[snip] Similar tricks can be played with rsync (create an rsyncd.conf with a pre-xfer exec or post-xfer exec option; start a daemon, and connect to it) and unison (provided that you can create files in ~/.unison, which is quite likely). [snip] Additional information: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148
rsync support disabled in devel since this is a security issue. warren, I'd like to get your permission before pushing to other releases as it would be a feature that is going away. If you think that removing the feature for released distro versions would be disruptive we could look at backporting the fixes talked about in the Debian bug report. They don't close the hole for the svn case but they are supposed to close it for rsync. (Might want to review it, though).
For rsync specifically, scponly is insecure only if you use a non-default option in rsyncd.conf? You are clearly shooting yourself in the foot if you set those options. (no opinion yet, need time to fully review the Debian bug)
AIUI, you can upload an rsyncd.conf file from your local machine using scponly. Then, using the rsync passthrough feature of scponly, start an rsync daemon that uses the uploaded rsyncd.conf file. Since rsync has config options that let you invoke a program, this lets the user escape the constraints of scponly.
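An added example, not part of this bug report and not code from scponly or rsync: a defender-side check that scans the text of an rsyncd.conf for the pre-xfer exec and post-xfer exec options described above and reports each one with its section and line. The function names and the sample config are constructed for illustration.

```python
import re

# Parameters that make the rsync daemon run a command (the two options named in the report).
EXEC_PARAMS = {"pre-xferexec", "post-xferexec"}

def normalize(name):
    # rsyncd.conf parameter names ignore case and all whitespace.
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    # Join continuation lines (trailing backslash) and keep the first line number.
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def find_exec_hooks(text):
    """Return (line, section, parameter, command) for each exec hook found."""
    findings, section = [], "global"
    for no, line in logical_lines(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        if sep and normalize(name) in EXEC_PARAMS:
            findings.append((no, section, " ".join(name.split()).lower(), value.strip()))
    return findings

# Constructed sample, not taken from the bug report.
SAMPLE = """\
# config file found in a restricted account's home directory
[files]
    path = /home/user/files
    Pre-Xfer  Exec = /home/user/hook.sh
    read only = yes
"""

if __name__ == "__main__":
    print(find_exec_hooks(SAMPLE))
```

Running it over every rsyncd.conf found under the home directories of scponly accounts gives a quick audit of whether any uploaded config carries an exec hook.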
Note http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6350
(In reply to comment #4)
> Note http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6350
scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute code by invoking dangerous subcommands including (1) unison, (2) rsync, and (3) svn, as originally demonstrated by creating a Subversion (SVN) repository with malicious hooks, then using svn to trigger execution of those hooks.
Fedora packages in F7 and F8 are only compiled to support rsync. unison and svn compatibility is not enabled / compiled in.
Converting to Security Response bug.
scponly-4.6-10.fc8 has been submitted as an update for Fedora 8
scponly-4.6-10.fc7 has been submitted as an update for Fedora 7
scponly-4.6-10.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
scponly-4.6-10.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-1728
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-1743