Chown itself is not insecure. The indiscriminate chowning of all files creates security issues.

You can use --fake-super on push backups. In fact that is what --fake-super is DESIGNED FOR. You just have to make sure that --fake-super is running on the correct end of the backup. You are supposed to push backups from root@localhost to notroot@somewhere-else. And you are supposed to do that with --rsync-path="/path/to/rsync --fake-super". If you just run "rsync --fake-super" it won't work right.

On 08/30/13 01:02, Sherin A wrote:
> On Thursday 29 August 2013 11:46 PM, Wayne Davison wrote:
>> On Tue, Aug 27, 2013 at 8:03 PM, Sherin A <sherin...@gmail.com <mailto:sherin...@gmail.com>> wrote:
>>
>>     Hope they will report it as a vulnerability, because this POC has been exploited successfully and it is affected by all software that use rsync as a backup and restore tool.
>>
>> This is totally false. The vulnerability is your insecure use of chown, so you are shooting yourself in the foot. You could accomplish the same bad sequence of copying/restoring using any backup tool.
>>
>> If you want to use a non-root backup store, just use --fake-super on the remote side, as previously mentioned (and ensure that xattrs are enabled there).
>>
>> ..wayne..
>
> So you are saying the chown is insecure. So as per your suggestion, I need to read each and every file of the user and do the chown of only required files? Well I think it may take a little more time to check one million files of a user :(. Fake user won't work in push backups.
>
> --
> Regards
> Sherin A
> http://www.sherin.co.in/

--
Kevin Korb                      Phone:    (407) 252-6853
Systems Administrator           Internet:
FutureQuest, Inc.               ke...@futurequest.net  (work)
Orlando, Florida                k...@sanitarium.net (personal)
Web page:                       http://www.sanitarium.net/
PGP public key available on web site.

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
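The rule Kevin states (push from root@localhost to a non-root store, with --fake-super passed through --rsync-path so it runs on the receiving end) is easy to get backwards, so here is a small POSIX sh lint for it. This is an added example, not code from the thread or from the rsync project: it classifies where --fake-super would take effect in a given rsync argument list, accepts a push only when the flag runs solely on the remote store, and checks a restored file on the store host for the user.rsync.%stat xattr that rsync's --fake-super writes. Host names and paths are placeholders.

```sh
#!/bin/sh
# Added example; not code from the thread or from the rsync project.
# Lint for the rule above: with a non-root backup store on a remote host,
# --fake-super has to run on that host, which for a push means passing it
# through --rsync-path rather than as a local option.
# Host names and paths below are placeholders.

# Print where --fake-super would take effect for the given rsync arguments:
# "local" (bare option), "remote" (inside --rsync-path), "both" or "none".
fake_super_side() {
    local_flag=0; remote_flag=0; expect=""
    for a in "$@"; do
        # Consume the value of a --rsync-path or -e given as a separate word.
        case "$expect" in
            path) case "$a" in *--fake-super*) remote_flag=1 ;; esac
                  expect=""; continue ;;
            skip) expect=""; continue ;;
        esac
        case "$a" in
            --fake-super)                local_flag=1 ;;
            --rsync-path=*--fake-super*) remote_flag=1 ;;
            --rsync-path)                expect=path ;;
            -e|--rsh)                    expect=skip ;;
        esac
    done
    if [ "$local_flag" -eq 1 ] && [ "$remote_flag" -eq 1 ]; then echo both
    elif [ "$remote_flag" -eq 1 ]; then echo remote
    elif [ "$local_flag" -eq 1 ]; then echo local
    else echo none
    fi
}

# Succeed only for a push (destination given as host:path or user@host:path)
# whose --fake-super runs solely on that remote end.
push_to_remote_store_ok() {
    last=""
    for a in "$@"; do last="$a"; done
    case "$last" in
        *:*) [ "$(fake_super_side "$@")" = remote ] ;;
        *)   return 1 ;;
    esac
}

# On the store host after a backup: --fake-super keeps the real owner, group
# and mode in the user.rsync.%stat xattr, so its absence on a stored file
# means either --fake-super ran on the wrong end or xattrs are not enabled.
store_file_has_fake_super() {
    getfattr --only-values -n 'user.rsync.%stat' "$1" >/dev/null 2>&1
}

# Usage, as run by root on the source host (placeholder destination):
if push_to_remote_store_ok -aHAX --numeric-ids \
        --rsync-path='/usr/bin/rsync --fake-super' / notroot@backup.invalid:/srv/backups/host1/
then echo "ok: --fake-super runs on the receiving end"
else echo "wrong end: --fake-super must be inside --rsync-path for a push" >&2
fi
```

A restore that pulls from the same store is the mirror image: the store is then the remote sender, so --fake-super still belongs in --rsync-path, and a bare --fake-super on the root-run local side would again be the wrong end.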