Bug 485946 - rssh doesn't accept rsync
rssh doesn't accept rsync
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: rssh (Show other bugs)
10
x86_64 Linux
low Severity high
: ---
: ---
Assigned To: Rahul Sundaram
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: 878113
  Show dependency treegraph
 
Reported: 2009-02-17 11:16 EST by Patrick Pichon
Modified: 2013-03-13 01:44 EDT (History)
9 users (show)

See Also:
Fixed In Version: rssh-2.3.3-2.fc16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 878113 (view as bug list)
Environment:
Last Closed: 2012-02-24 18:38:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
quick patch to fix the rsync problem (1.25 KB, patch)
2009-02-17 13:33 EST, Lyonel Vincent
no flags Details | Diff

  None (edit)
Description Patrick Pichon 2009-02-17 11:16:30 EST
Description of problem:
rssh doesn't allow rsync working when using "ssh on an alternate port" even if rsync is authorized in the rssh configuration file.

Version-Release number of selected component (if applicable):
rssh 2.3.1

How reproducible:
see the steps here after

Steps to Reproduce:
1. configure a test user
2. configure rssh on your system. edit /etc/rssh.conf and add user=test:011:10011:
2. enable that use to ssh (if you have put restriction).  
3. enable sshd to listen on an alternate port ( like 2522 ) - restart sshd
4. create a file name dummy2transfert
4. rsync -a -r -v -e 'ssh -p 2522' ./dummy2transfert  test@localhost:/tmp 




Actual results:
Nothing is transferred and you get the following error message:
insecure -e option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp rsync

If you believe this is in error, please contact your system administrator.

rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.5]

Expected results:
rsync is done and the the file dummy2transfert is copied to /tmp

Additional info:
Extract from /var/log/secure

Feb 17 16:51:25 100-souci sshd[29633]: Accepted password for test from 127.0.0.1 port 59128 ssh2
Feb 17 16:51:25 100-souci sshd[29633]: pam_unix(sshd:session): session opened for user test by (uid=0)
Feb 17 16:51:25 100-souci sshd[29633]: pam_unix(sshd:session): session closed for user test


Extract from /var/log/messages
Feb 17 16:50:16 100-souci rssh[29626]: setting log facility to LOG_USER
Feb 17 16:50:16 100-souci rssh[29626]: setting umask to 022
Feb 17 16:50:16 100-souci rssh[29626]: line 52: configuring user test
Feb 17 16:50:16 100-souci rssh[29626]: setting test's umask to 011
Feb 17 16:50:16 100-souci rssh[29626]: allowing scp to user test
Feb 17 16:50:16 100-souci rssh[29626]: allowing sftp to user test
Feb 17 16:50:16 100-souci rssh[29626]: allowing rsync to user test
Feb 17 16:50:16 100-souci rssh[29626]: insecure -e option in rdist command line!
Feb 17 16:50:16 100-souci rssh[29626]: user test attempted to execute forbidden commands
Feb 17 16:50:16 100-souci rssh[29626]: command: rsync --server -vlogDtpre.iLs . /tmp
Comment 1 Patrick Pichon 2009-02-17 11:37:54 EST
I did further investigations, and even whithout using an alternate port the problem is there.


%rsync -a -r -v ./readme  pichon@localhost:/tmp
pichon@localhost's password: 

insecure -e option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp cvs rdist rsync

If you believe this is in error, please contact your system administrator.

rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.5]


Few remarks:
- The error message report 'rdist" where I use 'rsync' command
- it reports an insecure "-e option not allowed" where I have used only "-a -r -v"
Comment 2 Rahul Sundaram 2009-02-17 13:05:28 EST
Would you mind reporting the problem directly upstream?

https://lists.sourceforge.net/lists/listinfo/rssh-discuss

We don't carry any patches so it is unlikely to be a Fedora specific issue.
Comment 3 Lyonel Vincent 2009-02-17 13:33:16 EST
Created attachment 332270 [details]
quick patch to fix the rsync problem
Comment 4 Lyonel Vincent 2009-02-17 14:22:41 EST
There doesn't seem to be much upstream development (source code is very old), despite active mailing lists.
Comment 5 Rahul Sundaram 2009-02-17 14:40:20 EST
True to some extend. The primary developer is still responsive to issues and has shown interest in reviewing patches in the past so I am still in favour of discussing this issue in the upstream mailing list rather than just patch something in Fedora. This is especially the case here since it is a security sensitive software.

