Public bug reported:

Binary package hint: scponly

Binary package hint: scponly-full

The package scponly-full that allows chrooted scponly access prevents
rsync from being used to transfer files, due to the presence of a "-e"
option.

Versions

$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04

$ apt-cache policy scponly-full
scponly-full:
  Installed: 4.8-4
  Candidate: 4.8-4
  Version table:
 *** 4.8-4 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

da...@ubuntu:~$ apt-cache policy rsync
rsync:
  Installed: 3.0.7-1ubuntu1
  Candidate: 3.0.7-1ubuntu1
  Version table:
 *** 3.0.7-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

Steps To Reproduce

Install clean VM of Lucid server, patch, install latest scponly-full and
then create a test scponly user. Unfortunately there is a bug in the
current Lucid scponly-full package that prevents this from working out
of the box, so had to follow the process and workaround documented in
bug 668366:

https://bugs.launchpad.net/ubuntu/+source/scponly/+bug/668366

Once scponly-full is working correctly, create some test content and try
copying the data to the scponly user's incoming directory:

cd ~
mkdir dir1
echo hello > dir1/file1
rsync -rvvvvvvvvv dir1 scponly-patc...@localhost:/incoming

Client output:

rsync -rvvvvvvvvv dir1 scponly-patc...@localhost:/incoming
FILE_STRUCT_LEN=24, EXTRA_LEN=4
cmd=<NULL> machine=localhost user=scponly-patched path=/incoming
cmd[0]=ssh cmd[1]=-l cmd[2]=scponly-patched cmd[3]=localhost cmd[4]=rsync cmd[5]=--server cmd[6]=-vvvvvvvvvre.iLsf cmd[7]=. cmd[8]=/incoming
opening connection using: ssh -l scponly-patched localhost rsync --server -vvvvvvvvvre.iLsf . /incoming
note: iconv_open("UTF-8", "UTF-8") succeeded.

Tailing server auth.log shows:

Nov 2 09:24:59 ubuntu sshd[1427]: Accepted password for scponly-patched from ::1 port 36359 ssh2
Nov 2 09:24:59 ubuntu sshd[1427]: pam_unix(sshd:session): session opened for user scponly-patched by (uid=0)
Nov 2 09:24:59 ubuntu scponly[1443]: option 'e' or a related long option is not permitted for use with /usr/bin/rsync (arg was .iLsf) (username: scponly-patched(1002), IP/port: ::1 36359 22))
Nov 2 09:24:59 ubuntu scponly[1443]: requested command (/usr/bin/rsync --server -vvvvvvvvvre.iLsf . /incoming) tried to use disallowed argument (username: scponly-patched(1002), IP/port: ::1 36359 22))
Nov 2 09:24:59 ubuntu sshd[1442]: Received disconnect from ::1: 11: disconnected by user
Nov 2 09:24:59 ubuntu sshd[1427]: pam_unix(sshd:session): session closed for user scponly-patched

Enable more verbose debugging on the server:

echo 2 > /etc/scponly/debuglevel

Verbose client output:

da...@ubuntu:~$ rsync -rvvvvvvvvv dir1 scponly-patc...@localhost:/incoming
FILE_STRUCT_LEN=24, EXTRA_LEN=4
cmd=<NULL> machine=localhost user=scponly-patched path=/incoming
cmd[0]=ssh cmd[1]=-l cmd[2]=scponly-patched cmd[3]=localhost cmd[4]=rsync cmd[5]=--server cmd[6]=-vvvvvvvvvre.iLsf cmd[7]=. cmd[8]=/incoming
opening connection using: ssh -l scponly-patched localhost rsync --server -vvvvvvvvvre.iLsf . /incoming
note: iconv_open("UTF-8", "UTF-8") succeeded.
scponly-patc...@localhost's password:
scponly[1516]: chrooted binary in place, will chroot()
scponly[1516]: 3 arguments in total.
scponly[1516]: arg 0 is scponlyc
scponly[1516]: arg 1 is -c
scponly[1516]: arg 2 is rsync --server -vvvvvvvvvre.iLsf . /incoming
scponly[1516]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[1516]: determined USER is "scponly-patched" from environment
scponly[1516]: retrieved home directory of "/home/scponly-patched" for user "scponly-patched"
scponly[1516]: chrooting to dir: "/home/scponly-patched"
scponly[1516]: chdiring to dir: "/"
scponly[1516]: setting uid to 1002
scponly[1516]: processing request: "rsync --server -vvvvvvvvvre.iLsf . /incoming"
scponly[1516]: Using getopt processing for cmd /usr/bin/rsync (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: getopt processing returned 'e' (username: scponly-patched(1002), IP/port: ::1 36361 22)
scponly[1516]: option 'e' or a related long option is not permitted for use with /usr/bin/rsync (arg was .iLsf) (username: scponly-patched(1002), IP/port: ::1 36361 22))
scponly[1516]: requested command (/usr/bin/rsync --server -vvvvvvvvvre.iLsf . /incoming) tried to use disallowed argument (username: scponly-patched(1002), IP/port: ::1 36361 22))
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
[sender] _exit_cleanup(code=12, file=io.c, line=601): entered
rsync error: error in rsync protocol data stream (code 12) at io.c(601) [sender=3.0.7]
[sender] _exit_cleanup(code=12, file=io.c, line=601): about to call exit(12)

Tailing verbose server auth.log shows:

Nov 2 09:26:40 ubuntu sshd[1500]: Accepted password for scponly-patched from ::1 port 36361 ssh2
Nov 2 09:26:40 ubuntu sshd[1500]: pam_unix(sshd:session): session opened for user scponly-patched by (uid=0)
Nov 2 09:26:40 ubuntu scponly[1516]: chrooted binary in place, will chroot()
Nov 2 09:26:40 ubuntu scponly[1516]: 3 arguments in total.
Nov 2 09:26:40 ubuntu scponly[1516]: #011arg 0 is scponlyc
Nov 2 09:26:40 ubuntu scponly[1516]: #011arg 1 is -c
Nov 2 09:26:40 ubuntu scponly[1516]: #011arg 2 is rsync --server -vvvvvvvvvre.iLsf . /incoming
Nov 2 09:26:40 ubuntu scponly[1516]: opened log at LOG_AUTHPRIV, opts 0x00000029
Nov 2 09:26:40 ubuntu scponly[1516]: determined USER is "scponly-patched" from environment
Nov 2 09:26:40 ubuntu scponly[1516]: retrieved home directory of "/home/scponly-patched" for user "scponly-patched"
Nov 2 09:26:40 ubuntu scponly[1516]: chrooting to dir: "/home/scponly-patched"
Nov 2 09:26:40 ubuntu scponly[1516]: chdiring to dir: "/"
Nov 2 09:26:40 ubuntu scponly[1516]: setting uid to 1002
Nov 2 09:26:40 ubuntu scponly[1516]: processing request: "rsync --server -vvvvvvvvvre.iLsf . /incoming"
Nov 2 09:26:40 ubuntu scponly[1516]: Using getopt processing for cmd /usr/bin/rsync#012 (username: scponly-patched(1002), IP/port: ::1 36361 22)
Nov 2 09:26:40 ubuntu scponly[1516]: getopt processing returned '?' (username: scponly-patched(1002), IP/port: ::1 36361 22)
Nov 2 09:26:40 ubuntu scponly[1516]: last message repeated 10 times
Nov 2 09:26:40 ubuntu scponly[1516]: getopt processing returned 'e' (username: scponly-patched(1002), IP/port: ::1 36361 22)
Nov 2 09:26:40 ubuntu scponly[1516]: option 'e' or a related long option is not permitted for use with /usr/bin/rsync (arg was .iLsf) (username: scponly-patched(1002), IP/port: ::1 36361 22))
Nov 2 09:26:40 ubuntu scponly[1516]: requested command (/usr/bin/rsync --server -vvvvvvvvvre.iLsf . /incoming) tried to use disallowed argument (username: scponly-patched(1002), IP/port: ::1 36361 22))
Nov 2 09:26:40 ubuntu sshd[1515]: Received disconnect from ::1: 11: disconnected by user
Nov 2 09:26:40 ubuntu sshd[1500]: pam_unix(sshd:session): session closed for user scponly-patched

It appears that the current versions of scponly-full and rsync are not
mutually compatible as shipped today (in addition to having broken
chrooting due to bug 668366).

** Affects: scponly (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Scponly-full preventing rsync due to "-e" option
https://bugs.launchpad.net/bugs/670015
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
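
The getopt sequence in the logs above (eleven '?' results, then 'e' with argument `.iLsf`) can be reproduced with a small getopt_long model; this is an added example, not scponly's code and not part of the original report. rsync 3.x clients place `-e.<flags>` in the server-side argument list to advertise protocol capabilities rather than to name a remote shell; the option table, `is_capability_string` and `allow_rsync_request` are hypothetical names and an assumed policy for illustration.

```c
#include <ctype.h>
#include <getopt.h>
#include <stdio.h>

struct scan_result { int unknown; int e_count; const char *e_arg; };

/* Model of a getopt-based filter that only knows -e / --rsh (assumed table). */
struct scan_result scan_rsync_args(int argc, char **argv)
{
    static const struct option longopts[] = {
        {"rsh", required_argument, NULL, 'e'}, {NULL, 0, NULL, 0}
    };
    struct scan_result r = {0, 0, NULL};
    int c;

    optind = 0;  /* restart scanning on every call (glibc, musl) */
    opterr = 0;  /* keep getopt quiet about options it does not know */
    while ((c = getopt_long(argc, argv, "e:", longopts, NULL)) != -1) {
        if (c == 'e') { r.e_count++; r.e_arg = optarg; }
        else if (c == '?') r.unknown++;
    }
    return r;
}

/* Assumed policy: an -e value is a capability string only if it is
 * optional digits, a '.', then letters/digits and nothing else. */
int is_capability_string(const char *arg)
{
    if (arg == NULL) return 0;
    while (isdigit((unsigned char)*arg)) arg++;
    if (*arg++ != '.') return 0;
    while (isalnum((unsigned char)*arg)) arg++;
    return *arg == '\0';
}

/* 1 = pass the request on, 0 = reject it. */
int allow_rsync_request(int argc, char **argv)
{
    struct scan_result r = scan_rsync_args(argc, argv);
    return r.e_count == 0 || (r.e_count == 1 && is_capability_string(r.e_arg));
}

int main(void)
{
    /* argv of the request logged in the report above */
    char *req[] = {"rsync", "--server", "-vvvvvvvvvre.iLsf", ".", "/incoming", NULL};
    struct scan_result r = scan_rsync_args(5, req);
    printf("unknown=%d e_count=%d e_arg=%s allowed=%d\n",
           r.unknown, r.e_count, r.e_arg, allow_rsync_request(5, req));
    return 0;
}
```

A blanket reject of 'e' reproduces the failure in the report, while the narrower check still refuses `-e sh` and `--rsh=sh`, where the value names a program to run.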