https://bugzilla.samba.org/show_bug.cgi?id=11879
Nick Cleaton <n...@cleaton.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |n...@cleaton.net

--- Comment #2 from Nick Cleaton <n...@cleaton.net> ---
Created attachment 14648
  --> https://bugzilla.samba.org/attachment.cgi?id=14648&action=edit
rrsync patch to avoid following symlinks out of the restricted dir

This patch fixes it a different way, by preventing rrsync from following symlinks out of the restricted dir rather than by blocking their creation.

This comes at the cost of adding a lock to prevent any other rrsync running at the same time as a write rrsync. Without that, an attacker could bypass the check by replacing a directory with a symlink after rrsync has checked it but before rsync has opened it.

It's still somewhat less secure than adding --munge-links, because it's more complex.
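Added example, not part of the comment above and not the attached patch: a sketch of the check-then-open problem the comment describes, with a containment check that follows symlinks and an exclusive lock around it. The names `resolves_inside`, `exclusive_session` and `demo`, the lock file path, and the use of `flock` are assumptions made for illustration; the directory tree is constructed.

```python
import fcntl
import os
import tempfile
from contextlib import contextmanager


def resolves_inside(restricted_dir, rel_path):
    """True if rel_path, with every symlink followed, stays under restricted_dir."""
    root = os.path.realpath(restricted_dir)
    target = os.path.realpath(os.path.join(root, rel_path))
    return os.path.commonpath([root, target]) == root


@contextmanager
def exclusive_session(lock_path):
    """Hold an exclusive advisory lock for the whole check-and-transfer window.
    flock only excludes other processes that take the same lock."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        yield
    finally:
        os.close(fd)  # closing the descriptor releases the lock


def demo():
    """Constructed tree; returns (check before the swap, check after the swap)."""
    with tempfile.TemporaryDirectory() as base:
        restricted = os.path.join(base, "restricted")
        outside = os.path.join(base, "outside")
        incoming = os.path.join(restricted, "incoming")
        os.makedirs(incoming)
        os.makedirs(outside)
        lock = os.path.join(base, "rrsync.lock")  # hypothetical lock file
        with exclusive_session(lock):
            before = resolves_inside(restricted, "incoming/file")
        # The swap the comment describes: a directory replaced by a symlink
        # after the check. A result computed before this point is stale, so
        # the check and the transfer have to sit inside one locked session.
        os.rmdir(incoming)
        os.symlink(outside, incoming)
        with exclusive_session(lock):
            after = resolves_inside(restricted, "incoming/file")
        return before, after
```

The same path passes the check before the swap and fails it afterwards, which is why a check result cannot be reused once another writer has had a chance to run.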