You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Suppose you want a multiuser rsync server in a zero-trust environment. You need a chroot.
You could run rsync in daemon mode or "chain-proxy" as described under "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION" in the man rsync. The major drawback is its reliance on its own password authentication instead of today's industry-standard SSH keys. Even if you find a trick to overcome this, the overall setup would be a security headache.
Rsync in non-daemon mode can be started from a chroot by an external program. This means the user will see the executable and libraries lying around, which might confuse them or provoke them to tamper with these files and attempt to escape.
As a final nail in the coffin, you might start filtering user input, trying to restrict them to specific directories, either with rrsync or, say, GNU Rush regexes. This approach is quite naive and only viable in an enterprise setting, but not against targeted attacks on the internet.
The solution would be the capability to chroot+chdir+setuid without daemon mode, controlled by command-line options that are forcibly set by sshd or a restricted shell.
The downside is that you need to run rsync as root, either using the SUID bit or running it from the aforementioned Rush, which is SUID. To me, this seems more manageable than the scenarios described in points (1), (2), and (3).
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Suppose you want a multiuser rsync server in a zero-trust environment. You need a chroot.
You could run rsync in daemon mode or "chain-proxy" as described under "USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION" in the
man rsync. The major drawback is its reliance on its own password authentication instead of today's industry-standard SSH keys. Even if you find a trick to overcome this, the overall setup would be a security headache.Rsync in non-daemon mode can be started from a chroot by an external program. This means the user will see the executable and libraries lying around, which might confuse them or provoke them to tamper with these files and attempt to escape.
As a final nail in the coffin, you might start filtering user input, trying to restrict them to specific directories, either with rrsync or, say, GNU Rush regexes. This approach is quite naive and only viable in an enterprise setting, but not against targeted attacks on the internet.
The solution would be the capability to chroot+chdir+setuid without daemon mode, controlled by command-line options that are forcibly set by sshd or a restricted shell.
The downside is that you need to run rsync as root, either using the SUID bit or running it from the aforementioned Rush, which is SUID. To me, this seems more manageable than the scenarios described in points (1), (2), and (3).
Beta Was this translation helpful? Give feedback.
All reactions