Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 878113

Summary: rssh doesn't accept rsync
Product: [Fedora] Fedora EPEL Reporter: Jason Bradley Nance <jbnance>
Component: rsshAssignee: Xavier Bachelot <xavier>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: el5CC: brian.carlson, code, jspaleta, jvonau3, lyonel, metherid, patrick.pichon, smohan, xavier
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rssh-2.3.4-1.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 485946 Environment:
Last Closed: 2014-10-17 17:37:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 485946    
Bug Blocks:    

Description Jason Bradley Nance 2012-11-19 16:57:22 UTC
+++ This bug was initially created as a clone of Bug #485946 +++

Description of problem:
rssh doesn't allow rsync working when using "ssh on an alternate port" even if rsync is authorized in the rssh configuration file.

Version-Release number of selected component (if applicable):
rssh 2.3.1

How reproducible:
see the steps here after

Steps to Reproduce:
1. configure a test user
2. configure rssh on your system. edit /etc/rssh.conf and add user=test:011:10011:
2. enable that use to ssh (if you have put restriction).  
3. enable sshd to listen on an alternate port ( like 2522 ) - restart sshd
4. create a file name dummy2transfert
4. rsync -a -r -v -e 'ssh -p 2522' ./dummy2transfert  test@localhost:/tmp 




Actual results:
Nothing is transferred and you get the following error message:
insecure -e option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp rsync

If you believe this is in error, please contact your system administrator.

rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.5]

Expected results:
rsync is done and the the file dummy2transfert is copied to /tmp

Additional info:
Extract from /var/log/secure

Feb 17 16:51:25 100-souci sshd[29633]: Accepted password for test from 127.0.0.1 port 59128 ssh2
Feb 17 16:51:25 100-souci sshd[29633]: pam_unix(sshd:session): session opened for user test by (uid=0)
Feb 17 16:51:25 100-souci sshd[29633]: pam_unix(sshd:session): session closed for user test


Extract from /var/log/messages
Feb 17 16:50:16 100-souci rssh[29626]: setting log facility to LOG_USER
Feb 17 16:50:16 100-souci rssh[29626]: setting umask to 022
Feb 17 16:50:16 100-souci rssh[29626]: line 52: configuring user test
Feb 17 16:50:16 100-souci rssh[29626]: setting test's umask to 011
Feb 17 16:50:16 100-souci rssh[29626]: allowing scp to user test
Feb 17 16:50:16 100-souci rssh[29626]: allowing sftp to user test
Feb 17 16:50:16 100-souci rssh[29626]: allowing rsync to user test
Feb 17 16:50:16 100-souci rssh[29626]: insecure -e option in rdist command line!
Feb 17 16:50:16 100-souci rssh[29626]: user test attempted to execute forbidden commands
Feb 17 16:50:16 100-souci rssh[29626]: command: rsync --server -vlogDtpre.iLs . /tmp

--- Additional comment from Patrick Pichon on 2009-02-17 11:37:54 EST ---

I did further investigations, and even whithout using an alternate port the problem is there.


%rsync -a -r -v ./readme  pichon@localhost:/tmp
pichon@localhost's password: 

insecure -e option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp cvs rdist rsync

If you believe this is in error, please contact your system administrator.

rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.5]


Few remarks:
- The error message report 'rdist" where I use 'rsync' command
- it reports an insecure "-e option not allowed" where I have used only "-a -r -v"

--- Additional comment from Rahul Sundaram on 2009-02-17 13:05:28 EST ---

Would you mind reporting the problem directly upstream?

https://lists.sourceforge.net/lists/listinfo/rssh-discuss

We don't carry any patches so it is unlikely to be a Fedora specific issue.

--- Additional comment from Lyonel Vincent on 2009-02-17 13:33:16 EST ---

Created attachment 332270 [details]
quick patch to fix the rsync problem

--- Additional comment from Lyonel Vincent on 2009-02-17 14:22:41 EST ---

There doesn't seem to be much upstream development (source code is very old), despite active mailing lists.

--- Additional comment from Rahul Sundaram on 2009-02-17 14:40:20 EST ---

True to some extend. The primary developer is still responsive to issues and has shown interest in reviewing patches in the past so I am still in favour of discussing this issue in the upstream mailing list rather than just patch something in Fedora. This is especially the case here since it is a security sensitive software.

Also since you seem interested enough to write a patch, you might consider being a co-maintainer of this package in Fedora. 

http://fedoraproject.org/wiki/PackageMaintainers/Join

Drop me a mail if you need further details.

--- Additional comment from Derek Martin on 2009-02-18 09:31:42 EST ---

Hi Rahul...  Mainly these days I concern myself with security-related issues.  I'm not really working on rssh, and I'm not really accepting patches except for non-trivial security holes.  For mainly that reason, but also because I think it was irresponsible for the rsync maintainers to overload an option which was intended to allow execution of arbitrary programs to also send protocol information, I won't be adding any patches related to supporting rsync 3.  That said, I do see the value in doing so, so if you feel it is appropriate by all means add the patch.

