Date: Thu, 10 Jan 2013 22:17:12 +1100 (AEDT) From: John Marshall <john.marshall@riverwillow.com.au> To: FreeBSD-gnats-submit@freebsd.org Subject: ports/175176: [PATCH] shells/rssh Add support for rsync 3 Message-ID: <201301101117.r0ABHC3k023876@rwsrv04.mby.riverwillow.net.au> Resent-Message-ID: <201301101140.r0ABe2qc004011@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 175176 >Category: ports >Synopsis: [PATCH] shells/rssh Add support for rsync 3 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Thu Jan 10 11:40:01 UTC 2013 >Closed-Date: >Last-Modified: >Originator: John Marshall >Release: FreeBSD 8.3-RELEASE i386 >Organization: Riverwillow Pty Ltd >Environment: System: FreeBSD rwsrv04.mby.riverwillow.net.au 8.3-RELEASE FreeBSD 8.3-RELEASE #0: Mon Apr 9 08:00:23 AEST 2012 root@rwsrv04.mby.riverwillow.net.au:/build/obj/build/src/sys/RWSRV04 i386 >Description: rssh does not support rsync version 3. See Derek Martin's comments (6 and 10) in this Fedora bug report: https://bugzilla.redhat.com/show_bug.cgi?id=485946 Comments 8 and 12 in that Fedora bug report suggest use of a Debian patch. That Debian patch has been updated to address the CVE-2012-2251 issue, http://www.debian.org/security/2012/dsa-2578 https://bugzilla.redhat.com/show_bug.cgi?id=880177 and is available as the "fixes/rsync-protocol.diff" patch in the Debian rssh 2.3.4-1 patch set: http://patch-tracker.debian.org/package/rssh/2.3.4-1 I have provided a copy of the rssh 2.3.4-1 Debian patch to the rssh 2.3.4 util.c as an optional patch file for this port, understanding that not everybody will want to taint rssh with the patch. >How-To-Repeat: rsync, using a current (version 3) version of rsync, to an account on a remote host configured to use /usr/local/bin/rssh and permitted to use rsync. thishost$ rsync thathost: illegal insecure e option This account is restricted by rssh. Allowed commands: sftp rsync If you believe this is in error, please contact your system administrator. rsync: connection unexpectedly closed (0 bytes received so far) [Receiver] rsync error: error in rsync protocol data stream (code 12) at io.c(605) [Receiver=3.0.9] >Fix: The attached patch: - Modifies Makefile - Add RSYNC3 option - Apply Debian patch if RSYNC3 option selected - (portlint) Update Makefile header lines - Add LICENSE - Adds files/optional-patch-util.c Tested on 8.3-RELEASE (i386 and amd64) --- rssh_2.3.4.diff begins here --- Index: shells/rssh/Makefile =================================================================== --- shells/rssh/Makefile (revision 310171) +++ shells/rssh/Makefile (working copy) @@ -1,25 +1,26 @@ -# New ports collection makefile for: rssh -# Date created: Fri Apr 16 02:04:33 CEST 2004 -# Whom: enigmatyc -# +# Created by: enigmatyc # $FreeBSD$ -# PORTNAME= rssh PORTVERSION= 2.3.4 +PORTREVISION= 1 CATEGORIES= shells security MASTER_SITES= SF MAINTAINER= pav@FreeBSD.org COMMENT= Restricted Secure SHell only for sftp or/and scp +LICENSE= BSD +LICENSE_FILE= ${WRKSRC}/LICENSE + GNU_CONFIGURE= yes MAN1= rssh.1 MAN5= rssh.conf.5 -OPTIONS_DEFINE= RDIST +OPTIONS_DEFINE= RDIST RSYNC3 RDIST_DESC= rdist support +RSYNC3_DESC= Add support for rsync 3 (Debian patch) .include <bsd.port.options.mk> @@ -28,6 +29,10 @@ CONFIGURE_ARGS+=--with-rdist=${LOCALBASE}/bin/rdist6 .endif +.if ${PORT_OPTIONS:MRSYNC3} +EXTRA_PATCHES= ${FILESDIR}/optional-patch-util.c +.endif + post-patch: @${REINPLACE_CMD} -E -e 's,(\$$\(DESTDIR\)\$$\(sysconfdir\)/\$$\$$f),\1.dist,g' \ ${WRKSRC}/Makefile.in Index: