rssh/sme7/rssh-2.3.3-rsync-protocol.patch

As of rsync 3, rsync reused the -e option to pass protocol information
from the client to the server.  We therefore cannot reject all -e
options to rsync, only ones not sent with --server or containing
something other than protocol information as an argument.

Based on work by Robert Hardy.

Debian Bug#471803

--- rssh.orig/util.c
+++ rssh/util.c
@@ -56,6 +56,7 @@
 #ifdef HAVE_LIBGEN_H
 #include <libgen.h>
 #endif /* HAVE_LIBGEN_H */
+#include <regex.h>
 
 /* LOCAL INCLUDES */
 #include "pathnames.h"
@@ -187,6 +188,33 @@
 }
 
 /*
+ * check_rsync_e() - take the command line passed to rssh and look for a -e
+ *                   option.  If one is found, make sure --server is provided
+ *                   and the option contains only the protocol information.
+ *                   Returns 1 if the command line is safe; 0 otherwise.
+ */
+static int check_rsync_e( char *cl )
+{
+       int     status;
+       regex_t re;
+
+       /*
+        * This is more complicated than it looks because we don't want to
+        * trigger on the e in --server, but we do want to catch the common
+        * case of -ltpre.iL (which contains -e.).
+        */
+       static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
+
+       if ( strstr(cl, "--server") == NULL ) return 0;
+       if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
+               return 0;
+       }
+       status = regexec(&re, cl, 0, NULL, 0);
+       regfree(&re);
+       return (status == 0) ? 0 : 1;
+}
+
+/*
  * check_command_line() - take the command line passed to rssh, and verify
  *                       that the specified command is one the user is
  *                       allowed to run.  Return the path of the command
@@ -230,9 +258,9 @@
 
        if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
                /* filter -e option */
-               if ( opt_exist(cl, 'e') ){
+               if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
                        fprintf(stderr, "\ninsecure -e option not allowed.");
-                       log_msg("insecure -e option in rdist command line!");
+                       log_msg("insecure -e option in rsync command line!");
                        return NULL;
                }
                
1	slords	1.1	As of rsync 3, rsync reused the -e option to pass protocol information
2			from the client to the server. We therefore cannot reject all -e
3			options to rsync, only ones not sent with --server or containing
4			something other than protocol information as an argument.
5
6			Based on work by Robert Hardy.
7
8			Debian Bug#471803
9
10			--- rssh.orig/util.c
11			+++ rssh/util.c
12			@@ -56,6 +56,7 @@
13			#ifdef HAVE_LIBGEN_H
14			#include <libgen.h>
15			#endif /* HAVE_LIBGEN_H */
16			+#include <regex.h>
17
18			/* LOCAL INCLUDES */
19			#include "pathnames.h"
20			@@ -187,6 +188,33 @@
21			}
22
23			/*
24			+ * check_rsync_e() - take the command line passed to rssh and look for a -e
25			+ * option. If one is found, make sure --server is provided
26			+ * and the option contains only the protocol information.
27			+ * Returns 1 if the command line is safe; 0 otherwise.
28			+ */
29			+static int check_rsync_e( char *cl )
30			+{
31			+ int status;
32			+ regex_t re;
33			+
34			+ /*
35			+ * This is more complicated than it looks because we don't want to
36			+ * trigger on the e in --server, but we do want to catch the common
37			+ * case of -ltpre.iL (which contains -e.).
38			+ */
39			+ static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
40			+
41			+ if ( strstr(cl, "--server") == NULL ) return 0;
42			+ if ( regcomp(&re, pattern, REG_EXTENDED \| REG_NOSUB) != 0 ){
43			+ return 0;
44			+ }
45			+ status = regexec(&re, cl, 0, NULL, 0);
46			+ regfree(&re);
47			+ return (status == 0) ? 0 : 1;
48			+}
49			+
50			+/*
51			* check_command_line() - take the command line passed to rssh, and verify
52			* that the specified command is one the user is
53			* allowed to run. Return the path of the command
54			@@ -230,9 +258,9 @@
55
56			if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
57			/* filter -e option */
58			- if ( opt_exist(cl, 'e') ){
59			+ if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
60			fprintf(stderr, "\ninsecure -e option not allowed.");
61			- log_msg("insecure -e option in rdist command line!");
62			+ log_msg("insecure -e option in rsync command line!");
63			return NULL;
64			}
65