Bug 485946 - rssh doesn't accept rsync
Summary: rssh doesn't accept rsync
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rssh
Version: 10
Hardware: x86_64
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Rahul Sundaram
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 878113
 
Reported: 2009-02-17 16:16 UTC by Patrick Pichon
Modified: 2013-03-13 05:44 UTC (History)

Fixed In Version: rssh-2.3.3-2.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 878113 (view as bug list)
Environment:
Last Closed: 2012-02-24 23:38:30 UTC
Type: ---
Embargoed:


Attachments
quick patch to fix the rsync problem (1.25 KB, patch)
2009-02-17 18:33 UTC, Lyonel Vincent

Description Patrick Pichon 2009-02-17 16:16:30 UTC
Description of problem:
rssh doesn't allow rsync to work when using "ssh on an alternate port" even if rsync is authorized in the rssh configuration file.

Version-Release number of selected component (if applicable):
rssh 2.3.1

How reproducible:
see the steps here after

Steps to Reproduce:
1. configure a test user
2. configure rssh on your system. edit /etc/rssh.conf and add user=test:011:10011:
3. enable that user to ssh (if you have put restriction).
4. enable sshd to listen on an alternate port ( like 2522 ) - restart sshd
5. create a file named dummy2transfert
6. rsync -a -r -v -e 'ssh -p 2522' ./dummy2transfert  test@localhost:/tmp




Actual results:
Nothing is transferred and you get the following error message:
insecure -e option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp rsync

If you believe this is in error, please contact your system administrator.

rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.5]

Expected results:
rsync is done and the file dummy2transfert is copied to /tmp

Additional info:
Extract from /var/log/secure

Feb 17 16:51:25 100-souci sshd[29633]: Accepted password for test from 127.0.0.1 port 59128 ssh2
Feb 17 16:51:25 100-souci sshd[29633]: pam_unix(sshd:session): session opened for user test by (uid=0)
Feb 17 16:51:25 100-souci sshd[29633]: pam_unix(sshd:session): session closed for user test


Extract from /var/log/messages
Feb 17 16:50:16 100-souci rssh[29626]: setting log facility to LOG_USER
Feb 17 16:50:16 100-souci rssh[29626]: setting umask to 022
Feb 17 16:50:16 100-souci rssh[29626]: line 52: configuring user test
Feb 17 16:50:16 100-souci rssh[29626]: setting test's umask to 011
Feb 17 16:50:16 100-souci rssh[29626]: allowing scp to user test
Feb 17 16:50:16 100-souci rssh[29626]: allowing sftp to user test
Feb 17 16:50:16 100-souci rssh[29626]: allowing rsync to user test
Feb 17 16:50:16 100-souci rssh[29626]: insecure -e option in rdist command line!
Feb 17 16:50:16 100-souci rssh[29626]: user test attempted to execute forbidden commands
Feb 17 16:50:16 100-souci rssh[29626]: command: rsync --server -vlogDtpre.iLs . /tmp

Comment 1 Patrick Pichon 2009-02-17 16:37:54 UTC
I did further investigations, and even without using an alternate port the problem is there.


%rsync -a -r -v ./readme  pichon@localhost:/tmp
pichon@localhost's password: 

insecure -e option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp cvs rdist rsync

If you believe this is in error, please contact your system administrator.

rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [sender=3.0.5]


Few remarks:
- The error message reports 'rdist' where I use the 'rsync' command
- it reports an insecure "-e option not allowed" where I have used only "-a -r -v"

Comment 2 Rahul Sundaram 2009-02-17 18:05:28 UTC
Would you mind reporting the problem directly upstream?

https://lists.sourceforge.net/lists/listinfo/rssh-discuss

We don't carry any patches so it is unlikely to be a Fedora specific issue.

Comment 3 Lyonel Vincent 2009-02-17 18:33:16 UTC
Created attachment 332270
quick patch to fix the rsync problem

Comment 4 Lyonel Vincent 2009-02-17 19:22:41 UTC
There doesn't seem to be much upstream development (source code is very old), despite active mailing lists.

Comment 5 Rahul Sundaram 2009-02-17 19:40:20 UTC
True to some extent. The primary developer is still responsive to issues and has shown interest in reviewing patches in the past so I am still in favour of discussing this issue in the upstream mailing list rather than just patch something in Fedora. This is especially the case here since it is a security sensitive software.

Also since you seem interested enough to write a patch, you might consider being a co-maintainer of this package in Fedora. 

http://fedoraproject.org/wiki/PackageMaintainers/Join

Drop me a mail if you need further details.

Comment 6 Derek Martin 2009-02-18 14:31:42 UTC
Hi Rahul...  Mainly these days I concern myself with security-related issues.  I'm not really working on rssh, and I'm not really accepting patches except for non-trivial security holes.  For mainly that reason, but also because I think it was irresponsible for the rsync maintainers to overload an option which was intended to allow execution of arbitrary programs to also send protocol information, I won't be adding any patches related to supporting rsync 3.  That said, I do see the value in doing so, so if you feel it is appropriate by all means add the patch.

Comment 7 Rahul Sundaram 2009-02-18 19:54:18 UTC
Thanks for the feedback. Appreciate it. Can you quick look at the patch and confirm it is ok? I will be willing to add it as a downstream patch then.

Comment 8 Lyonel Vincent 2009-02-18 21:09:48 UTC
Hi Rahul,

Maybe we can just use the same patch as Debian; it looks more generic (and probably more tested)...

http://patch-tracking.debian.net/patch/series/view/rssh/2.3.2-8/rsync-protocol

Comment 9 Rahul Sundaram 2009-02-18 21:21:10 UTC
Yeah, rssh was primarily imported for OLPC and I think, they wanted the patch too. I will be offline till Monday but I will try to coordinate and get this done asap. Thanks.

Comment 10 Derek Martin 2009-02-20 01:27:32 UTC
(In reply to comment #7)
> Thanks for the feedback. Appreciate it. Can you quick look at the patch and
> confirm it is ok? I will be willing to add it as a downstream patch then.

To be honest, I really don't want to. :)  That's the main reason I've all but abandoned the project...  It's not dead exactly, but I'm only interested in fixing serious security issues.  Aside from that, I really don't want to spend any time on this thing.  I'd be rather happy if someone who cared would take over maintenance of it, in fact, so people will stop bothering me about it... ;-)  

While I may have exaggerated the grossness of the rsync maintainers' decision to overload command-line options in my last response, I do think it's gross, tainting an otherwise excellent piece of software.  And I think people's time would be more appropriately (though likely more futilely) spent convincing them to fix their backward-compatibility problem a different way that's less gross.  It's worth pointing out that rssh is not the only program that rejects command lines that contain unapproved strings in an effort to enforce security (sudo, ssh, other restricted shells, and other programs have features that do this too).  In sending protocol information with -e (both harmless and now necessary),  overloading an option whose original purpose was to allow arbitrary execution of programs (neither harmless nor necessary), they've exercised poor judgment and made things more difficult for sysadmins who have a need to try to secure the use of their tool.
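
The distinction Comment 10 draws, between `-e` naming a program to execute and `-e` carrying protocol information as in the logged command `rsync --server -vlogDtpre.iLs . /tmp`, can be checked on the argument vector. The C code below is an added example, not the attached patch, the Debian patch or rssh's own code; the function names and the accepted shape of the protocol string (`e`, optional digits, `.`, optional digits, letters) are assumptions drawn from that logged command.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the first 'e' in a bundled short-option argument is followed
 * only by digits, ".", digits, letters (or there is no 'e'); otherwise 0. */
static int e_is_protocol_info(const char *arg)
{
    const char *p = strchr(arg, 'e');
    if (p == NULL)
        return 1;
    p++;
    while (isdigit((unsigned char)*p)) p++;  /* optional protocol version */
    if (*p != '.')
        return 0;        /* "-e" alone or "-essh": argument is a command */
    p++;
    while (isdigit((unsigned char)*p)) p++;  /* optional sub-version */
    while (isalpha((unsigned char)*p)) p++;  /* flag letters such as iLs */
    return *p == '\0';   /* anything else (/, space, =) is rejected */
}

/* Validate the argv of a forced "rsync --server ..." command; 1 = allow. */
int rsync_server_args_ok(int argc, char *const argv[])
{
    if (argc < 2 || strcmp(argv[1], "--server") != 0)
        return 0;
    /* Scan every argument, not just those before the first path operand. */
    for (int i = 2; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0')
            continue;                        /* path operand */
        if (a[1] == '-') {                   /* long option */
            if (strncmp(a, "--rsh", 5) == 0)
                return 0;                    /* long form of -e */
            continue;
        }
        if (!e_is_protocol_info(a))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed from the command logged in /var/log/messages above. */
    char *logged[] = {"rsync", "--server", "-vlogDtpre.iLs", ".", "/tmp"};
    printf("logged command allowed: %d\n", rsync_server_args_ok(5, logged));
    return 0;
}
```

The check fails closed: a bare `-e`, `-e` followed by a program name, `--rsh=...`, or a command that does not start with `--server` is refused.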

Comment 11 Rahul Sundaram 2009-03-30 10:05:48 UTC
I think, I will not add this patch for now. If OLPC wants it, I will reconsider picking up the patch from Debian later. Thanks for all your input.

Comment 12 Rahul Sundaram 2012-02-06 22:24:14 UTC
Daniel Drake just mailed me that he needs this for OLPC and it is important for them.   I still would very much prefer if rssh upstream accepted it but that doesn't seem like it is happening but at least in this case Debian seems to have been carrying this patch for a long time already and it is known to be functional. I am reopening for now.  Daniel,  do close this as fixed when you have applied the patch.   Please follow https://fedoraproject.org/wiki/Packaging/Guidelines#All_patches_should_have_an_upstream_bug_link_or_comment and add a comment indicating the origin of the patch, link to comment #10 as well. Thanks.

Comment 13 Fedora Update System 2012-02-07 16:27:41 UTC
rssh-2.3.3-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/rssh-2.3.3-2.el6

Comment 14 Fedora Update System 2012-02-07 16:37:24 UTC
rssh-2.3.3-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/rssh-2.3.3-2.fc16

Comment 15 Fedora Update System 2012-02-07 22:11:12 UTC
Package rssh-2.3.3-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing rssh-2.3.3-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-0367/rssh-2.3.3-2.el6
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2012-02-24 23:38:30 UTC
rssh-2.3.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2012-03-06 19:25:12 UTC
rssh-2.3.3-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Jef Spaleta 2012-08-13 19:25:48 UTC
ping... this impacts EL5 as well. Would it be okay to push an EL5 update with this patch?


-jef

Comment 19 Brian Carlson 2012-09-21 23:19:05 UTC
Jef, 
Any update if an EL5 update with this patch was made available?  Does anyone know where I can get rssh-2.3.3-2.el5?

-Brian

