1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
|
http://rsync.samba.org/ftp/rsync/munge-symlinks-2.6.9.diff
http://bugs.gentoo.org/200821
--- rsync-2.6.9/clientserver.c 2006-10-23 17:36:42.000000000 -0700
+++ ./clientserver.c 2007-11-26 21:32:53.000000000 -0800
@@ -55,6 +55,7 @@ extern struct filter_list_struct server_
char *auth_user;
int read_only = 0;
int module_id = -1;
+int munge_symlinks = 0;
struct chmod_mode_struct *daemon_chmod_modes;
/* Length of lp_path() string when in daemon mode & not chrooted, else 0. */
@@ -524,6 +525,18 @@ static int rsync_module(int f_in, int f_
sanitize_paths = 1;
}
+ if ((munge_symlinks = lp_munge_symlinks(i)) < 0)
+ munge_symlinks = !use_chroot;
+ if (munge_symlinks) {
+ STRUCT_STAT st;
+ if (stat(SYMLINK_PREFIX, &st) == 0 && S_ISDIR(st.st_mode)) {
+ rprintf(FLOG, "Symlink munging is unsupported when a %s directory exists.\n",
+ SYMLINK_PREFIX);
+ io_printf(f_out, "@ERROR: daemon security issue -- contact admin\n", name);
+ exit_cleanup(RERR_UNSUPPORTED);
+ }
+ }
+
if (am_root) {
/* XXXX: You could argue that if the daemon is started
* by a non-root user and they explicitly specify a
--- rsync-2.6.9/flist.c 2006-10-13 18:17:36.000000000 -0700
+++ ./flist.c 2007-11-27 12:56:25.000000000 -0800
@@ -53,6 +53,7 @@ extern int copy_links;
extern int copy_unsafe_links;
extern int protocol_version;
extern int sanitize_paths;
+extern int munge_symlinks;
extern struct stats stats;
extern struct file_list *the_file_list;
@@ -174,6 +175,11 @@ static int readlink_stat(const char *pat
}
return do_stat(path, stp);
}
+ if (munge_symlinks && am_sender && llen > SYMLINK_PREFIX_LEN
+ && strncmp(linkbuf, SYMLINK_PREFIX, SYMLINK_PREFIX_LEN) == 0) {
+ memmove(linkbuf, linkbuf + SYMLINK_PREFIX_LEN,
+ llen - SYMLINK_PREFIX_LEN + 1);
+ }
}
return 0;
#else
@@ -591,6 +597,8 @@ static struct file_struct *receive_file_
linkname_len - 1);
overflow_exit("receive_file_entry");
}
+ if (munge_symlinks)
+ linkname_len += SYMLINK_PREFIX_LEN;
}
else
#endif
@@ -658,10 +666,17 @@ static struct file_struct *receive_file_
#ifdef SUPPORT_LINKS
if (linkname_len) {
file->u.link = bp;
+ if (munge_symlinks) {
+ strlcpy(bp, SYMLINK_PREFIX, linkname_len);
+ bp += SYMLINK_PREFIX_LEN;
+ linkname_len -= SYMLINK_PREFIX_LEN;
+ }
read_sbuf(f, bp, linkname_len - 1);
- if (sanitize_paths)
+ if (sanitize_paths && !munge_symlinks) {
sanitize_path(bp, bp, "", lastdir_depth, NULL);
- bp += linkname_len;
+ bp += strlen(bp) + 1;
+ } else
+ bp += linkname_len;
}
#endif
--- rsync-2.6.9/loadparm.c 2006-10-12 23:49:44.000000000 -0700
+++ ./loadparm.c 2007-11-26 11:46:46.000000000 -0800
@@ -153,6 +153,7 @@ typedef struct
BOOL ignore_errors;
BOOL ignore_nonreadable;
BOOL list;
+ BOOL munge_symlinks;
BOOL read_only;
BOOL strict_modes;
BOOL transfer_logging;
@@ -200,6 +201,7 @@ static service sDefault =
/* ignore_errors; */ False,
/* ignore_nonreadable; */ False,
/* list; */ True,
+ /* munge_symlinks; */ (BOOL)-1,
/* read_only; */ True,
/* strict_modes; */ True,
/* transfer_logging; */ False,
@@ -313,6 +315,7 @@ static struct parm_struct parm_table[] =
{"log format", P_STRING, P_LOCAL, &sDefault.log_format, NULL,0},
{"max connections", P_INTEGER,P_LOCAL, &sDefault.max_connections, NULL,0},
{"max verbosity", P_INTEGER,P_LOCAL, &sDefault.max_verbosity, NULL,0},
+ {"munge symlinks", P_BOOL, P_LOCAL, &sDefault.munge_symlinks, NULL,0},
{"name", P_STRING, P_LOCAL, &sDefault.name, NULL,0},
{"outgoing chmod", P_STRING, P_LOCAL, &sDefault.outgoing_chmod, NULL,0},
{"path", P_PATH, P_LOCAL, &sDefault.path, NULL,0},
@@ -415,6 +418,7 @@ FN_LOCAL_INTEGER(lp_timeout, timeout)
FN_LOCAL_BOOL(lp_ignore_errors, ignore_errors)
FN_LOCAL_BOOL(lp_ignore_nonreadable, ignore_nonreadable)
FN_LOCAL_BOOL(lp_list, list)
+FN_LOCAL_BOOL(lp_munge_symlinks, munge_symlinks)
FN_LOCAL_BOOL(lp_read_only, read_only)
FN_LOCAL_BOOL(lp_strict_modes, strict_modes)
FN_LOCAL_BOOL(lp_transfer_logging, transfer_logging)
--- rsync-2.6.9/proto.h 2006-11-06 20:39:47.000000000 -0800
+++ ./proto.h 2007-11-27 13:15:23.000000000 -0800
@@ -176,6 +176,7 @@ int lp_timeout(int );
BOOL lp_ignore_errors(int );
BOOL lp_ignore_nonreadable(int );
BOOL lp_list(int );
+BOOL lp_munge_symlinks(int );
BOOL lp_read_only(int );
BOOL lp_strict_modes(int );
BOOL lp_transfer_logging(int );
--- rsync-2.6.9/rsync.h 2006-10-23 20:31:30.000000000 -0700
+++ ./rsync.h 2007-11-26 21:34:11.000000000 -0800
@@ -33,6 +33,9 @@
#define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock"
#define URL_PREFIX "rsync://"
+#define SYMLINK_PREFIX "/rsyncd-munged/"
+#define SYMLINK_PREFIX_LEN ((int)sizeof SYMLINK_PREFIX - 1)
+
#define BACKUP_SUFFIX "~"
/* a non-zero CHAR_OFFSET makes the rolling sum stronger, but is
--- rsync-2.6.9/rsyncd.conf.5 2006-11-06 20:39:52.000000000 -0800
+++ ./rsyncd.conf.5 2007-11-27 13:15:23.000000000 -0800
@@ -145,12 +145,15 @@ the advantage of extra protection agains
holes, but it has the disadvantages of requiring super-user privileges,
of not being able to follow symbolic links that are either absolute or outside
of the new root path, and of complicating the preservation of usernames and groups
-(see below)\&. When "use chroot" is false, for security reasons,
-symlinks may only be relative paths pointing to other files within the root
-path, and leading slashes are removed from most absolute paths (options
-such as \fB\-\-backup\-dir\fP, \fB\-\-compare\-dest\fP, etc\&. interpret an absolute path as
-rooted in the module\&'s "path" dir, just as if chroot was specified)\&.
-The default for "use chroot" is true\&.
+(see below)\&. When "use chroot" is false, rsync will: (1) munge symlinks by
+default for security reasons (see "munge symlinks" for a way to turn this
+off, but only if you trust your users), (2) substitute leading slashes in
+absolute paths with the module\&'s path (so that options such as
+\fB\-\-backup\-dir\fP, \fB\-\-compare\-dest\fP, etc\&. interpret an absolute path as
+rooted in the module\&'s "path" dir), and (3) trim "\&.\&." path elements from
+args if rsync believes they would escape the chroot\&.
+The default for "use chroot" is true, and is the safer choice (especially
+if the module is not read-only)\&.
.IP
In order to preserve usernames and groupnames, rsync needs to be able to
use the standard library functions for looking up names and IDs (i\&.e\&.
