rssh-discuss

Problems using rssh with rsync

[Andrew D. <ad...@tr...>]

We have a server with rssh-2.2.3 on CentOS 3, and tried connecting with 
rsync-3.0.6 from CentOS 5.

I get "insecure -e option not allowed".
When I look a the source for rsync, I find it's adding "-e.s" for some 
reason but I can fix that by using --protocol=26.

I tried building the current version of rssh (2.3.4-1) thinking that maybe 
the problem was fixed. But it's actually worse.

I don't know why rsync is sending "--sender" etc., but it's the standard 
RedHat version of rsync. I'm guessing that rssh is not parsing long options 
properly and is just finding 'e' in --server.

Seeing as rsync is one of the documented commands that works with rssh, 
I'm wondering what's going on.


$ rsync -vv  andrew@myserver:public_html/two/try2.html .
opening connection using: ssh -l andrew trshare rsync --server --sender -vve.s . public_html/two/try2.html

illegal insecure e option
This account is restricted by rssh.
Allowed commands: scp sftp rsync


$ rsync -vv --protocol=26  andrew@myserver:public_html/two/try2.html .
opening connection using: ssh -l andrew trshare rsync --server --sender -vv . public_html/two/try2.html

illegal insecure e option



-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)

Re: Problems using rssh with rsync

[Russ A. <rr...@st...>]

Andrew Daviel <ad...@tr...> writes:

> We have a server with rssh-2.2.3 on CentOS 3, and tried connecting with 
> rsync-3.0.6 from CentOS 5.

> I get "insecure -e option not allowed".
> When I look a the source for rsync, I find it's adding "-e.s" for some 
> reason but I can fix that by using --protocol=26.

> I tried building the current version of rssh (2.3.4-1) thinking that maybe 
> the problem was fixed. But it's actually worse.

> I don't know why rsync is sending "--sender" etc., but it's the standard 
> RedHat version of rsync. I'm guessing that rssh is not parsing long options 
> properly and is just finding 'e' in --server.

> Seeing as rsync is one of the documented commands that works with rssh, 
> I'm wondering what's going on.

I see that Sourceforge has completely broken their mailing list archives
so that you can't retrieve the content of previous list messages or I
would point you at the previous discussion of this.

You need patches in order to work with the latest rsync.  They reused the
-e option in a very unfortunate way to specify protocol information, and
it's quite tricky to ensure that the running command is still secure.

Debian (and I believe some others) are using the attached, which is
against 2.3.4.  (I would point you to the Debian patch tracker, but it's
down at the moment; the link at:

    http://patch-tracker.debian.org/package/rssh/2.3.3-6

has the patch set against 2.3.3, which includes the security fix in 2.3.4,
but that's not as clean as the patches based on 2.3.4 directly.)

-- 
Russ Allbery (rr...@st...)             <http://www.eyrie.org/~eagle/>

Re: Problems using rssh with rsync

[Andrew D. <ad...@tr...>]

On Tue, 24 Sep 2013, Russ Allbery wrote:

> I see that Sourceforge has completely broken their mailing list archives
> so that you can't retrieve the content of previous list messages or I
> would point you at the previous discussion of this.
>
> You need patches in order to work with the latest rsync.  They reused the
> -e option in a very unfortunate way to specify protocol information, and
> it's quite tricky to ensure that the running command is still secure.

Thank you, that works nicely.
I added it as a patch in the specfile and built an RPM.

I see now in the archives (as you say, sparse and hard to search) that you 
wrote much the same in August. And back in 2011.

I also found Derek's post on Dec 04 2012 saying that he won't support the 
rsync patch, but that most vendors have it in their RPM packages.
Yum is broken on our old CentOS 3 machine so the easy way didn't work, 
but it's in EPEL for Centos5 and 6.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)

Re: Problems using rssh with rsync

[Derek M. <co...@pi...>]

Thanks Russ.

I should really put up a FAQ about this, so you don't have to keep
answering this question... =8^)  

[Though, if people would just take a moment to actually search for the
answer...]

  http://lmgtfy.com/?q=rssh+rsync+3

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D



On Tue, Sep 24, 2013 at 12:46:21PM -0700, Russ Allbery wrote:
> Andrew Daviel <ad...@tr...> writes:
> 
> > We have a server with rssh-2.2.3 on CentOS 3, and tried connecting with 
> > rsync-3.0.6 from CentOS 5.
> 
> > I get "insecure -e option not allowed".
> > When I look a the source for rsync, I find it's adding "-e.s" for some 
> > reason but I can fix that by using --protocol=26.
> 
> > I tried building the current version of rssh (2.3.4-1) thinking that maybe 
> > the problem was fixed. But it's actually worse.
> 
> > I don't know why rsync is sending "--sender" etc., but it's the standard 
> > RedHat version of rsync. I'm guessing that rssh is not parsing long options 
> > properly and is just finding 'e' in --server.
> 
> > Seeing as rsync is one of the documented commands that works with rssh, 
> > I'm wondering what's going on.
> 
> I see that Sourceforge has completely broken their mailing list archives
> so that you can't retrieve the content of previous list messages or I
> would point you at the previous discussion of this.
> 
> You need patches in order to work with the latest rsync.  They reused the
> -e option in a very unfortunate way to specify protocol information, and
> it's quite tricky to ensure that the running command is still secure.
> 
> Debian (and I believe some others) are using the attached, which is
> against 2.3.4.  (I would point you to the Debian patch tracker, but it's
> down at the moment; the link at:
> 
>     http://patch-tracker.debian.org/package/rssh/2.3.3-6
> 
> has the patch set against 2.3.3, which includes the security fix in 2.3.4,
> but that's not as clean as the patches based on 2.3.4 directly.)
> 
> -- 
> Russ Allbery (rr...@st...)             <http://www.eyrie.org/~eagle/>
> 

