X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/1d8638ce868edf570b1195999f57bc8516c49e5b..9585b27678ee8b94f2f260e8d8d61ff4381f2fa3:/rsyncd.conf.yo diff --git a/rsyncd.conf.yo b/rsyncd.conf.yo index f12985e7..052ccc7e 100644 --- a/rsyncd.conf.yo +++ b/rsyncd.conf.yo @@ -1,5 +1,5 @@ mailto(rsync-bugs@samba.org) -manpage(rsyncd.conf)(5)(26 Oct 2007)()() +manpage(rsyncd.conf)(5)(8 Nov 2007)()() manpagename(rsyncd.conf)(configuration file for rsync in daemon mode) manpagesynopsis() @@ -130,12 +130,15 @@ the advantage of extra protection against possible implementation security holes, but it has the disadvantages of requiring super-user privileges, of not being able to follow symbolic links that are either absolute or outside of the new root path, and of complicating the preservation of usernames and groups -(see below). When "use chroot" is false, for security reasons, -symlinks may only be relative paths pointing to other files within the root -path, and leading slashes are removed from most absolute paths (options -such as bf(--backup-dir), bf(--compare-dest), etc. interpret an absolute path as -rooted in the module's "path" dir, just as if chroot was specified). -The default for "use chroot" is true. +(see below). When "use chroot" is false, rsync will: (1) munge symlinks by +default for security reasons (see "munge symlinks" for a way to turn this +off, but only if you trust your users), (2) substitute leading slashes in +absolute paths with the module's path (so that options such as +bf(--backup-dir), bf(--compare-dest), etc. interpret an absolute path as +rooted in the module's "path" dir), and (3) trim ".." path elements from +args if rsync believes they would escape the chroot. +The default for "use chroot" is true, and is the safer choice (especially +if the module is not read-only). In order to preserve usernames and groupnames, rsync needs to be able to use the standard library functions for looking up names and IDs (i.e. @@ -159,6 +162,34 @@ access to some of the excluded files inside the directory (rsync tries to do this automatically, but you might as well specify both to be extra sure). +dit(bf(munge symlinks)) The "munge symlinks" option tells rsync to modify +all incoming symlinks in a way that makes them unusable but recoverable +(see below). This should help protect your files from user trickery when +your daemon module is writable. The default is disabled when "use chroot" +is on and enabled when "use chroot" is off. + +If you disable this option on a daemon that is not read-only, there +are tricks that a user can play with uploaded symlinks to access +daemon-excluded items (if your module has any), and, if "use chroot" +is off, rsync can even be tricked into showing or changing data that +is outside the module's path (as access-permissions allow). + +The way rsync disables the use of symlinks is to prefix each one with +the string "/rsyncd-munged/". This prevents the links from being used +as long as that directory does not exist. When this option is enabled, +rsync will refuse to run if that path is a directory or a symlink to +a directory. When using the "munge symlinks" option in a chroot area, +you should add this path to the exclude setting for the module so that +the user can't try to create it. + +Note: rsync makes no attempt to verify that any pre-existing symlinks in +the hierarchy are as safe as you want them to be. If you setup an rsync +daemon on a new area or locally add symlinks, you can manually protect your +symlinks from being abused by prefixing "/rsyncd-munged/" to the start of +every symlink's value. There is a perl script in the support directory +of the source code named "munge-symlinks" that can be used to add or remove +this prefix from your symlinks. + dit(bf(max connections)) The "max connections" option allows you to specify the maximum number of simultaneous connections you will allow. Any clients connecting when the maximum has been reached will receive a @@ -614,7 +645,7 @@ url(http://rsync.samba.org/)(http://rsync.samba.org/) manpagesection(VERSION) -This man page is current for version 3.0.0pre3 of rsync. +This man page is current for version 3.0.0pre5 of rsync. manpagesection(CREDITS)