@@ -181,6 +184,41 @@ access to some of the excluded files ins
do this automatically, but you might as well specify both to be extra
sure)\&.
.IP
+.IP "\fBmunge symlinks\fP"
+The "munge symlinks" option tells rsync to modify
+all incoming symlinks in a way that makes them unusable but recoverable
+(see below)\&. This should help protect your files from user trickery when
+your daemon module is writable\&. The default is disabled when "use chroot"
+is on and enabled when "use chroot" is off\&.
+.IP
+If you disable this option on a daemon that is not read-only, there
+are tricks that a user can play with uploaded symlinks to access
+daemon-excluded items (if your module has any), and, if "use chroot"
+is off, rsync can even be tricked into showing or changing data that
+is outside the module\&'s path (as access-permissions allow)\&.
+.IP
+The way rsync disables the use of symlinks is to prefix each one with
+the string "/rsyncd-munged/"\&. This prevents the links from being used
+as long as that directory does not exist\&. When this option is enabled,
+rsync will refuse to run if that path is a directory or a symlink to
+a directory\&. When using the "munge symlinks" option in a chroot area,
+you should add this path to the exclude setting for the module so that
+the user can\&'t try to create it\&.
+.IP
+Note: rsync makes no attempt to verify that any pre-existing symlinks in
+the hierarchy are as safe as you want them to be\&. If you setup an rsync
+daemon on a new area or locally add symlinks, you can manually protect your
+symlinks from being abused by prefixing "/rsyncd-munged/" to the start of
+every symlink\&'s value\&. There is a perl script in the support directory
+of the source code named "munge-symlinks" that can be used to add or remove
+this prefix from your symlinks\&.
+.IP
+When this option is disabled on a writable module and "use chroot" is off,
+incoming symlinks will be modified to drop a leading slash and to remove "\&.\&."
+path elements that rsync believes will allow a symlink to escape the module\&'s
+hierarchy\&. There are tricky ways to work around this, though, so you had
+better trust your users if you choose this combination of options\&.
+.IP
.IP "\fBmax connections\fP"
The "max connections" option allows you to
specify the maximum number of simultaneous connections you will allow\&.
--- rsync-2.6.9/rsyncd.conf.yo 2006-11-06 20:39:47.000000000 -0800
+++ ./rsyncd.conf.yo 2007-11-27 13:14:07.000000000 -0800
@@ -129,12 +129,15 @@ the advantage of extra protection agains
holes, but it has the disadvantages of requiring super-user privileges,
of not being able to follow symbolic links that are either absolute or outside
of the new root path, and of complicating the preservation of usernames and groups
-(see below). When "use chroot" is false, for security reasons,
-symlinks may only be relative paths pointing to other files within the root
-path, and leading slashes are removed from most absolute paths (options
-such as bf(--backup-dir), bf(--compare-dest), etc. interpret an absolute path as
-rooted in the module's "path" dir, just as if chroot was specified).
-The default for "use chroot" is true.
+(see below). When "use chroot" is false, rsync will: (1) munge symlinks by
+default for security reasons (see "munge symlinks" for a way to turn this
+off, but only if you trust your users), (2) substitute leading slashes in
+absolute paths with the module's path (so that options such as
+bf(--backup-dir), bf(--compare-dest), etc. interpret an absolute path as
+rooted in the module's "path" dir), and (3) trim ".." path elements from
+args if rsync believes they would escape the chroot.
+The default for "use chroot" is true, and is the safer choice (especially
+if the module is not read-only).
In order to preserve usernames and groupnames, rsync needs to be able to
use the standard library functions for looking up names and IDs (i.e.
@@ -158,6 +161,40 @@ access to some of the excluded files ins
do this automatically, but you might as well specify both to be extra
sure).
+dit(bf(munge symlinks)) The "munge symlinks" option tells rsync to modify
+all incoming symlinks in a way that makes them unusable but recoverable
+(see below). This should help protect your files from user trickery when
+your daemon module is writable. The default is disabled when "use chroot"
+is on and enabled when "use chroot" is off.
+
+If you disable this option on a daemon that is not read-only, there
+are tricks that a user can play with uploaded symlinks to access
+daemon-excluded items (if your module has any), and, if "use chroot"
+is off, rsync can even be tricked into showing or changing data that
+is outside the module's path (as access-permissions allow).
