On Sun, Oct 05, 2008 at 06:47:47AM +0200, Shachar Shemesh wrote:
> The reason this is brought up is because I'm using rssh
> (http://www.pizzashack.org/rssh/) as the user's shell to limit that
> user to only be allowed to run rsync.

I looked at the source, and created a patch to make it just require the
--server option as the first option.

While I was looking at the code, I noticed that the check_command()
function was busted in that it would accept any abbreviated path of a
command (e.g. "/usr/bin/rs" would match "/usr/bin/rsync").  The author
apparently didn't know that strncmp() stops at a null (unlike memcmp()),
so the length-trimming that is done can just be removed.  My patch fixes
that too.

..wayne..
--- a/util.c	2006-01-03 09:37:39 -0800
+++ b/util.c	2008-10-05 15:23:06 -0700
@@ -171,10 +171,6 @@ bool check_command( char *cl, ShellOptio
 		progname = basename(cmd);
 		altlen = strlen(progname);
 
-		/* make sure we don't compare more of the string than exists */
-		if ( cl_len < len ) len = cl_len;
-		if ( cl_len < altlen ) altlen = cl_len;
-
 		/* compare for match */
 		if ( (!(strncmp(cl, cmd, len)) && 
 					((isspace(cl[len]) || cl[len] == '\0')))
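Review bot: with the clamp removed, the `cl[len]` read in `(isspace(cl[len]) || cl[len] == '\0')` stays in bounds only because `&&` short-circuits when `cl` is shorter than `cmd` (strncmp() reaches cl's NUL, returns non-zero, and `cl[len]` is never touched); a one-line comment in place of the deleted one would make that dependency explicit, since reordering the two conditions later would reintroduce an out-of-bounds read. The same reasoning has to hold for the `altlen`/`progname` comparison that follows below this hunk, and `isspace(cl[len])` should be passed `(unsigned char)cl[len]` so bytes above 127 do not invoke undefined behaviour.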
@@ -229,19 +225,16 @@ char *check_command_line( char *cl, Shel
 	}
 
 	if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
-		/* filter -e option */
-		if ( opt_exist(cl, 'e') ){
-			fprintf(stderr, "\ninsecure -e option not allowed.");
-			log_msg("insecure -e option in rdist command line!");
+		/* --server option must be the first option */
+		char *cp = cl;
+		while (*cp && !isspace(*cp)) cp++;
+		while (isspace(*cp)) cp++;
+		if ( strncmp(cp, "--server", 8) != 0 || !isspace(cp[8]) ){
+			fprintf(stderr, "\ninvalid rsync-server command.");
+			log_msg("invalid rsync-server command!");
 			return NULL;
 		}
 		
-		if ( strstr(cl, "--rsh=" ) ){
-			fprintf(stderr, "\ninsecure --rsh= not allowed.");
-			log_msg("insecure --rsh option in rsync command line!");
-			return NULL;
-		}
-
 		return PATH_RSYNC;
 	}
 
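Review bot: the test `strncmp(cp, "--server", 8) != 0 || !isspace(cp[8])` also rejects a command line that ends right after `--server`, because `cp[8]` is then `'\0'` and `isspace('\0')` is false; if a bare `rsync --server` is meant to be refused (a real server invocation carries further options), the comment should say so, otherwise accept `cp[8] == '\0'` here the way check_command() does for the command word. Since the `-e` and `--rsh=` filters are dropped outright, this one check now carries the whole burden of keeping rsync from spawning anything; the comment should state the assumption it rests on, namely that `--server` mode never invokes a remote shell. Minor: `isspace(*cp)` and `isspace(cp[8])` should cast to `unsigned char`.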
-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
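The abbreviated-path match that the message describes and the patch's first-option rule, as an added C example (not rssh's own code; `cmd_matches_clamped`, `cmd_matches` and `first_option_is_server` are hypothetical stand-ins for rssh's check_command() and check_command_line(), and the sample command lines are constructed):

```c
/* Added example, not rssh code: reproduces the check_command() prefix-match
 * defect and the two fixes from the patch above. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Old behaviour: len is clamped to strlen(cl) before strncmp(), so a command
 * line that is a strict prefix of cmd ("/usr/bin/rs") is accepted. */
static bool cmd_matches_clamped(const char *cl, const char *cmd)
{
    size_t len = strlen(cmd), cl_len = strlen(cl);
    if (cl_len < len) len = cl_len;                 /* the removed clamp */
    return strncmp(cl, cmd, len) == 0 &&
           (isspace((unsigned char)cl[len]) || cl[len] == '\0');
}

/* Patched behaviour: strncmp() stops at the NUL of the shorter string, so a
 * short cl fails the compare and cl[len] is never read (&& short-circuits). */
static bool cmd_matches(const char *cl, const char *cmd)
{
    size_t len = strlen(cmd);
    return strncmp(cl, cmd, len) == 0 &&
           (isspace((unsigned char)cl[len]) || cl[len] == '\0');
}

/* Patched check_command_line() rule: the first option after the command
 * word must be "--server" followed by whitespace. */
static bool first_option_is_server(const char *cl)
{
    const char *cp = cl;
    while (*cp && !isspace((unsigned char)*cp)) cp++;   /* skip command word */
    while (isspace((unsigned char)*cp)) cp++;           /* skip separator   */
    return strncmp(cp, "--server", 8) == 0 && isspace((unsigned char)cp[8]);
}

int main(void)
{
    const char *cmd = "/usr/bin/rsync";
    printf("'/usr/bin/rs' old=%d new=%d\n",
           cmd_matches_clamped("/usr/bin/rs", cmd), cmd_matches("/usr/bin/rs", cmd));
    printf("'rsync --server --sender . /src' ok=%d\n",
           first_option_is_server("rsync --server --sender . /src"));
    printf("'rsync -v --server' ok=%d\n", first_option_is_server("rsync -v --server"));
    return 0;
}
```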