Added Russ (rssh maintainer). I cannot probe it but I guess chances are high that the issue is present both in stable and oldstable (I cannot find a good reason to filter different commands: solution should be the same or very similar) so I'm still keeping debian-security in the loop.
PS: Thx Holger & Chris. Cheers, -Román El 14/02/2019 a las 18:47, Chris Lamb escribió: > [debian-security@lists.debian.org → Bcc] > > Holger Levsen wrote: > >>> I applied recent rssh security updates to Debian 8 (jessie) and I >>> noticed that it breaks Synology's "Hyper backup" tool (with rsync method). >>> >>> Feb 10 03:28:21 roman rssh[19985]: cmd 'rsync' approved >>> Feb 10 03:28:21 roman rssh[19985]: insecure rsync options in rsync >>> command line! >>> Feb 10 03:28:21 roman rssh[19985]: user synology attempted to execute >>> forbidden commands >>> Feb 10 03:28:21 roman rssh[19985]: command: rsync --server --daemon . >>> >>> Is it really unsafe to issue a "rsync --server --daemon ." command so it >>> deserves to be blocked?` > FYI this is the patch in question: > > https://sources.debian.org/src/rssh/2.3.4-11/debian/patches/0007-Verify-rsync-command-options.patch/#L15-L20 > > > Regards, >
