This patch adds the --munge-links option, which works like the daemon's "munge symlinks" parameter. To use this patch, run these commands for a successful build: patch -p1 0; ) diff --git a/pipe.c b/pipe.c --- a/pipe.c +++ b/pipe.c @@ -26,6 +26,7 @@ extern int am_sender; extern int am_server; extern int blocking_io; extern int filesfrom_fd; +extern int munge_symlinks; extern mode_t orig_umask; extern char *logfile_name; extern int remote_option_cnt; @@ -133,6 +134,7 @@ pid_t local_child(int argc, char **argv, int *f_in, int *f_out, am_sender = 0; am_server = 1; filesfrom_fd = -1; + munge_symlinks = 0; /* Each side needs its own option. */ chmod_modes = NULL; /* Let the sending side handle this. */ /* Let the client side handle this. */ diff --git a/rsync.h b/rsync.h --- a/rsync.h +++ b/rsync.h @@ -32,7 +32,7 @@ #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock" #define URL_PREFIX "rsync://" -#define SYMLINK_PREFIX "/rsyncd-munged/" +#define SYMLINK_PREFIX "/rsyncd-munged/" /* This MUST have a trailing slash! */ #define SYMLINK_PREFIX_LEN ((int)sizeof SYMLINK_PREFIX - 1) #define BACKUP_SUFFIX "~" diff --git a/rsync.yo b/rsync.yo --- a/rsync.yo +++ b/rsync.yo @@ -338,6 +338,7 @@ to the detailed description below for a complete description. verb( -L, --copy-links transform symlink into referent file/dir --copy-unsafe-links only "unsafe" symlinks are transformed --safe-links ignore symlinks that point outside the tree + --munge-links munge symlinks to make them safer -k, --copy-dirlinks transform symlink to dir into referent dir -K, --keep-dirlinks treat symlinked dir on receiver as dir -H, --hard-links preserve hard links @@ -795,6 +796,25 @@ which point outside the copied tree. All absolute symlinks are also ignored. Using this option in conjunction with bf(--relative) may give unexpected results. +dit(bf(--munge-links)) This option tells rsync to (1) modify all symlinks on +the receiving side in a way that makes them unusable but recoverable (see +below), or (2) to unmunge symlinks on the sending side that had been stored in +a munged state. This is useful if you don't quite trust the source of the data +to not try to slip in a symlink to a unexpected place. + +The way rsync disables the use of symlinks is to prefix each one with the +string "/rsyncd-munged/". This prevents the links from being used as long as +that directory does not exist. When this option is enabled, rsync will refuse +to run if that path is a directory or a symlink to a directory. + +The option only affects the client side of the transfer, so if you need it to +affect the server, specify it via bf(--remote-option). (Note that in a local +transfer, the client side is the sender.) + +This option has no affect on a daemon, since the daemon configures whether it +wants munged symlinks via its "munge symlinks" parameter. See also the +"munge-symlinks" perl script in the support directory of the source code. + dit(bf(-k, --copy-dirlinks)) This option causes the sending side to treat a symlink to a directory as though it were a real directory. This is useful if you don't want symlinks to non-directories to be affected, as diff --git a/rsyncd.conf.yo b/rsyncd.conf.yo --- a/rsyncd.conf.yo +++ b/rsyncd.conf.yo @@ -191,8 +191,9 @@ to translate names, and that it is not possible for a user to change those resources. dit(bf(munge symlinks)) This parameter tells rsync to modify -all incoming symlinks in a way that makes them unusable but recoverable -(see below). This should help protect your files from user trickery when +all symlinks in the same way as the (non-daemon-affecting) +bf(--munge-links) command-line option (using a method described below). +This should help protect your files from user trickery when your daemon module is writable. The default is disabled when "use chroot" is on and the inside-chroot path is "/", otherwise it is enabled.