==================================================================
  Please DO NOT REPLY to this mail or send email to the developers
  about this bug. Please follow-up to Bugzilla using this link:
    https://bugs.contribs.org/show_bug.cgi?id=9683

  Have you checked the Frequently Asked Questions (FAQ)?
    http://wiki.contribs.org/SME_Server:Documentation:FAQ

  Please also take the time to read the following useful guide:
    http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
==================================================================

            Bug ID: 9683
           Summary: anonymous access on share - broken dangerous behaviour
    Classification: Contribs
           Product: SME Contribs
           Version: 9.0
          Hardware: ---
                OS: ---
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-rsync
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]

The access permissions are not well handled and leave access open to any shared
folder with anonymous access enabled (while anonymous access could be set
there only for http, you might not want free browsing of source code with
rsync and ftp...).

Also, disabling rsyncd from the contribs does not seem to work,

and the global/local setting seems to be without purpose or is broken.

As a result, it is dangerous to have shared-folder and smeserver-rsync installed
at the same time on the same server, as it will give full access to your shares
if you try to give access to at least http in this folder.

=======================TEST=========
when rsyncd is set enabled

from localhost
# rsync localhost::toto
drwxrwx---          4,096 2016/07/20 23:39:31 .
drwxrwx---          4,096 2016/07/20 23:39:31 Recycle Bin
# rsync 192.168.80.49::toto
drwxrwx---          4,096 2016/07/20 23:39:31 .
drwxrwx---          4,096 2016/07/20 23:39:31 Recycle Bin


from remotehost on same network
# rsync 192.168.80.49::toto
drwxrwx---          4,096 2016/07/20 23:39:31 .
drwxrwx---          4,096 2016/07/20 23:39:31 Recycle Bin




when rsyncd is set disabled

from localhost
# rsync localhost::toto
@ERROR: access denied to toto from localhost (127.0.0.1)
rsync error: error starting client-server protocol (code 5) at main.c(1635)
[Receiver=3.1.1]
# rsync 192.168.80.49::toto
drwxrwx---          4,096 2016/07/20 23:39:31 .
drwxrwx---          4,096 2016/07/20 23:39:31 Recycle Bin


from remotehost on same network
# rsync 192.168.80.49::toto
drwxrwx---          4,096 2016/07/20 23:39:31 .
drwxrwx---          4,096 2016/07/20 23:39:31 Recycle Bin



This happens whether the share is set local or global.
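
The listings above show module toto being served without credentials. As an added example (not part of the bug report and not code from the smeserver-rsync contrib), this defender-side audit reads an rsyncd.conf and flags modules that have no `auth users` or are not confined by `hosts allow` / `hosts deny`. The sample configuration, its paths and the finding tags are constructed; `&include` / `&merge` directives and line continuations are not handled.

```python
import re
# Constructed sample config (not from the bug report); paths are placeholders.
SAMPLE_CONF = """\
hosts deny = *
[toto]
path = /srv/example/toto
hosts allow = *
[mirror]
path = /srv/example/mirror
hosts allow = 192.168.80.0/24
[backup]
path = /srv/example/backup
auth users = backupuser
secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.80.0/24
"""
WILDCARDS = {"*", "0.0.0.0/0"}

def parse(text):
    """Return (global defaults, {module: params}); names ignore case/whitespace."""
    defaults, modules, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            target = defaults if current is None else current
            target[re.sub(r"\s+", "", key).lower()] = value.strip()
    return defaults, modules

def open_to_any_host(params):
    """Allow is checked before deny; unmatched hosts pass unless deny is catch-all."""
    allow, deny = (set(re.split(r"[,\s]+", params.get(k, ""))) - {""}
                   for k in ("hostsallow", "hostsdeny"))
    if allow & WILDCARDS:
        return True   # wildcard allow matches every client
    if allow and not deny:
        return False  # allow list alone: non-matching hosts are rejected
    return not (deny & WILDCARDS)

def audit(text):
    defaults, modules = parse(text)
    report = {}
    for name, params in modules.items():
        eff = {**defaults, **params}  # module values override global defaults
        checks = {"anonymous": not eff.get("authusers"), "any-host": open_to_any_host(eff)}
        report[name] = [tag for tag, hit in checks.items() if hit]
    return report
```

A module tagged with both `anonymous` and `any-host` matches the exposure shown in the test listings: any client that can reach the daemon can list it.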