Also since you seem interested enough to write a patch, you might consider being a co-maintainer of this package in Fedora. 

http://fedoraproject.org/wiki/PackageMaintainers/Join

Drop me a mail if you need further details.
Comment 6 Derek Martin 2009-02-18 09:31:42 EST
Hi Rahul...  Mainly these days I concern myself with security-related issues.  I'm not really working on rssh, and I'm not really accepting patches except for non-trivial security holes.  For mainly that reason, but also because I think it was irresponsible for the rsync maintainers to overload an option which was intended to allow execution of arbitrary programs to also send protocol information, I won't be adding any patches related to supporting rsync 3.  That said, I do see the value in doing so, so if you feel it is appropriate by all means add the patch.
Comment 7 Rahul Sundaram 2009-02-18 14:54:18 EST
Thanks for the feedback. Appreciate it. Can you quick look at the patch and confirm it is ok? I will be willing to add it as a downstream patch then.
Comment 8 Lyonel Vincent 2009-02-18 16:09:48 EST
Hi Rahul,

Maybe we can just use the same patch as Debian; it looks more generic (and probably more tested)...

http://patch-tracking.debian.net/patch/series/view/rssh/2.3.2-8/rsync-protocol
Comment 9 Rahul Sundaram 2009-02-18 16:21:10 EST
Yeah, rssh was primarily imported for OLPC and I think, they wanted the patch too. I will be offline till Monday but I will try to coordinate and get this done asap.Thanks.
Comment 10 Derek Martin 2009-02-19 20:27:32 EST
(In reply to comment #7)
> Thanks for the feedback. Appreciate it. Can you quick look at the patch and
> confirm it is ok? I will be willing to add it as a downstream patch then.

To be honest, I really don't want to. :)  That's the main reason I've all but abandoned the project...  It's not dead exactly, but I'm only interested in fixing serious security issues.  Aside from that, I really don't want to spend any time on this thing.  I'd be rather happy if someone who cared would take over maintenance of it, in fact, so people will stop bothering me about it... ;-)  

While I may have exaggerated the grossness of the rsync maintainers' decision to overload command-line options in my last response, I do think it's gross, tainting an otherwise excellent peice of software.  And I think people's time would be more appropriately (though likely more futilely) spent convincing them to fix their backward-compaitibility problem a different way that's less gross.  It's worth pointing out that rssh is not the only program that rejects command lines that contain unapproved strings in an effort to enforce security (sudo, ssh, other restricted shells, and other programs have features that do this too).  In sending protocol information with -e (both harmless and now necessary),  overloading an option whose original purpose was to allow arbitrary execution of programs (neithre harmless nor necessary), they've exercised poor judgment and made things more difficult for sysadmins who have a need to try to secure the use of their tool.
Comment 11 Rahul Sundaram 2009-03-30 06:05:48 EDT
I think, I will not add this patch for now. If OLPC wants it, I will reconsider picking up the patch from Debian later. Thanks for all your input.
Comment 12 Rahul Sundaram 2012-02-06 17:24:14 EST
Daniel Drake just mailed me that he needs this for OLPC and it is important for them.   I still would very much prefer if rssh upstream accepted it but that doesn't seem like it is happening but atleast in this case Debian seems to have been carrying this patch for a long time already and it is known to be functional. I am reopening for now.  Daniel,  do close this as fixed when you have applied the patch.   Please follow https://fedoraproject.org/wiki/Packaging/Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment and add a comment indicating the origin of the patch, link to comment #10 as well. Thanks.
Comment 13 Fedora Update System 2012-02-07 11:27:41 EST
rssh-2.3.3-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rssh-2.3.3-2.el6
Comment 14 Fedora Update System 2012-02-07 11:37:24 EST
rssh-2.3.3-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/rssh-2.3.3-2.fc16
Comment 15 Fedora Update System 2012-02-07 17:11:12 EST
Package rssh-2.3.3-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing rssh-2.3.3-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-0367/rssh-2.3.3-2.el6
then log in and leave karma (feedback).
Comment 16 Fedora Update System 2012-02-24 18:38:30 EST
rssh-2.3.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2012-03-06 14:25:12 EST
rssh-2.3.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Jef Spaleta 2012-08-13 15:25:48 EDT
ping... this impacts EL5 as well. Would it be okay to push an EL5 update with this patch?


-jef
Comment 19 Brian Carlson 2012-09-21 19:19:05 EDT
Jef, 
Any update if an EL5 update with this patch was made available?  Does anyone know where I can get rssh-2.3.3-2.el5?

-Brian

Note You need to log in before you can comment on or make changes to this bug.