shells/rssh/files/optional-patch-util.c =================================================================== --- shells/rssh/files/optional-patch-util.c (revision 0) +++ shells/rssh/files/optional-patch-util.c (working copy) @@ -0,0 +1,103 @@ +--- util.c.orig 2012-11-27 12:14:49.000000000 +1100 ++++ util.c 2013-01-09 17:52:54.000000000 +1100 +@@ -56,6 +56,7 @@ + #ifdef HAVE_LIBGEN_H + #include <libgen.h> + #endif /* HAVE_LIBGEN_H */ ++#include <regex.h> + + /* LOCAL INCLUDES */ + #include "pathnames.h" +@@ -198,6 +199,73 @@ + + + /* ++ * rsync_e_okay() - take the command line passed to rssh and look for an -e ++ * option. If one is found, make sure --server is provided ++ * and the option contains only the protocol information. ++ * Also check for and reject any --rsh option. Returns FALSE ++ * if the command line should not be allowed, TRUE if it is ++ * okay. ++ */ ++static int rsync_e_okay( char **vec ) ++{ ++ regex_t re; ++ int server = FALSE; ++ int e_found = FALSE; ++ ++ /* ++ * rsync will send -e, followed by either just "." (meaning no special ++ * protocol) or "N.N" (meaning a pre-release protocol version), ++ * followed by some number of alphabetic flags indicating various ++ * supported options. There may be other options between - and the e, ++ * but -e will always be the last option in the string. A typical ++ * option passed by the client is "-ltpre.iL". ++ * ++ * Note that if --server is given, this should never be parsed as a ++ * shell, but we'll tightly verify it anyway, just in case. ++ * ++ * This regex matches the acceptable flags containing -e, so if it ++ * does not match, the command line should be rejected. ++ */ ++ static const char pattern[] ++ = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$"; ++ ++ /* ++ * Only recognize --server if it's the first option. rsync itself ++ * always passes it that way, and if it's not the first argument, it ++ * could be hidden from the server as an argument to some other ++ * option. ++ */ ++ if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){ ++ server = TRUE; ++ } ++ ++ /* Check the remaining options for -e or --rsh. */ ++ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){ ++ return FALSE; ++ } ++ while (vec && *vec){ ++ if ( strcmp(*vec, "--") == 0 ) break; ++ if ( strcmp(*vec, "--rsh") == 0 ++ || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){ ++ regfree(&re); ++ return FALSE; ++ } ++ if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){ ++ e_found = TRUE; ++ if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){ ++ regfree(&re); ++ return FALSE; ++ } ++ } ++ vec++; ++ } ++ regfree(&re); ++ if ( e_found && !server ) return FALSE; ++ return TRUE; ++} ++ ++ ++/* + * check_command_line() - take the command line passed to rssh, and verify + * that the specified command is one the user is + * allowed to run and validate the arguments. Return the +@@ -230,14 +298,10 @@ + + if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){ + /* filter -e option */ +- if ( opt_filter(cl, 'e') ) return NULL; +- while (cl && *cl){ +- if ( strstr(*cl, "--rsh" ) ){ +- fprintf(stderr, "\ninsecure --rsh= not allowed."); +- log_msg("insecure --rsh option in rsync command line!"); +- return NULL; +- } +- cl++; ++ if ( !rsync_e_okay(cl) ){ ++ fprintf(stderr, "\ninsecure -e or --rsh option not allowed."); ++ log_msg("insecure -e or --rsh option in rsync command line!"); ++ return NULL; + } + return PATH_RSYNC; + } --- rssh_2.3.4.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201301101117.r0ABHC3k023876>