On Thursday 29 August 2013 11:46 PM, Wayne Davison wrote:
> On Tue, Aug 27, 2013 at 8:03 PM, Sherin A <sherin...@gmail.com> wrote:
>> Hope they will report it as a vulnerability, because this POC
>> has been exploited successfully and it is affected by all
>> software that use rsync as a backup and restore tool.
>
> This is totally false. The vulnerability is your insecure use of
> chown, so you are shooting yourself in the foot. You could accomplish
> the same bad sequence of copying/restoring using any backup tool.
>
> If you want to use a non-root backup store, just use --fake-super on
> the remote side, as previously mentioned (and ensure that xattrs are
> enabled there).
>
> ..wayne..
So you are saying the chown is insecure. So as per your suggestion, I
need to read each and every file of the user and do the chown of only
required files? Well I think it may take a little more time to check
one million files of a user :(. Fake user won't work in push backups.
--
--------------------------------------
Regards
Sherin A
http://www.sherin.co.in/
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html