[Bug 15122] New: Potential vulnerability: rsync creates files outside the target directory
https://bugzilla.samba.org/show_bug.cgi?id=15122 Bug ID: 15122 Summary: Potential vulnerability: rsync creates files outside the target directory Product: rsync Version: 3.2.0 Hardware: All OS: Linux Status: NEW Severity: normal Priority: P5 Component: core Assignee: wa...@opencoder.net Reporter: azb...@psu.edu QA Contact: rsync...@samba.org Target Milestone: --- Created attachment 17422 --> https://bugzilla.samba.org/attachment.cgi?id=17422=edit POC of vulnerability The problem arises when trying to copy from a "case-sensitive" source to a "case-insensitive" target. The copy involves directories, files, and symbolic links (to directories). A maliciously crafted source directory can result in rsync following symbolic links and writing data outside the target directory. For a concrete example, consider the following source directory structure: SRC/ topdir/ secret (symlink to /tmp) TOPDIR/ secret/ config (file) We use rsync to recursively copy from SRC/ to TARGET/. Command: "rsync -a SRC/ TARGET/" Additionally, TARGET/ is on case-insensitive filesystem. Problem: During the copy, rsync creates the TOPDIR/secret/config (file) by following the symbolic link "topdir/secret". Hence, /tmp/config is created by rsync. We found a flag called: --copy-links which makes rsync follow symlinks at source before doing the copy. However, my understanding is that rsync should not follow symbolic links at the target, esp. the symbolic links it creates. I have attached a POC script that demonstrates this behavior. I have tested it on rsync versions 3.2.3 and 3.1.3. Compiling the latest version (3.2.4) of rsync results in an error during the ./configure step. Hence, I could not test it. Running Proof of concept script: The script requires two command line arguments: - Argument 1 = any empty case-sensitive directory - Argument 2 = any empty case-insensitive directory Example of invoking script for WSL: ./rsync-poc.sh ~/src /mnt/c/Users/xyz/dst -- You are receiving this mail because: You are the QA Contact for the bug. -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
Re: do I always have to use either --checksum or --times ?
You should almost never use --checksum. It is slower than just re-copying everything. You should almost always use --times (or --archive which includes --times). Without this rsync is almost as dumb as cp. Also, ssh has been the default --ssh for a long time. On 7/14/22 04:22, Fourhundred Thecat via rsync wrote: Hello, I want to sync local folder to remote server. When I run follwing command repeatedly, it always transfers everything each time again and again: rsync --rsh='ssh' foo/ server:/foo/ does it mean I have to always use either --checksum or --times, to prevent repeated transfer of files that have not changed ? thank you, -- ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._., Kevin Korb Phone:(407) 252-6853 Systems Administrator Internet: FutureQuest, Inc. ke...@futurequest.net (work) Orlando, Floridak...@sanitarium.net (personal) Web page: https://sanitarium.net/ PGP public key available on web site. ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._., -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
do I always have to use either --checksum or --times ?
Hello, I want to sync local folder to remote server. When I run follwing command repeatedly, it always transfers everything each time again and again: rsync --rsh='ssh' foo/ server:/foo/ does it mean I have to always use either --checksum or --times, to prevent repeated transfer of files that have not changed ? thank you, -- Please use reply-all for most replies to avoid omitting the mailing list. To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