> From: Russ Allbery <rr...@st...>
> Subject: [PATCH] Handle the rsync v3 -e option for protocol information
> 
> As of rsync 3, rsync reused the -e option to pass protocol information
> from the client to the server.  We therefore cannot reject all -e
> options to rsync, only ones not sent with --server or containing
> something other than protocol information as an argument.
> 
> Also scan the rsync command line for any --rsh option and reject it as
> well.  This replaces and improves the upstream strategy for rejecting
> that command-line option, taking advantage of the parsing added to
> check the -e option.
> 
> Based on work by Robert Hardy.
> 
> Debian Bug#471803
> 
> Signed-off-by: Russ Allbery <rr...@st...>
> 
> ---
>  util.c |   80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
>  1 file changed, 72 insertions(+), 8 deletions(-)
> 
> diff --git a/util.c b/util.c
> index f98d2bc..a257b06 100644
> --- a/util.c
> +++ b/util.c
> @@ -56,6 +56,7 @@
>  #ifdef HAVE_LIBGEN_H
>  #include <libgen.h>
>  #endif /* HAVE_LIBGEN_H */
> +#include <regex.h>
>  
>  /* LOCAL INCLUDES */
>  #include "pathnames.h"
> @@ -198,6 +199,73 @@ bool check_command( char *cl, ShellOptions_t *opts, char *cmd, int cmdflag )
>  
>  
>  /*
> + * rsync_e_okay() - take the command line passed to rssh and look for an -e
> + *		    option.  If one is found, make sure --server is provided
> + *		    and the option contains only the protocol information.
> + *		    Also check for and reject any --rsh option.	 Returns FALSE
> + *		    if the command line should not be allowed, TRUE if it is
> + *		    okay.
> + */
> +static int rsync_e_okay( char **vec )
> +{
> +	regex_t	re;
> +	int	server = FALSE;
> +	int	e_found = FALSE;
> +
> +	/*
> +	 * rsync will send -e, followed by either just "." (meaning no special
> +	 * protocol) or "N.N" (meaning a pre-release protocol version),
> +	 * followed by some number of alphabetic flags indicating various
> +	 * supported options.  There may be other options between - and the e,
> +	 * but -e will always be the last option in the string.	 A typical
> +	 * option passed by the client is "-ltpre.iL".
> +	 *
> +	 * Note that if --server is given, this should never be parsed as a
> +	 * shell, but we'll tightly verify it anyway, just in case.
> +	 *
> +	 * This regex matches the acceptable flags containing -e, so if it
> +	 * does not match, the command line should be rejected.
> +	 */
> +	static const char pattern[]
> +	    = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$";
> +
> +	/*
> +	 * Only recognize --server if it's the first option.  rsync itself
> +	 * always passes it that way, and if it's not the first argument, it
> +	 * could be hidden from the server as an argument to some other
> +	 * option.
> +	 */
> +	if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){
> +		server = TRUE;
> +	}
> +
> +	/* Check the remaining options for -e or --rsh. */
> +	if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
> +		return FALSE;
> +	}
> +	while (vec && *vec){
> +		if ( strcmp(*vec, "--") == 0 ) break;
> +		if ( strcmp(*vec, "--rsh") == 0
> +		     || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){
> +			regfree(&re);
> +			return FALSE;
> +		}
> +		if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){
> +			e_found = TRUE;
> +			if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){
> +				regfree(&re);
> +				return FALSE;
> +			}
> +		}
> +		vec++;
> +	}
> +	regfree(&re);
> +	if ( e_found && !server ) return FALSE;
> +	return TRUE;
> +}
> +
> +
> +/*
>   * check_command_line() - take the command line passed to rssh, and verify
>   *			  that the specified command is one the user is
>   *			  allowed to run and validate the arguments.  Return the
> @@ -230,14 +298,10 @@ char *check_command_line( char **cl, ShellOptions_t *opts )
>  
>  	if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
>  		/* filter -e option */
> -		if ( opt_filter(cl, 'e') ) return NULL;
> -		while (cl && *cl){
> -			if ( strstr(*cl, "--rsh" ) ){
> -				fprintf(stderr, "\ninsecure --rsh= not allowed.");
> -				log_msg("insecure --rsh option in rsync command line!");
> -				return NULL;
> -			}
> -			cl++;
> +		if ( !rsync_e_okay(cl) ){
> +			fprintf(stderr, "\ninsecure -e or --rsh option not allowed.");
> +			log_msg("insecure -e or --rsh option in rsync command line!");
> +			return NULL;
>  		}
>  		return PATH_RSYNC;
>  	}
> -- 
> tg: (f8b36e2..) fixes/rsync-protocol (depends on: upstream)

> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk

> _______________________________________________
> rssh-discuss mailing list
> rss...@li...
> https://lists.sourceforge.net/lists/listinfo/rssh-discuss