Skip to content

Commit 97e02bf

Browse files
committed
Some "use chroot" improvements.
- The sanitize_paths variable was set too often. It only needs to be set when the "inner" path is not "/". This change avoids sanitizing & munging things for a path=/ module just because chroot is off. - The default for "use chroot" is now "unset" instead of "true". When unset it checks if chrooting works, and if not, it proceeds with a sanitized copy instead of totally failing to work. This makes it easier to setup a non-root rsync daemon, for instance. It will have no effect on a typical Linux root-run daemon where the default will continue to use chroot (because chrooting works). A config file can explicitly set "use chroot = true | false" to force the choice. - Try to improve the "use chroot" manpage.
1 parent 77d762c commit 97e02bf

File tree

4 files changed

+84
-41
lines changed

4 files changed

+84
-41
lines changed

NEWS.md

+13
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,9 @@
88

99
- When rsync gets an unpack error on an ACL, mention the filename.
1010

11+
- Avoid oversetting sanitize_paths when a daemon is serving "/" (even if
12+
"use chroot" is false).
13+
1114
### ENHANCEMENTS:
1215

1316
- Added negotiated daemon-auth support that allows a stronger checksum digest
@@ -32,6 +35,11 @@
3235
converted. Newer rsync versions will provide more complete info than older
3336
versions.
3437

38+
- The [`use chroot`](#rsyncd.conf) daemon parameter now defaults to "unset" so
39+
that rsync can test if chrooting works and decide to proceed with a sanitized
40+
copy if chroot is not supported (e.g., for a non-root daemon). Explicitly
41+
setting it to true or false (on or off) behaves the same way as before.
42+
3543
### PACKAGING RELATED:
3644

3745
- The checksum code now uses openssl's EVP methods, which gets rid of various
@@ -49,6 +57,11 @@
4957
configured path in the OPENSSL_CONF environment variable (when the variable
5058
is not already set). This will enable openssl's MD4 code for rsync to use.
5159

60+
- The packager may wish to include an explicit "use chroot = true" in the top
61+
section of the /etc/rsyncd.conf file if the daemon is being installed to run
62+
as the root user (though rsync should behave the same even with the value
63+
unset, a little extra paranoia doesn't hurt).
64+
5265
------------------------------------------------------------------------------
5366

5467
# NEWS for rsync 3.2.6 (9 Sep 2022)

clientserver.c

+23-17
Original file line numberDiff line numberDiff line change
@@ -701,7 +701,7 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
701701
int set_uid;
702702
char *p, *err_msg = NULL;
703703
char *name = lp_name(i);
704-
int use_chroot = lp_use_chroot(i);
704+
int use_chroot = lp_use_chroot(i); /* might be 1 (yes), 0 (no), or -1 (unset) */
705705
int ret, pre_exec_arg_fd = -1, pre_exec_error_fd = -1;
706706
int save_munge_symlinks;
707707
pid_t pre_exec_pid = 0;
@@ -826,6 +826,20 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
826826
io_printf(f_out, "@ERROR: no path setting.\n");
827827
return -1;
828828
}
829+
if (use_chroot < 0) {
830+
if (strstr(module_dir, "/./") != NULL)
831+
use_chroot = 1; /* The module is expecting a chroot inner & outer path. */
832+
else if (chroot("/") < 0) {
833+
rprintf(FLOG, "chroot test failed: %s. "
834+
"Switching 'use chroot' from unset to no.\n",
835+
strerror(errno));
836+
use_chroot = 0;
837+
} else {
838+
if (chdir("/") < 0)
839+
rsyserr(FLOG, errno, "chdir(\"/\") failed");
840+
use_chroot = 1;
841+
}
842+
}
829843
if (use_chroot) {
830844
if ((p = strstr(module_dir, "/./")) != NULL) {
831845
*p = '\0'; /* Temporary... */
@@ -962,20 +976,8 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
962976
}
963977

964978
if (use_chroot) {
965-
/*
966-
* XXX: The 'use chroot' flag is a fairly reliable
967-
* source of confusion, because it fails under two
968-
* important circumstances: running as non-root,
969-
* running on Win32 (or possibly others). On the
970-
* other hand, if you are running as root, then it
971-
* might be better to always use chroot.
972-
*
973-
* So, perhaps if we can't chroot we should just issue
974-
* a warning, unless a "require chroot" flag is set,
975-
* in which case we fail.
976-
*/
977979
if (chroot(module_chdir)) {
978-
rsyserr(FLOG, errno, "chroot %s failed", module_chdir);
980+
rsyserr(FLOG, errno, "chroot(\"%s\") failed", module_chdir);
979981
io_printf(f_out, "@ERROR: chroot failed\n");
980982
return -1;
981983
}
@@ -984,7 +986,7 @@ static int rsync_module(int f_in, int f_out, int i, const char *addr, const char
984986

985987
if (!change_dir(module_chdir, CD_NORMAL))
986988
return path_failure(f_out, module_chdir, True);
987-
if (module_dirlen || (!use_chroot && !*lp_daemon_chroot()))
989+
if (module_dirlen)
988990
sanitize_paths = 1;
989991

990992
if ((munge_symlinks = lp_munge_symlinks(module_id)) < 0)
@@ -1299,8 +1301,12 @@ int start_daemon(int f_in, int f_out)
12991301
p = lp_daemon_chroot();
13001302
if (*p) {
13011303
log_init(0); /* Make use we've initialized syslog before chrooting. */
1302-
if (chroot(p) < 0 || chdir("/") < 0) {
1303-
rsyserr(FLOG, errno, "daemon chroot %s failed", p);
1304+
if (chroot(p) < 0) {
1305+
rsyserr(FLOG, errno, "daemon chroot(\"%s\") failed", p);
1306+
return -1;
1307+
}
1308+
if (chdir("/") < 0) {
1309+
rsyserr(FLOG, errno, "daemon chdir(\"/\") failed");
13041310
return -1;
13051311
}
13061312
}

daemon-parm.txt

+1-1
Original file line numberDiff line numberDiff line change
@@ -60,9 +60,9 @@ BOOL read_only True
6060
BOOL reverse_lookup True
6161
BOOL strict_modes True
6262
BOOL transfer_logging False
63-
BOOL use_chroot True
6463
BOOL write_only False
6564

