Bug 1506234 - rsync daemon chgrp failed: Operation not permitted
Summary: rsync daemon chgrp failed: Operation not permitted
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rsync
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Michal Ruprich
QA Contact: Martin Zelený
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-10-25 13:16 UTC by Martin Zelený
Modified: 2017-11-30 12:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-30 12:43:10 UTC
Target Upstream Version:
Embargoed:



Description Martin Zelený 2017-10-25 13:16:03 UTC
Description of problem:
rsync synchronizing to an rsync daemon has a problem setting the group of transferred files

Version-Release number of selected component (if applicable):
rsync-3.1.2-4.el7.x86_64

How reproducible:
Create tester user
Create rsyncd.conf with path to tester user home directory and uid parameter set to tester

Steps to Reproduce:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
useradd tester
cat <<EOF > /etc/rsyncd.conf
[my_data]
    comment = test dir for rsync
    path = /home/tester
    read only = no
    # the uid parameter is important
    uid = tester
EOF
rsync --daemon
touch data
rsync -vg data localhost::my_data #the -g parameter is important

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Actual results:
data
rsync: chgrp "/.data.7AvTcU" (in my_data) failed: Operation not permitted (1)

sent 84 bytes  received 117 bytes  134.00 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1178) [sender=3.1.2]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Expected results:
data

sent 62 bytes  received 27 bytes  178.00 bytes/sec
total size is 0  speedup is 0.00

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Additional info:
No error exit code or message on rsync-3.0.9-18.el7.x86_64 in RHEL-7.4

Comment 2 Michal Ruprich 2017-11-06 11:58:44 UTC
Ok, I found a workaround. When I added the 'fake super = yes' to the conf file, it ended without any error. However, I will try to figure out what is happening without this option.

Comment 3 Michal Ruprich 2017-11-07 09:43:47 UTC
It seems to me that this behaviour is correct. The daemon is started as root but when you run the rsync, the transfer is executed by user tester. And the user tester doesn't have permissions to change group to other than tester (assuming you only created the user and it belongs to one group - tester). I'm in contact with the upstream just to check whether this is a correction of behaviour in the previous version.

Comment 4 Michal Ruprich 2017-11-08 08:42:29 UTC
Ok so I finally have some answers here. rsync is capable of changing to a different group only if the group is in the list of groups in the rsyncd.conf for the specific module. So if for example you try to copy a file owned by root to your module, the root group needs to be one of the groups in the gid option. Because only these groups are then available for the actual transfer process.

So the reproducer here needs this in the rsyncd.conf:
[my_data]
    comment = test dir for rsync
    path = /home/tester
    read only = no
    uid = tester
    gid = tester root

The fact that there is an error output is a new feature introduced in 3.1.0:
    - Added a way for more than one group to be specified in the daemon's
      config file, including a way to specify that you want all of the
      specified user's groups without having to name them.  Also changed the
      daemon to complain about an inability to set explicitly-specified uid/gid
      values, even when not run by a super-user.
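
Added example (not part of the original bug report and not rsync's own code): a small Python audit that applies the rule from comment 4 to an rsyncd.conf and reports, per module, which source groups `rsync -g` could not set. The function names, the sample config and the `user_groups` mapping are constructed for illustration; it assumes a root-started daemon falls back to the `nobody` group when `gid` is unset and that gid lists are separated by spaces or commas.

```python
import re

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) from rsyncd.conf text."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comments are whole lines only
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            target = globals_ if current is None else current
            target[" ".join(key.lower().split())] = value.strip()
    return globals_, modules

def settable_groups(params, user_groups, default_group="nobody"):
    """Groups the transfer process holds after the daemon drops privileges."""
    gids = [g for g in re.split(r"[,\s]+", params.get("gid", "")) if g]
    if not gids:
        return {default_group}               # assumption: root-started daemon default
    if gids[0] == "*":                       # "*" expands to the uid's own groups
        gids = list(user_groups.get(params.get("uid", ""), [])) + gids[1:]
    return set(gids)

def chgrp_failures(conf_text, source_groups, user_groups):
    """Map module -> source groups that 'rsync -g' could not set there."""
    globals_, modules = parse_rsyncd_conf(conf_text)
    report = {}
    for name, own in modules.items():
        params = {**globals_, **own}         # module settings override globals
        # fake super keeps ownership in xattrs, so no chgrp is attempted
        fake = params.get("fake super", "no").lower() in ("yes", "true", "1")
        ok = settable_groups(params, user_groups)
        report[name] = [] if fake else sorted(set(source_groups) - ok)
    return report

# Constructed sample: the reporter's module, the corrected one, a "*" variant.
SAMPLE_CONF = """
[my_data]
    uid = tester
[my_data_fixed]
    uid = tester
    gid = tester root
[my_data_star]
    uid = tester
    gid = *
"""
SAMPLE_USER_GROUPS = {"tester": ["tester"]}  # constructed group membership
```

Calling `chgrp_failures(SAMPLE_CONF, ["root"], SAMPLE_USER_GROUPS)` flags `my_data` and `my_data_star` for group `root` and leaves `my_data_fixed` clean, matching the reproducer and the corrected config above.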

