Hi security-fellows, I applied recent rssh security updates to Debian 8 (jessie) and I noticed that it breaks Synology's "Hyper backup" tool (with rsync method).
The relevant log lines at my Debian server: Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync command line! Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute forbidden commands Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon . Is it really unsafe to issue a "rsync --server --daemon ." command so it deserves to be blocked?` PS: OS info: root@roman:~# cat /etc/debian_version 8.11 root@roman:~# dpkg -l rssh Deseado=desconocido(U)/Instalar/eliminaR/Purgar/retener(H) | Estado=No/Inst/ficheros-Conf/desempaqUetado/medio-conF/medio-inst(H)/espera-disparo(W)/pendienTe-disparo |/ Err?=(ninguno)/requiere-Reinst (Estado,Err: mayúsc.=malo) ||/ Nombre Versión Arquitectura Descripción +++-=====================================-=======================-=======================-================================================================================ ii rssh 2.3.4-4+deb8u2 amd64 Restricted shell allowing scp, sftp, cvs, svn, rsync or rdist PS2: I'm not suscribed to LTS-list, but I guess the problem may be both in stable and oldstable versions. Cheers, -Román