6665
BOOL3 munge_symlinks Unset
6766
BOOL3 numeric_ids Unset
6867
BOOL3 open_noatime Unset
68+
BOOL3 use_chroot Unset

rsyncd.conf.5.md

+47-23
Original file line numberDiff line numberDiff line change
@@ -164,6 +164,16 @@ the values of parameters. See the GLOBAL PARAMETERS section for more details.
164164
available in this module. You must specify this parameter for each module
165165
in `rsyncd.conf`.
166166

167+
If the value contains a "/./" element then the path will be divided at that
168+
point into a chroot dir and an inner-chroot subdir. If [`use chroot`](#)
169+
is set to false, though, the extraneous dot dir is just cleaned out of the
170+
path. An example of this idiom is:
171+
172+
> path = /var/rsync/./module1
173+
174+
This will (when chrooting) chroot to "/var/rsync" and set the inside-chroot
175+
path to "/module1".
176+
167177
You may base the path's value off of an environment variable by surrounding
168178
the variable name with percent signs. You can even reference a variable
169179
that is set by rsync when the user connects. For example, this would use
@@ -187,29 +197,43 @@ the values of parameters. See the GLOBAL PARAMETERS section for more details.
187197
path, and of complicating the preservation of users and groups by name (see
188198
below).
189199

190-
As an additional safety feature, you can specify a dot-dir in the module's
191-
"[path](#)" to indicate the point where the chroot should occur. This allows
192-
rsync to run in a chroot with a non-"/" path for the top of the transfer
193-
hierarchy. Doing this guards against unintended library loading (since
194-
those absolute paths will not be inside the transfer hierarchy unless you
195-
have used an unwise pathname), and lets you setup libraries for the chroot
196-
that are outside of the transfer. For example, specifying
197-
"/var/rsync/./module1" will chroot to the "/var/rsync" directory and set
198-
the inside-chroot path to "/module1". If you had omitted the dot-dir, the
199-
chroot would have used the whole path, and the inside-chroot path would
200-
have been "/".
201-
202-
When both "use chroot" and "[daemon chroot](#)" are false, OR the inside-chroot
203-
path of "use chroot" is not "/", rsync will: (1) munge symlinks by default
204-
for security reasons (see "[munge symlinks](#)" for a way to turn this off, but
205-
only if you trust your users), (2) substitute leading slashes in absolute
206-
paths with the module's path (so that options such as `--backup-dir`,
207-
`--compare-dest`, etc. interpret an absolute path as rooted in the module's
208-
"[path](#)" dir), and (3) trim ".." path elements from args if rsync believes
209-
they would escape the module hierarchy. The default for "use chroot" is
210-
true, and is the safer choice (especially if the module is not read-only).
211-
212-
When this parameter is enabled *and* the "[name converter](#)" parameter is
200+
If `use chroot` is not set, it defaults to trying to enable a chroot but
201+
allows the daemon to continue (after logging a warning) if it fails. The
202+
one exception to this is when a module's [`path`](#) has a "/./" chroot
203+
divider in it -- this causes an unset value to be treated as true for that
204+
module.
205+
206+
Prior to rsync 3.2.7, the default value was "true". The new default makes
207+
it easier to setup an rsync daemon as a non-root user or to run a daemon on
208+
a system where chroot fails. Explicitly setting the value to true in the
209+
rsyncd.conf file will always require the chroot to succeed.
210+
211+
It is also possible to specify a dot-dir in the module's "[path](#)" to
212+
indicate that you want to chdir to the earlier part of the path and then
213+
serve files from inside the latter part of the path (with default
214+
sanitizing and symlink munging). This can be useful if you need some
215+
library dirs inside the chroot (typically for uid & gid lookups) but don't
216+
want to put the lib dir into the top of the served path (even though they
217+
can be hidden with an [`exclude`](#) directive). However, a better choice
218+
for a modern rsync setup is to use a [`name converter`](#)" and try to
219+
avoid inner lib dirs altogether. See also the [`daemon chroot`](#)
220+
parameter, which causes rsync to chroot into its own chroot area before
221+
doing any path-related chrooting.
222+
223+
If the daemon is serving the "/" dir (either directly or due to being
224+
chrooted to the module's path), rsync does not do any extra path sanitizing
225+
or (default) munging. When it has to limit access to a particular subdir
226+
(either due to chroot being disabled or having an inside-chroot path set),
227+
rsync will munge symlinks (by default) and sanitize paths. Those that
228+
dislike munged symlinks (and really, really trust their users to not break
229+
out of the subdir) can disable the symlink munging via the "[munge
230+
symlinks](#)" parameter. Sanitizing paths trims ".." path elements from
231+
args that rsync believes would escape the module hierarchy, and also
232+
substitutes leading slashes in absolute paths with the module's path (so
233+
that options such as `--backup-dir` & `--compare-dest` interpret an
234+
absolute path as rooted in the module's "[path](#)" dir).
235+
236+
When a chroot is in effect *and* the "[name converter](#)" parameter is
213237
*not* set, the "[numeric ids](#)" parameter will default to being enabled
214238
(disabling name lookups). This means that if you manually setup
215239
name-lookup libraries in your chroot (instead of using a name converter)

0 commit comments

Comments
 (0)