ports/175176: [PATCH] shells/rssh Add support for rsync 3

John Marshall john.marshall at riverwillow.com.au
Thu Jan 10 11:40:02 UTC 2013 

>Number:         175176
>Category:       ports
>Synopsis:       [PATCH] shells/rssh Add support for rsync 3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 10 11:40:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     John Marshall
>Release:        FreeBSD 8.3-RELEASE i386
>Organization:
Riverwillow Pty Ltd
>Environment:
System: FreeBSD rwsrv04.mby.riverwillow.net.au 8.3-RELEASE FreeBSD 8.3-RELEASE #0: Mon Apr 9 08:00:23 AEST 2012 root at rwsrv04.mby.riverwillow.net.au:/build/obj/build/src/sys/RWSRV04 i386


	
>Description:

rssh does not support rsync version 3.  See Derek Martin's comments (6
and 10) in this Fedora bug report:

 https://bugzilla.redhat.com/show_bug.cgi?id=485946

Comments 8 and 12 in that Fedora bug report suggest use of a Debian
patch.  That Debian patch has been updated to address the CVE-2012-2251
issue,

 http://www.debian.org/security/2012/dsa-2578
 https://bugzilla.redhat.com/show_bug.cgi?id=880177

and is available as the "fixes/rsync-protocol.diff" patch in the Debian
rssh 2.3.4-1 patch set:

 http://patch-tracker.debian.org/package/rssh/2.3.4-1

I have provided a copy of the rssh 2.3.4-1 Debian patch to the rssh
2.3.4 util.c as an optional patch file for this port, understanding that
not everybody will want to taint rssh with the patch.

>How-To-Repeat:

rsync, using a current (version 3) version of rsync, to an account on a
remote host configured to use /usr/local/bin/rssh and permitted to use
rsync.

 thishost$ rsync thathost:

 illegal insecure e option
 This account is restricted by rssh.
 Allowed commands: sftp rsync

 If you believe this is in error, please contact your system administrator.

 rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
 rsync error: error in rsync protocol data stream (code 12) at io.c(605) [Receiver=3.0.9]

>Fix:

The attached patch:

 - Modifies Makefile
   - Add RSYNC3 option
   - Apply Debian patch if RSYNC3 option selected
   - (portlint) Update Makefile header lines
   - Add LICENSE

 - Adds files/optional-patch-util.c

Tested on 8.3-RELEASE (i386 and amd64)

--- rssh_2.3.4.diff begins here ---
Index: shells/rssh/Makefile
===================================================================
--- shells/rssh/Makefile	(revision 310171)
+++ shells/rssh/Makefile	(working copy)
@@ -1,25 +1,26 @@
-# New ports collection makefile for:	rssh
-# Date created:				Fri Apr 16 02:04:33 CEST 2004
-# Whom:					enigmatyc
-#
+# Created by: enigmatyc
 # $FreeBSD$
-#
 
 PORTNAME=	rssh
 PORTVERSION=	2.3.4
+PORTREVISION=	1
 CATEGORIES=	shells security
 MASTER_SITES=	SF
 
 MAINTAINER=	pav at FreeBSD.org
 COMMENT=	Restricted Secure SHell only for sftp or/and scp
 
+LICENSE=	BSD
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
 GNU_CONFIGURE=	yes
 
 MAN1=		rssh.1
 MAN5=		rssh.conf.5
 
-OPTIONS_DEFINE=	RDIST
+OPTIONS_DEFINE=	RDIST RSYNC3
 RDIST_DESC=	rdist support
+RSYNC3_DESC=	Add support for rsync 3 (Debian patch)
 