+
+The way rsync disables the use of symlinks is to prefix each one with
+the string "/rsyncd-munged/". This prevents the links from being used
+as long as that directory does not exist. When this option is enabled,
+rsync will refuse to run if that path is a directory or a symlink to
+a directory. When using the "munge symlinks" option in a chroot area,
+you should add this path to the exclude setting for the module so that
+the user can't try to create it.
+
+Note: rsync makes no attempt to verify that any pre-existing symlinks in
+the hierarchy are as safe as you want them to be. If you setup an rsync
+daemon on a new area or locally add symlinks, you can manually protect your
+symlinks from being abused by prefixing "/rsyncd-munged/" to the start of
+every symlink's value. There is a perl script in the support directory
+of the source code named "munge-symlinks" that can be used to add or remove
+this prefix from your symlinks.
+
+When this option is disabled on a writable module and "use chroot" is off,
+incoming symlinks will be modified to drop a leading slash and to remove ".."
+path elements that rsync believes will allow a symlink to escape the module's
+hierarchy. There are tricky ways to work around this, though, so you had
+better trust your users if you choose this combination of options.
+
dit(bf(max connections)) The "max connections" option allows you to
specify the maximum number of simultaneous connections you will allow.
Any clients connecting when the maximum has been reached will receive a
--- rsync-2.6.9/support/munge-symlinks 1969-12-31 16:00:00.000000000 -0800
+++ ./support/munge-symlinks 2007-11-26 22:04:26.000000000 -0800
@@ -0,0 +1,60 @@
+#!/usr/bin/perl
+# This script will either prefix all symlink values with the string
+# "/rsyncd-munged/" or remove that prefix.
+
+use strict;
+use Getopt::Long;
+
+my $SYMLINK_PREFIX = '/rsyncd-munged/';
+
+my $munge_opt;
+
+&GetOptions(
+ 'munge' => sub { $munge_opt = 1 },
+ 'unmunge' => sub { $munge_opt = 0 },
+ 'all' => \( my $all_opt ),
+ 'help|h' => \( my $help_opt ),
+) or &usage;
+
+&usage if $help_opt || !defined $munge_opt;
+
+my $munged_re = $all_opt ? qr/^($SYMLINK_PREFIX)+(?=.)/ : qr/^$SYMLINK_PREFIX(?=.)/;
+
+push(@ARGV, '.') unless @ARGV;
+
+open(PIPE, '-|', 'find', @ARGV, '-type', 'l') or die $!;
+
+while (<PIPE>) {
+ chomp;
+ my $lnk = readlink($_) or next;
+ if ($munge_opt) {
+ next if !$all_opt && $lnk =~ /$munged_re/;
+ $lnk =~ s/^/$SYMLINK_PREFIX/;
+ } else {
+ next unless $lnk =~ s/$munged_re//;
+ }
+ if (!unlink($_)) {
+ warn "Unable to unlink symlink: $_ ($!)\n";
+ } elsif (!symlink($lnk, $_)) {
+ warn "Unable to recreate symlink: $_ -> $lnk ($!)\n";
+ } else {
+ print "$_ -> $lnk\n";
+ }
+}
+
+close PIPE;
+exit;
+
+sub usage
+{
+ die <<EOT;
+Usage: munge-symlinks --munge|--unmunge [--all] [DIR|SYMLINK...]
+
+--munge Add the $SYMLINK_PREFIX prefix to symlinks if not already
+ present, or always when combined with --all.
+--unmunge Remove one $SYMLINK_PREFIX prefix from symlinks or all
+ such prefixes with --all.
+
+See the "munge symlinks" option in the rsyncd.conf manpage for more details.
+EOT
+}
--- rsync-2.6.9/testsuite/rsync.fns 2006-05-30 11:26:17.000000000 -0700
+++ ./testsuite/rsync.fns 2007-11-26 11:49:35.000000000 -0800
@@ -231,6 +231,7 @@ build_rsyncd_conf() {
pid file = $pidfile
use chroot = no
+munge symlinks = no
hosts allow = localhost 127.0.0.1 $hostname
log file = $logfile
log format = %i %h [%a] %m (%u) %l %f%L
|
GitWeb