On 2022-09-09 19:36, Matt Corallo wrote:
The attacker is still limited to the target directory. The attacker
can send files that were excluded or not requested, but they still end
up in the target directory. RPKI validators download stuff in a
dedicated download directory
Ah, okay, thanks, its a shame that wasn't included in any of the
disclosure posts I managed to find :(
It's explained in the manual page:
https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURITY
(but it may be shared with several peers)
I assume I'm mis-reading this - RPKI servers aren't able to overwrite
output from other RPKI servers, so it shouldn't be shared, no?
Yes, it shouldn't, but maybe RPKI servers are still downloading all of
them in a single directory. Looking at cfrpki, it looks like it works
this way (didn't test).
