translation is not desired. See the daemon's "numeric ids" parameter
for full details.
+ - A chroot daemon can now indicate which part of its path should affect the
+ chroot call, and which part should become an inside-chroot path for the
+ module. This allows you to have outside-the-transfer paths (such as for
+ libraries) even when you enable chroot protection.
+
- If a file's data arrived successfully on the receiving side but the
rename of the temporary file to the destination file failed AND the
--remove-source-files (or the deprecated --remove-sent-files) option
struct chmod_mode_struct *daemon_chmod_modes;
/* module_dirlen is the length of the module_dir string when in daemon
- * mode, not chrooted, and the path is not "/"; otherwise 0. */
+ * mode and module_dir is not "/"; otherwise 0. (Note that a chroot-
+ * enabled module can have a non-"/" module_dir these days.) */
char *module_dir = NULL;
unsigned int module_dirlen = 0;
static int rsync_module(int f_in, int f_out, int i, char *addr, char *host)
{
int argc, opt_cnt;
- char **argv;
+ char **argv, *chroot_path = NULL;
char line[BIGPATHBUFLEN];
uid_t uid = (uid_t)-2; /* canonically "nobody" */
gid_t gid = (gid_t)-2;
* to make sure that the module's path is absolute. After this
* check, module_dir will be set to an absolute path. */
module_dir = lp_path(i);
+ if (use_chroot) {
+ if ((p = strstr(module_dir, "/./")) != NULL) {
+ *p = '\0';
+ p += 2;
+ } else if ((p = strdup("/")) == NULL)
+ out_of_memory("rsync_module");
+ }
+
strlcpy(line, curr_dir, sizeof line);
if (!push_dir(module_dir, 1))
goto chdir_failed;
- if (strcmp(curr_dir, module_dir) != 0)
- module_dir = strdup(curr_dir);
+ if (strcmp(curr_dir, module_dir) != 0
+ && (module_dir = strdup(curr_dir)) == NULL)
+ out_of_memory("rsync_module");
push_dir(line, 1); /* Restore curr_dir. */
- if (use_chroot || (module_dirlen = strlen(module_dir)) == 1) {
+ if (use_chroot) {
+ chroot_path = module_dir;
+ module_dir = p; /* p is "/" or our inside-chroot path */
+ }
+ module_dirlen = clean_fname(module_dir, CFN_COLLAPSE_DOT_DOT_DIRS | CFN_DROP_TRAILING_DOT_DIR);
+
+ if (module_dirlen == 1) {
module_dirlen = 0;
set_filter_dir("/", 1);
} else
if (*lp_prexfer_exec(i) || *lp_postxfer_exec(i)) {
char *modname, *modpath, *hostaddr, *hostname, *username;
int status;
+
+ if (!use_chroot)
+ p = module_dir;
+ else if (module_dirlen) {
+ pathjoin(line, sizeof line, chroot_path, module_dir+1);
+ p = line;
+ } else
+ p = chroot_path;
+
if (asprintf(&modname, "RSYNC_MODULE_NAME=%s", name) < 0
- || asprintf(&modpath, "RSYNC_MODULE_PATH=%s", module_dir) < 0
+ || asprintf(&modpath, "RSYNC_MODULE_PATH=%s", p) < 0
|| asprintf(&hostaddr, "RSYNC_HOST_ADDR=%s", addr) < 0
|| asprintf(&hostname, "RSYNC_HOST_NAME=%s", host) < 0
|| asprintf(&username, "RSYNC_USER_NAME=%s", auth_user) < 0)
* a warning, unless a "require chroot" flag is set,
* in which case we fail.
