr(cl, "--server") == NULL ) return 0;
+       if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
+               return 0;
+       }
+       status = regexec(&re, cl, 0, NULL, 0);
+       regfree(&re);
+       return (status == 0) ? 0 : 1;
+}
+
+/*
  * check_command_line() - take the command line passed to rssh, and verify
  *                       that the specified command is one the user is
  *                       allowed to run.  Return the path of the command
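Review bot: the pattern in check_rsync_e() inspects only the single character that follows the `e` (`e[^.0-9]`), so the function does not establish what its header comment promises, that the option "contains only the protocol information". An argument that begins with `.` or a digit passes without the rest of it being validated as protocol information, and an `e` that is the last character of the command line has nothing for `[^.0-9]` to match and is also treated as safe. I would match the whole option argument, up to the next whitespace or the end of the string, against an explicit allow-list for the protocol string, and treat a trailing bare `-e` as unsafe. Separately, `strstr(cl, "--server")` is satisfied by that substring anywhere in the command line, including inside a longer option name or a path argument; checking for `--server` as a whitespace-delimited token would match the stated intent.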
@@ -230,9 +258,9 @@
 
        if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
                /* filter -e option */
-               if ( opt_exist(cl, 'e') ){
+               if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
                        fprintf(stderr, "\ninsecure -e option not allowed.");
-                       log_msg("insecure -e option in rdist command line!");
+                       log_msg("insecure -e option in rsync command line!");
                        return NULL;
                }
                
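Review bot: the `/* filter -e option */` comment above the changed condition no longer describes the behaviour, since `-e` is now let through whenever check_rsync_e() accepts it. Please update the comment to state the rule that is enforced (reject `-e` unless `--server` is present and the argument is protocol information), so the next reader does not assume every `-e` is still filtered here.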
_______________________________________________
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
