Fedora Account System
Red Hat Associate
Red Hat Customer
Title: Hostname/ACL bypass on an rsync daemon with "daemon chroot = /X" set when /X lacks DNS resolution support. Description: On an rsync daemon configured with the global "daemon chroot = /X" rsyncd.conf setting, the reverse-DNS lookup of the connecting client was performed *after* the daemon had chrooted into /X. If /X did not contain the files glibc needs for resolution (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules), the lookup failed and the connecting hostname was set to "UNKNOWN". Hostname-based deny rules ("hosts deny = *.evil.example") therefore could not match, and an attacker controlling their PTR record could connect from a hostname the administrator had intended to deny. IP-based ACLs are unaffected. The per-module "use chroot" setting is unrelated to this issue. Reach: rsync daemon configured with "daemon chroot = /X" AND hostname-based ACLs AND /X does not include the libc resolver fixtures. CWE: CWE-289 (Authentication Bypass by Alternate Name). Reporter: MegaManSec. GHSA: