Thread: Forbidden commands
Brought to you by:
xystrus
Menu
▾
▴
rssh-discuss
|
From: Alain D D W. <ad...@ph...> - 2019-11-22 15:54:37
|
A recent problem with a rsync/rssh setup that has worked since 2012.
This happened since update to rssh-2.3.4-15 a few days ago.
Running on a CentOS 6 machine.
The recent patch forbids the --daemon option - but I need this as I want an
instance of rsync (running over ssh) that exports two modules. The files in the
modules are not publicly visible - thus only available over ssh as a
particular user (public key authentication).
The patch contains the comment:
"Also scan the rsync command line for any --rsh, --config, or --daemon
option and reject it as well. This replaces and improves the upstream
strategy for rejecting that command-line option, taking advantage of
the parsing added to check the -e option. --config can be used to run
commands via "pre-xfer exec" when running as a daemon, plus the client
should not be able to spawn daemons."
So: how do I do this with this patch applied ?
Thanks in advance.
Something from /var/log/messages:
rssh[27171]: setting log facility to LOG_USER
rssh[27171]: setting umask to 022
rssh[27171]: line 52: configuring user someuser
rssh[27171]: setting someuser's umask to 0
rssh[27171]: allowing rsync to user someuser
rssh[27171]: cmd 'rsync' approved
rssh[27171]: cmd 'rsync' approved
rssh[27171]: insecure rsync options in rsync command line!
rssh[27171]: user someuser attempted to execute forbidden commands
rssh[27171]: command: rsync --server --daemon .
rssh[27177]: setting log facility to LOG_USER
rssh[27177]: setting umask to 022
rssh[27177]: line 52: configuring user someuser
rssh[27177]: setting someuser's umask to 0
rssh[27177]: allowing rsync to user someuser
rssh[27177]: cmd 'rsync' approved
rssh[27177]: cmd 'rsync' approved
rssh[27177]: insecure rsync options in rsync command line!
rssh[27177]: user someuser attempted to execute forbidden commands
rssh[27177]: command: rsync --server --daemon .
(Usename changed)
/home/someuser/rsyncd.conf
[maillist]
comment = Maillist backup
path = /var/spool/mailman/somemaillist
read only = true
use chroot = no
[mailman]
comment = Mailman programs
path = /usr/local/mailman/somemaillist/
read only = true
use chroot = no
My remote user has told me:
> ----------8<-------------------------------
> insecure rsync options not allowed.
> This account is restricted by rssh.
> Allowed commands: rsync
>
> If you believe this is in error, please contact your system administrator.
>
> rsync: did not see server greeting
> rsync error: error starting client-server protocol (code 5) at
> main.c(1648) [Receiver=3.1.2]
> ----------8<-------------------------------
>
>
> command I'm running is:
>
> ----------8<-------------------------------
> rsync -e ssh -av --delete rsync://som...@li.../somelist/backups/somelistlist/somelist/
> ----------8<-------------------------------
>
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>
|
|
From: Russ A. <ea...@ey...> - 2019-11-22 17:10:28
|
Alain D D Williams <ad...@ph...> writes: > A recent problem with a rsync/rssh setup that has worked since 2012. > This happened since update to rssh-2.3.4-15 a few days ago. Running on > a CentOS 6 machine. > The recent patch forbids the --daemon option - but I need this as I want > an instance of rsync (running over ssh) that exports two modules. The > files in the modules are not publicly visible - thus only available over > ssh as a particular user (public key authentication). > The patch contains the comment: > "Also scan the rsync command line for any --rsh, --config, or --daemon > option and reject it as well. This replaces and improves the upstream > strategy for rejecting that command-line option, taking advantage of > the parsing added to check the -e option. --config can be used to run > commands via "pre-xfer exec" when running as a daemon, plus the client > should not be able to spawn daemons." > So: how do I do this with this patch applied ? You unfortunately can't. I couldn't convince myself that --daemon was safe in the rssh security model. If you can convince yourself that it is, you can remove --daemon from the options that are blocked. Make sure that the configuration file isn't writable by the user via rsync, since otherwise this is trivial RCE, and be sure that other options like --address and --port don't allow someone to do something that you don't expect. -- Russ Allbery (ea...@ey...) <https://www.eyrie.org/~eagle/> |
|
From: Russ A. <ea...@ey...> - 2019-11-22 17:23:37
|
Russ Allbery <ea...@ey...> writes: > You unfortunately can't. I couldn't convince myself that --daemon was > safe in the rssh security model. I should also add: If you're only using --daemon, consider whether the arguments to rsync vary with each invocation. I suspect that they don't, in which case you could use SSH's force-command option for authorized_keys rather than rssh. This doesn't give you the chroot inherently, but you could write a tiny helper that does the chroot, or use user namespaces to achieve an equivalent end. -- Russ Allbery (ea...@ey...) <https://www.eyrie.org/~eagle/> |
Thanks for helping keep SourceForge clean.
X