 .include <bsd.port.options.mk>
 
@@ -28,6 +29,10 @@
 CONFIGURE_ARGS+=--with-rdist=${LOCALBASE}/bin/rdist6
 .endif
 
+.if ${PORT_OPTIONS:MRSYNC3}
+EXTRA_PATCHES=	${FILESDIR}/optional-patch-util.c
+.endif
+
 post-patch:
 	@${REINPLACE_CMD} -E -e 's,(\$$\(DESTDIR\)\$$\(sysconfdir\)/\$$\$$f),\1.dist,g' \
 		${WRKSRC}/Makefile.in
Index: shells/rssh/files/optional-patch-util.c
===================================================================
--- shells/rssh/files/optional-patch-util.c	(revision 0)
+++ shells/rssh/files/optional-patch-util.c	(working copy)
@@ -0,0 +1,103 @@
+--- util.c.orig	2012-11-27 12:14:49.000000000 +1100
++++ util.c	2013-01-09 17:52:54.000000000 +1100
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif /* HAVE_LIBGEN_H */
++#include <regex.h>
+ 
+ /* LOCAL INCLUDES */
+ #include "pathnames.h"
+@@ -198,6 +199,73 @@
+ 
+ 
+ /*
++ * rsync_e_okay() - take the command line passed to rssh and look for an -e
++ *		    option.  If one is found, make sure --server is provided
++ *		    and the option contains only the protocol information.
++ *		    Also check for and reject any --rsh option.	 Returns FALSE
++ *		    if the command line should not be allowed, TRUE if it is
++ *		    okay.
++ */
++static int rsync_e_okay( char **vec )
++{
++	regex_t	re;
++	int	server = FALSE;
++	int	e_found = FALSE;
++
++	/*
++	 * rsync will send -e, followed by either just "." (meaning no special
++	 * protocol) or "N.N" (meaning a pre-release protocol version),
++	 * followed by some number of alphabetic flags indicating various
++	 * supported options.  There may be other options between - and the e,
++	 * but -e will always be the last option in the string.	 A typical
++	 * option passed by the client is "-ltpre.iL".
++	 *
++	 * Note that if --server is given, this should never be parsed as a
++	 * shell, but we'll tightly verify it anyway, just in case.
++	 *
++	 * This regex matches the acceptable flags containing -e, so if it
++	 * does not match, the command line should be rejected.
++	 */
++	static const char pattern[]
++	    = "^-[a-df-zA-Z]*e[0-9]*\\.[0-9]*[a-zA-Z]*$";
++
++	/*
++	 * Only recognize --server if it's the first option.  rsync itself
++	 * always passes it that way, and if it's not the first argument, it
++	 * could be hidden from the server as an argument to some other
++	 * option.
++	 */
++	if ( vec && vec[0] && vec[1] && strcmp(vec[1], "--server") == 0 ){
++		server = TRUE;
++	}
++
++	/* Check the remaining options for -e or --rsh. */
++	if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
++		return FALSE;
++	}
++	while (vec && *vec){
++		if ( strcmp(*vec, "--") == 0 ) break;
++		if ( strcmp(*vec, "--rsh") == 0
++		     || strncmp(*vec, "--rsh=", strlen("--rsh=")) == 0 ){
++			regfree(&re);
++			return FALSE;
++		}
++		if ( strncmp(*vec, "--", 2) != 0 && opt_exist(*vec, 'e') ){
++			e_found = TRUE;
++			if ( regexec(&re, *vec, 0, NULL, 0) != 0 ){
++				regfree(&re);
++				return FALSE;
++			}
++		}
++		vec++;
++	}
++	regfree(&re);
++	if ( e_found && !server ) return FALSE;
++	return TRUE;
++}
++
++
++/*
+  * check_command_line() - take the command line passed to rssh, and verify
+  *			  that the specified command is one the user is
+  *			  allowed to run and validate the arguments.  Return the
+@@ -230,14 +298,10 @@
+ 
+ 	if ( check_command(*cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ 		/* filter -e option */
+-		if ( opt_filter(cl, 'e') ) return NULL;
+-		while (cl && *cl){
+-			if ( strstr(*cl, "--rsh" ) ){
+-				fprintf(stderr, "\ninsecure --rsh= not allowed.");
+-				log_msg("insecure --rsh option in rsync command line!");
+-				return NULL;
+-			}
+-			cl++;
++		if ( !rsync_e_okay(cl) ){
++			fprintf(stderr, "\ninsecure -e or --rsh option not allowed.");
++			log_msg("insecure -e or --rsh option in rsync command line!");
++			return NULL;
+ 		}
+ 		return PATH_RSYNC;
+ 	}
--- rssh_2.3.4.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list