Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

rsync.permissions.txt

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

Rsync 2.3.1 fixes a security hole affecting home directory permissions during transfers.

Show more
Code
`Date: Wed, 7 Apr 1999 22:21:30 +1000  
From: Andrew Tridgell <[email protected]>  
To: [email protected]  
Subject: rsync 2.3.1 release - security fix  
  
I discovered a security hole in rsync yesterday and have released  
rsync 2.3.1 to fix it.  
  
The new version and patches against the last version are available at  
http://rsync.samba.org/ or ftp://rsync.samba.org/pub/rsync/  
  
The problem happened when all of these conditions held true:  
  
1) the source file list contains exactly one filename and that  
is the name of an empty directory  
2) the source directory name is specified on the command line  
as "somedir/" or "somedir/." or "." not as "somedir"  
3) the destination directory doesn't exist  
4) you have recursion and permission transfer enabled (the -a option  
will do this)  
5) the working directory of the receiving process is not the  
destination directory (this happens when you do remote rsync  
transfers)  
  
(the short summary is that you need to be transferring an empty  
directory into a non-existent directory)  
  
In that case (which is quite rare) the permissions from the empty  
directory in the source file list were set on the working directory of  
the receiving process. In the case of a remote rsync over rsh or ssh  
this means that the permissions on your home directory are changed to  
those of the empty directory you are transferring.  
  
This is a serious bug (and security hole) as it may change your home  
directory permissions to allow other users access to your files. A  
user can't exploit this hole deliberately to gain privileges (ie. this  
is not an "active" security hole) but a system administrator could  
easily be caught by the bug and inadvertently compromise the security  
of their system.  
  
To see if you have been hit by this bug you should look at the  
permissions on your home directory. If they are not what you expect  
then perhaps you have been bitten by this bug.  
  
The fix is to chmod your home directory back to the correct  
permissions and upgrade to rsync 2.3.1. The bug is in the receiving  
side of rsync, so it is quite safe to continue to use older anonymous  
rsync servers as long as you upgrade your client.  
  
This bug has been present in all versions of rsync. I apologize for  
any inconvenience.  
  
Tridge  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4
rsync security fixempty directory permissionsremote rsync transferdirectory access changebug exploit risk
23
.json
Report