https://bugzilla.samba.org/show_bug.cgi?id=11879
Nick Cleaton <n...@cleaton.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |n...@cleaton.net
--- Comment #2 from Nick Cleaton <n...@cleaton.net> ---
Created attachment 14648
--> https://bugzilla.samba.org/attachment.cgi?id=14648&action=edit
rrysnc patch to avoid following symlinks out of the restricted dir
This patch fixes it a different way, by preventing rrysnc from following
symlinks out of the restricted dir rather than by blocking their creation.
This comes at the cost of adding a lock to prevent any other rrsync running at
the same time as a write rrsync. Without that, an attacker could bypass the
check by replacing a directory with a symlink after rrsync has checked it but
before rsync has opened it.
It's still somewhat less secure than adding --munge-links, because it's more
complex.
--
You are receiving this mail because:
You are the QA Contact for the bug.
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
