Re: --partial-dir=DIR

Fri, 23 Jul 2004 15:36:20 -0700 

I put a diff in the patches dir that implements the --partial-dir=DIR
option:

    http://rsync.samba.org/ftp/unpacked/rsync/patches/partial-dir.diff

This patch does not try to create the DIR unless it needs to use it to
store a partial file -- i.e. it doesn't change the behavior of the
writing of the temp file (specify --temp-dir for that).

If you specify a relative DIR value it creates the dir in the partial
file's parent dir.

If we use a file from the DIR as the basis file, it is removed when
we're done reading it.  Also, if the DIR value is relative, we would
(attempt to) remove the DIR too.

On Fri, Jul 23, 2004 at 03:07:00PM +1200, Jason Haar wrote:
> Sanity checks could include:
> 
> a. deleting temp file if it's date is different than src file (means
>    something weird has happened, so assume it's not there and start 
>    from scratch)

I didn't do this.  Intelligently choosing between the file in the
partial DIR and the normal destination file could be something added
later.  The current code just chooses the partial file if it is there.

> b. --partial-dir should have to be part of the dst tree - otherwise you
>    potentially have a security risk. e.g. "--partial-dir /tmp" would mean
>    someone could create /tmp/etc/passwd and you could end up overwriting your
>    /etc/passwd file

It doesn't have to be inside the destination tree, but it should be
secure (as you say "/tmp" is not a good choice) and it should be on the
same partition (so that a rename works).  I think that using a relative
directory should be safe:

    rsync -av --partial-dir=.partial-rsync host:/from/ /to

The current code doesn't double-check to ensure that the .partial-rsync
entry isn't really a symlink to some other directory, so that should be
added.  Someone creating their own .partial-rsync subdir and putting a
symlink to /etc/passwd in it (behind your back) wouldn't do anything bad
since rsync would rename a partial file over the symlink, not write to
it.  Perhaps the code should also refuse to use the partial dir if it is
not owned by the current user and mode 0700 (which is what the dir would
be if rsync created it).

..wayne..
-- 
To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

Reply via email to