--- Additional comment from Rahul Sundaram on 2009-02-18 14:54:18 EST ---

Thanks for the feedback. Appreciate it. Can you quick look at the patch and confirm it is ok? I will be willing to add it as a downstream patch then.

--- Additional comment from Lyonel Vincent on 2009-02-18 16:09:48 EST ---

Hi Rahul,

Maybe we can just use the same patch as Debian; it looks more generic (and probably more tested)...

http://patch-tracking.debian.net/patch/series/view/rssh/2.3.2-8/rsync-protocol

--- Additional comment from Rahul Sundaram on 2009-02-18 16:21:10 EST ---

Yeah, rssh was primarily imported for OLPC and I think, they wanted the patch too. I will be offline till Monday but I will try to coordinate and get this done asap.Thanks.

--- Additional comment from Derek Martin on 2009-02-19 20:27:32 EST ---

(In reply to comment #7)
> Thanks for the feedback. Appreciate it. Can you quick look at the patch and
> confirm it is ok? I will be willing to add it as a downstream patch then.

To be honest, I really don't want to. :)  That's the main reason I've all but abandoned the project...  It's not dead exactly, but I'm only interested in fixing serious security issues.  Aside from that, I really don't want to spend any time on this thing.  I'd be rather happy if someone who cared would take over maintenance of it, in fact, so people will stop bothering me about it... ;-)  

While I may have exaggerated the grossness of the rsync maintainers' decision to overload command-line options in my last response, I do think it's gross, tainting an otherwise excellent peice of software.  And I think people's time would be more appropriately (though likely more futilely) spent convincing them to fix their backward-compaitibility problem a different way that's less gross.  It's worth pointing out that rssh is not the only program that rejects command lines that contain unapproved strings in an effort to enforce security (sudo, ssh, other restricted shells, and other programs have features that do this too).  In sending protocol information with -e (both harmless and now necessary),  overloading an option whose original purpose was to allow arbitrary execution of programs (neithre harmless nor necessary), they've exercised poor judgment and made things more difficult for sysadmins who have a need to try to secure the use of their tool.

--- Additional comment from Rahul Sundaram on 2009-03-30 06:05:48 EDT ---

I think, I will not add this patch for now. If OLPC wants it, I will reconsider picking up the patch from Debian later. Thanks for all your input.

--- Additional comment from Rahul Sundaram on 2012-02-06 17:24:14 EST ---


Daniel Drake just mailed me that he needs this for OLPC and it is important for them.   I still would very much prefer if rssh upstream accepted it but that doesn't seem like it is happening but atleast in this case Debian seems to have been carrying this patch for a long time already and it is known to be functional. I am reopening for now.  Daniel,  do close this as fixed when you have applied the patch.   Please follow https://fedoraproject.org/wiki/Packaging/Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment and add a comment indicating the origin of the patch, link to comment #10 as well. Thanks.

--- Additional comment from Fedora Update System on 2012-02-07 11:27:41 EST ---

rssh-2.3.3-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rssh-2.3.3-2.el6

--- Additional comment from Fedora Update System on 2012-02-07 11:37:24 EST ---

rssh-2.3.3-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/rssh-2.3.3-2.fc16

--- Additional comment from Fedora Update System on 2012-02-07 17:11:12 EST ---

Package rssh-2.3.3-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing rssh-2.3.3-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-0367/rssh-2.3.3-2.el6
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2012-02-24 18:38:30 EST ---

rssh-2.3.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2012-03-06 14:25:12 EST ---

rssh-2.3.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from Jef Spaleta on 2012-08-13 15:25:48 EDT ---

ping... this impacts EL5 as well. Would it be okay to push an EL5 update with this patch?


-jef

--- Additional comment from Brian Carlson on 2012-09-21 19:19:05 EDT ---

Jef, 
Any update if an EL5 update with this patch was made available?  Does anyone know where I can get rssh-2.3.3-2.el5?

-Brian

Comment 1 Jason Bradley Nance 2012-11-19 16:58:31 UTC
Original bug was opened for EL6 and has been closed.  Merely need a patch/rebuild of the EL5 RPMs (same patch).

Comment 2 Fedora Update System 2014-09-30 18:22:12 UTC
rssh-2.3.4-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/rssh-2.3.4-1.el5

Comment 3 Fedora Update System 2014-10-01 17:18:34 UTC
Package rssh-2.3.4-1.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing rssh-2.3.4-1.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3041/rssh-2.3.4-1.el5
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-10-17 17:37:10 UTC
rssh-2.3.4-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.