Bug 485946
Summary: | rssh doesn't accept rsync
---|---
Product: | [Fedora] Fedora
Component: | rssh
Version: | 10
Hardware: | x86_64
OS: | Linux
Status: | CLOSED ERRATA
Severity: | high
Priority: | low
Keywords: | Reopened
Reporter: | Patrick Pichon <patrick.pichon>
Assignee: | Rahul Sundaram <sundaram>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | brian.carlson, code, jspaleta, jvonau3, lyonel, metherid, patrick.pichon, smohan, sundaram
Fixed In Version: | rssh-2.3.3-2.fc16
Doc Type: | Bug Fix
Last Closed: | 2012-02-24 23:38:30 UTC
Bug Blocks: | 878113

Description
Patrick Pichon
2009-02-17 16:16:30 UTC
I did further investigations, and even without using an alternate port the problem is there.

    %rsync -a -r -v ./readme pichon@localhost:/tmp
    pichon@localhost's password:

    insecure -e option not allowed.
    This account is restricted by rssh.
    Allowed commands: scp sftp cvs rdist rsync

    If you believe this is in error, please contact your system administrator.

    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.5]

Few remarks:
- The error message reports 'rdist' where I use the 'rsync' command
- It reports an insecure "-e option not allowed" where I have used only "-a -r -v"

Would you mind reporting the problem directly upstream? https://lists.sourceforge.net/lists/listinfo/rssh-discuss We don't carry any patches so it is unlikely to be a Fedora specific issue.

Created attachment 332270 [details]
quick patch to fix the rsync problem
There doesn't seem to be much upstream development (source code is very old), despite active mailing lists.

True to some extent. The primary developer is still responsive to issues and has shown interest in reviewing patches in the past so I am still in favour of discussing this issue in the upstream mailing list rather than just patch something in Fedora. This is especially the case here since it is a security sensitive software. Also since you seem interested enough to write a patch, you might consider being a co-maintainer of this package in Fedora. http://fedoraproject.org/wiki/PackageMaintainers/Join Drop me a mail if you need further details.

Hi Rahul... Mainly these days I concern myself with security-related issues. I'm not really working on rssh, and I'm not really accepting patches except for non-trivial security holes. For mainly that reason, but also because I think it was irresponsible for the rsync maintainers to overload an option which was intended to allow execution of arbitrary programs to also send protocol information, I won't be adding any patches related to supporting rsync 3. That said, I do see the value in doing so, so if you feel it is appropriate by all means add the patch.

Thanks for the feedback. Appreciate it. Can you take a quick look at the patch and confirm it is ok? I will be willing to add it as a downstream patch then.

Hi Rahul, Maybe we can just use the same patch as Debian; it looks more generic (and probably more tested)... http://patch-tracking.debian.net/patch/series/view/rssh/2.3.2-8/rsync-protocol

Yeah, rssh was primarily imported for OLPC and I think they wanted the patch too. I will be offline till Monday but I will try to coordinate and get this done asap. Thanks.

(In reply to comment #7)
> Thanks for the feedback. Appreciate it. Can you take a quick look at the patch and
> confirm it is ok? I will be willing to add it as a downstream patch then.

To be honest, I really don't want to. :) That's the main reason I've all but abandoned the project... It's not dead exactly, but I'm only interested in fixing serious security issues. Aside from that, I really don't want to spend any time on this thing. I'd be rather happy if someone who cared would take over maintenance of it, in fact, so people will stop bothering me about it... ;-)

While I may have exaggerated the grossness of the rsync maintainers' decision to overload command-line options in my last response, I do think it's gross, tainting an otherwise excellent piece of software. And I think people's time would be more appropriately (though likely more futilely) spent convincing them to fix their backward-compatibility problem a different way that's less gross. It's worth pointing out that rssh is not the only program that rejects command lines that contain unapproved strings in an effort to enforce security (sudo, ssh, other restricted shells, and other programs have features that do this too). In sending protocol information with -e (both harmless and now necessary), overloading an option whose original purpose was to allow arbitrary execution of programs (neither harmless nor necessary), they've exercised poor judgment and made things more difficult for sysadmins who have a need to try to secure the use of their tool.

I think I will not add this patch for now. If OLPC wants it, I will reconsider picking up the patch from Debian later. Thanks for all your input.

Daniel Drake just mailed me that he needs this for OLPC and it is important for them. I still would very much prefer if rssh upstream accepted it but that doesn't seem like it is happening but at least in this case Debian seems to have been carrying this patch for a long time already and it is known to be functional. I am reopening for now. Daniel, do close this as fixed when you have applied the patch.
Please follow https://fedoraproject.org/wiki/Packaging/Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment and add a comment indicating the origin of the patch, link to comment #10 as well. Thanks.

rssh-2.3.3-2.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/rssh-2.3.3-2.el6

rssh-2.3.3-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/rssh-2.3.3-2.fc16

Package rssh-2.3.3-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=epel-testing rssh-2.3.3-2.el6'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-0367/rssh-2.3.3-2.el6 then log in and leave karma (feedback).

rssh-2.3.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

rssh-2.3.3-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

ping... this impacts EL5 as well. Would it be okay to push an EL5 update with this patch? -jef

Jef, Any update if an EL5 update with this patch was made available? Does anyone know where I can get rssh-2.3.3-2.el5? -Brian
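
Why a plain `rsync -a -r -v` trips the `-e` check, as an added example (not the attached patch, the Debian patch, or rssh's own code): an rsync 3 client puts its protocol information into the `-e` option of the server command it runs on the remote side, so a restricted shell has to tell that form from a remote-shell specification. The accepted pattern (`e`, a dot, then letters only) and the function names are assumptions of this example; anything else fails closed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum e_kind { E_ABSENT, E_PROTOCOL_INFO, E_REMOTE_SHELL };

/* Classify one argv word. Assumption: rsync 3 protocol info looks like
 * "-vlogDtpre.iLs": letters, 'e', a dot, then letters to the end of the word. */
enum e_kind classify_word(const char *arg)
{
    if (strncmp(arg, "--rsh", 5) == 0)
        return E_REMOTE_SHELL;            /* long form of -e */
    if (arg[0] != '-' || arg[1] == '-' || arg[1] == '\0')
        return E_ABSENT;                  /* not a short-option cluster */
    const char *e = strchr(arg + 1, 'e');
    if (e == NULL)
        return E_ABSENT;
    for (const char *p = arg + 1; p < e; p++)
        if (!isalpha((unsigned char)*p))
            return E_REMOTE_SHELL;        /* fail closed on anything unusual */
    if (e[1] != '.')
        return E_REMOTE_SHELL;            /* "-e", "-essh": names a program */
    for (const char *p = e + 2; *p != '\0'; p++)
        if (!isalpha((unsigned char)*p))
            return E_REMOTE_SHELL;
    return E_PROTOCOL_INFO;
}

/* Return 1 if the rsync command line may run, 0 if it must be refused. */
int rsync_argv_allowed(int argc, const char *const argv[])
{
    if (argc < 2 || strcmp(argv[1], "--server") != 0)
        return 0;                         /* only the server side is expected */
    /* Check every word: option parsers may accept options after paths. */
    for (int i = 2; i < argc; i++)
        if (classify_word(argv[i]) == E_REMOTE_SHELL)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed samples: server command lines as the restricted shell sees them. */
    const char *const ok[] = { "rsync", "--server", "-vlogDtpre.iLs", ".", "/tmp" };
    const char *const bad[] = { "rsync", "--server", "-e", "ssh", ".", "/tmp" };
    printf("protocol info: %d\n", rsync_argv_allowed(5, ok));
    printf("remote shell:  %d\n", rsync_argv_allowed(6, bad));
    return 0;
}
```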