Thanks Russ. I should really put up a FAQ about this, so you don't have to keep answering this question... =8^)
[Though, if people would just take a moment to actually search for the answer...] http://lmgtfy.com/?q=rssh+rsync+3 -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0x81CFE75D On Tue, Sep 24, 2013 at 12:46:21PM -0700, Russ Allbery wrote: > Andrew Daviel <ad...@triumf.ca> writes: > > > We have a server with rssh-2.2.3 on CentOS 3, and tried connecting with > > rsync-3.0.6 from CentOS 5. > > > I get "insecure -e option not allowed". > > When I look a the source for rsync, I find it's adding "-e.s" for some > > reason but I can fix that by using --protocol=26. > > > I tried building the current version of rssh (2.3.4-1) thinking that maybe > > the problem was fixed. But it's actually worse. > > > I don't know why rsync is sending "--sender" etc., but it's the standard > > RedHat version of rsync. I'm guessing that rssh is not parsing long options > > properly and is just finding 'e' in --server. > > > Seeing as rsync is one of the documented commands that works with rssh, > > I'm wondering what's going on. > > I see that Sourceforge has completely broken their mailing list archives > so that you can't retrieve the content of previous list messages or I > would point you at the previous discussion of this. > > You need patches in order to work with the latest rsync. They reused the > -e option in a very unfortunate way to specify protocol information, and > it's quite tricky to ensure that the running command is still secure. > > Debian (and I believe some others) are using the attached, which is > against 2.3.4. (I would point you to the Debian patch tracker, but it's > down at the moment; the link at: > > http://patch-tracker.debian.org/package/rssh/2.3.3-6 > > has the patch set against 2.3.3, which includes the security fix in 2.3.4, > but that's not as clean as the patches based on 2.3.4 directly.) > > -- > Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/> > > From: Russ Allbery <r...@stanford.edu> > Subject: [PATCH] Handle the rsync v3 -e option for protocol information > > As of rsync 3, rsync reused the -e option to pass protocol information > from the client to the server. We therefore cannot reject all -e > options to rsync, only ones not sent with --server or containing > something other than protocol information as an argument. > > Also scan the rsync command line for any --rsh option and reject it as > well. This replaces and improves the upstream strategy for rejecting > that command-line option, taking advantage of the parsing added to > check the -e option. > > Based on work by Robert Hardy. > > Debian Bug#471803 > > Signed-off-by: Russ Allbery <r...@stanford.edu> > > --- > util.c | 80 > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++------- > 1 file changed, 72 insertions(+), 8 deletions(-) > > diff --git a/util.c b/util.c > index f98d2bc..a257b06 100644 > --- a/util.c > +++ b/util.c > @@ -56,6 +56,7 @@ > #ifdef HAVE_LIBGEN_H > #include <libgen.h> > #endif /* HAVE_LIBGEN_H */ > +#include <regex.h> > > /* LOCAL INCLUDES */ > #include "pathnames.h" > @@ -198,6 +199,73 @@ bool check_command( char *cl, ShellOptions_t *opts, char > *cmd, int cmdflag ) > > > /* > + * rsync_e_okay() - take the command line passed to rssh and look for an -e > + * option. If one is found, make sure --server is provided > + * and the option contains only the protocol information. > + * Also check for and reject any --rsh option. Returns FALSE > + * if the command line should not be allowed, TRUE if it is > + * okay. > + */ > +static int rsync_e_okay( char **vec ) > +{ > + regex_t re; > + int server = FALSE; > + int e_found = FALSE; > + > + /* > + * rsync will send -e, followed by either just "." (meaning no special > + * protocol) or "N.N" (meaning a pre-release protocol version), > + * followed by some number of alphabetic flags indicating various > + * supported options. There may be other options between - and the e, > + * but -e will always be the last option in the string. A typical > + * option passed by the client is "-ltpre.iL". > + * > + * Note that if --server is given, this should never be parsed as a > + * shell, but we'll tightly verify it anyway, just in case. > + * > + * This regex matches the acceptable flags containing -e, so if it > + * does not match, the command line should be rejected. > + */ > + static const char pattern[] > + = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$"; > + > + /* > + * Only recognize --server if it's the first option. rsync itself > + * always passes it that way, and if it's not the first argument, it > + * could be hidden from the server as an argument to some other > + * option. > + */ > + if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){ > + server = TRUE; > + } > + > + /* Check the remaining options for -e or --rsh. */ > + if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){ > + return FALSE; > + } > + while (vec && *vec){ > + if ( strcmp(*vec, "--") == 0 ) break; > + if ( strcmp(*vec, "--rsh") == 0 > + || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){ > + regfree(&re); > + return FALSE; > + } > + if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){ > + e_found = TRUE; > + if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){ > + regfree(&re); > + return FALSE; > + } > + } > + vec++; > + } > + regfree(&re); > + if ( e_found && !server ) return FALSE; > + return TRUE; > +} > + > + > +/* > * check_command_line() - take the command line passed to rssh, and verify > * that the specified command is one the user is > * allowed to run and validate the arguments. Return the > @@ -230,14 +298,10 @@ char *check_command_line( char **cl, ShellOptions_t > *opts ) > > if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ > /* filter -e option */ > - if ( opt_filter(cl, 'e') ) return NULL; > - while (cl && *cl){ > - if ( strstr(*cl, "--rsh" ) ){ > - fprintf(stderr, "\ninsecure --rsh= not > allowed."); > - log_msg("insecure --rsh option in rsync command > line!"); > - return NULL; > - } > - cl++; > + if ( !rsync_e_okay(cl) ){ > + fprintf(stderr, "\ninsecure -e or --rsh option not > allowed."); > + log_msg("insecure -e or --rsh option in rsync command > line!"); > + return NULL; > } > return PATH_RSYNC; > } > -- > tg: (f8b36e2..) fixes/rsync-protocol (depends on: upstream) > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk > _______________________________________________ > rssh-discuss mailing list > rssh-discuss@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/rssh-discuss
pgpfk3CPm0GYF.pgp
Description: PGP signature
------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
_______________________________________________ rssh-discuss mailing list rssh-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rssh-discuss
