From ce055e863de711efc559b4909e2f71be8a093a02 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayned@samba.org>
Date: Tue, 30 Oct 2007 15:00:40 +0000
Subject: [PATCH] Mention that --keep-dirlinks can be dangerous if there are
 untrusted symlinks in the transfer.

---
 rsync.yo | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/rsync.yo b/rsync.yo
index 4563866a..e836aacb 100644
--- a/rsync.yo
+++ b/rsync.yo
@@ -801,6 +801,14 @@ directory, and receives the file into the new directory.  With
 bf(--keep-dirlinks), the receiver keeps the symlink and "file" ends up in
 "bar".
 
+One note of caution:  if you use bf(--keep-dirlinks), you must trust all
+the symlinks in the copy!  If it is possible for an untrusted user to
+create their own symlink to any directory, the user could then (on a
+subsequent copy) replace the symlink with a real directory and affect the
+content of whatever directory the symlink references.  For backup copies,
+you are better off using something like a bind mount instead of a symlink
+to modify your receiving hierarchy.
+
 See also bf(--copy-dirlinks) for an analogous option for the sending side.
 
 dit(bf(-H, --hard-links)) This tells rsync to look for hard-linked files in
-- 
2.34.1