Please sign in to comment.
tighten up security for rsync
Nick Cleaton (firstname.lastname@example.org) found and reported a security issue caused by trusting the remote rsync too much. It appears that rsync cannot -- without special precautions -- be used in any "restricted" environment. Gitolite ships with a "bundle helper" called "rsync" (disabled by default; more details below). This fix tightens up this helper to close this hole. TLDR for administrators and packagers: 1. Am I affected? Look in ~/.gitolite.rc for "rsync"; if it is there, you are affected. This is NOT an essential program, and it is not enabled by default. You (or a previous administrator of your site) would have to have explicitly enabled it for you to be affected. 2. What's the quick fix? Comment out the "rsync" line in ~/.gitolite.rc IMMEDIATELY. DO NOT LEAVE IT ENABLED IF YOU ARE UNABLE TO UPGRADE IMMEDIATELY! Uncomment it only after you have upgraded or patched. 3. That bad, huh? Sadly, yes :( DETAILS: This program is not a core program. Despite the name, it will not function as a generic "rsync". This is *only* meant to help out people who are on flaky connections, trying to clone a large repo. Because git clone is not resumable, one common technique is to have someone create a "bundle", then download the bundle to seed the local repo, then "git fetch" to finish off. Since the bundle is a single file, you can use resumable mechanisms (like rsync) to download it. What this command does is allow that kind of bundling to happen automatically, if an administrator enables it. The user simply rsyncs a bundle file using his gitolite credentials. As a result, the rsync helper command that ships with gitolite is executed. This program manages the creation and expiry of bundle files, then passes control to the *real* rsync program to perform the actual data transfer. It is this last step that requires special care when used in a restricted environment, resulting in the need for this patch.
- Loading branch information...