*/
- if (chroot(module_dir)) {
- rsyserr(FLOG, errno, "chroot %s failed", module_dir);
+ if (chroot(chroot_path)) {
+ rsyserr(FLOG, errno, "chroot %s failed", chroot_path);
io_printf(f_out, "@ERROR: chroot failed\n");
return -1;
}
- if (!push_dir("/", 0))
+ if (!push_dir(module_dir, 0))
goto chdir_failed;
+ if (module_dirlen)
+ sanitize_paths = 1;
} else {
if (!push_dir(module_dir, 0)) {
chdir_failed:
}
if ((munge_symlinks = lp_munge_symlinks(i)) < 0)
- munge_symlinks = !use_chroot;
+ munge_symlinks = !use_chroot || module_dirlen;
if (munge_symlinks) {
STRUCT_STAT st;
if (stat(SYMLINK_PREFIX, &st) == 0 && S_ISDIR(st.st_mode)) {
of not being able to follow symbolic links that are either absolute or outside
of the new root path, and of complicating the preservation of users and groups
by name (see below).
-When "use chroot" is false, rsync will: (1) munge symlinks by
+
+As an additional safety feature, you can specify a dot-dir in the module's
+"path" to indicate the point where the chroot should occur. This allows rsync
+to run in a chroot with a non-"/" path for the top of the transfer hierarchy.
+Doing this guards against unintended library loading (since those absolute
+paths will not be inside the transfer hierarchy unless you have used an unwise
+pathname), and lets you setup libraries for the chroot that are outside of the
+transfer. For example, specifying "/var/rsync/./module1" will chroot to the
+"/var/rsync" directory and set the inside-chroot path to "/module1". If you
+had omitted the dot-dir, the chroot would have used the whole path, and the
+inside-chroot path would have been "/".
+
+When "use chroot" is false or the inside-chroot path is not "/", rsync will:
+(1) munge symlinks by
default for security reasons (see "munge symlinks" for a way to turn this
off, but only if you trust your users), (2) substitute leading slashes in
absolute paths with the module's path (so that options such as
bf(--backup-dir), bf(--compare-dest), etc. interpret an absolute path as
rooted in the module's "path" dir), and (3) trim ".." path elements from
-args if rsync believes they would escape the chroot.
+args if rsync believes they would escape the module hierarchy.
The default for "use chroot" is true, and is the safer choice (especially
if the module is not read-only).
all incoming symlinks in a way that makes them unusable but recoverable
(see below). This should help protect your files from user trickery when
your daemon module is writable. The default is disabled when "use chroot"
-is on and enabled when "use chroot" is off.
+is on and the inside-chroot path is "/", otherwise it is enabled.
If you disable this option on a daemon that is not read-only, there
are tricks that a user can play with uploaded symlinks to access
the string "/rsyncd-munged/". This prevents the links from being used
as long as that directory does not exist. When this option is enabled,
rsync will refuse to run if that path is a directory or a symlink to
-a directory. When using the "munge symlinks" option in a chroot area,
-you should add this path to the exclude setting for the module so that
+a directory. When using the "munge symlinks" option in a chroot area
+that has an inside-chroot path of "/", you should add "/rsyncd-munged/"
+to the exclude setting for the module so that
a user can't try to create it.
Note: rsync makes no attempt to verify that any pre-existing symlinks in
of the source code named "munge-symlinks" that can be used to add or remove
this prefix from your symlinks.
-When this option is disabled on a writable module and "use chroot" is off,
+When this option is disabled on a writable module and "use chroot" is off
+(or the inside-chroot path is not "/"),
incoming symlinks will be modified to drop a leading slash and to remove ".."
path elements that rsync believes will allow a symlink to escape the module's
hierarchy. There are tricky ways to work around this, though, so you had
verb(
uid = nobody
gid = nobody
-use chroot = no
+use chroot = yes
max connections = 4
syslog facility = local5
pid file = /var/run/rsyncd.pid
[ftp]
- path = /var/ftp/pub
+ path = /var/ftp/./pub
comment = whole ftp area (approx 6.1 GB)
[sambaftp]
- path = /var/ftp/pub/samba
+ path = /var/ftp/./pub/samba
comment = Samba ftp area (approx 300 MB)
[rsyncftp]
- path = /var/ftp/pub/rsync
+ path = /var/ftp/./pub/rsync
comment = rsync ftp area (approx 6 MB)
[sambawww]
Matt McCutchen's Web Site / rsync / rsync.git / commitdiff