[Bug 12817] New: [PATCH] Allow daemon itself to chroot


Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=12817

            Bug ID: 12817
           Summary: [PATCH] Allow daemon itself to chroot
           Product: rsync
           Version: 3.1.2
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: core
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]

Created attachment 13248
  --> https://bugzilla.samba.org/attachment.cgi?id=13248&action=edit
rsync_daemon_chroot

Hello,

Here is a patch which adds 3 new parameters to rsyncd.conf:
daemon chroot
daemon gid
daemon uid

The first one is a path to a directory the daemon itself will chroot to before
beginning communication with clients.
The 2 others are the uid/gid the daemon itself will switch to before beginning
communication with clients.

These parameters can improve security.
For example, using the daemon via a restricted remote-shell connection, for
security reasons, if we want the whole of rsync to be chrooted, we can now use:

daemon chroot = /home/%SUDO_USER%/rsync/
daemon uid = %SUDO_UID%
daemon gid = %SUDO_GID%

With of course rsync being sudo-called by the restricted shell (to configure
properly).

We could already do this without this patch, using the "use chroot" parameter,
but then the daemon itself is not chrooted and remains run by root.

Thank you !

Ben

--
You are receiving this mail because:
You are the QA Contact for the bug.

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
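
The sequence the message above describes (chroot, then switch gid and uid, all before any client is served), as an added C example. It is not the attached patch or rsync's own code; `confine_daemon` and its error codes are hypothetical names.

```c
#define _DEFAULT_SOURCE            /* exposes chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names, not taken from rsync or from the patch. */
enum confine_err { CONFINE_OK = 0, E_NOT_ROOT, E_CHROOT, E_CHDIR,
                   E_GROUPS, E_GID, E_UID, E_REGAIN };

/* Confine the calling process before it talks to any client.
 * Order matters: chroot(), setgroups() and setgid() all need root,
 * so setuid() has to be the last step. */
enum confine_err confine_daemon(const char *root, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return E_NOT_ROOT;            /* nothing below can succeed */
    if (chroot(root) != 0)
        return E_CHROOT;
    if (chdir("/") != 0)              /* otherwise cwd still points outside the new root */
        return E_CHDIR;
    if (setgroups(1, &gid) != 0)      /* drop root's supplementary groups */
        return E_GROUPS;
    if (setgid(gid) != 0)
        return E_GID;
    if (setuid(uid) != 0)
        return E_UID;
    if (uid != 0 && setuid(0) == 0)   /* the drop must not be reversible */
        return E_REGAIN;
    return CONFINE_OK;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s DIR UID GID\n", argv[0]);
        return 2;
    }
    enum confine_err rc = confine_daemon(argv[1],
                                         (uid_t)strtoul(argv[2], NULL, 10),
                                         (gid_t)strtoul(argv[3], NULL, 10));
    printf("confine_daemon: %d\n", rc);
    return rc == CONFINE_OK ? 0 : 1;
}
```

Any non-zero result should be treated as fatal: a daemon that continues after a failed step is running with more privilege than its configuration states.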

[Bug 12817] [PATCH] Allow daemon itself to chroot

Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=12817

Ben RUBSON <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #13248|0                           |1
        is obsolete|                            |

--- Comment #1 from Ben RUBSON <[hidden email]> ---
Created attachment 13249
  --> https://bugzilla.samba.org/attachment.cgi?id=13249&action=edit
rsync_daemon_chroot

Minor issue corrected: do not forget to init log before chrooting.


[Bug 12817] [PATCH] Allow daemon itself to chroot

Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=12817

Ben RUBSON <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #13249|0                           |1
        is obsolete|                            |

--- Comment #2 from Ben RUBSON <[hidden email]> ---
Created attachment 13250
  --> https://bugzilla.samba.org/attachment.cgi?id=13250&action=edit
rsync_daemon_chroot

Minor issue corrected: do not forget to init log before chrooting + typo.


[Bug 12817] [PATCH] Allow daemon itself to chroot

Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=12817

Ben RUBSON <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #13250|0                           |1
        is obsolete|                            |

--- Comment #3 from Ben RUBSON <[hidden email]> ---
Created attachment 13251
  --> https://bugzilla.samba.org/attachment.cgi?id=13251&action=edit
rsync_daemon_chroot

Minor issue corrected: do not forget to not sanitize_paths if daemon is
chrooted.


[Bug 12817] [PATCH] Allow daemon itself to chroot

Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=12817

Wayne Davison <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #4 from Wayne Davison <[hidden email]> ---
Thanks for the patch! I've tweaked it a little bit and committed it to git.


[Bug 12817] [PATCH] Allow daemon itself to chroot

Samba - rsync mailing list
https://bugzilla.samba.org/show_bug.cgi?id=12817

--- Comment #5 from Ben RUBSON <[hidden email]> ---
Many thanks Wayne for having reworked & merged it !
