Slashdot Mirror
New rsync Released to Fix Vulnerability
cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"
This is what got the cracker in (plus the brk kernel thing) into the Gentoo Rsync server. All fixed now tho!
Maybe I can't see the forest for the trees, but why would you NOT want to be chrooted?
Do you even lift?
These aren't the 'roids you're looking for.
...or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing.
News Flash:
rsync releases a patch and changes its name to r'sync. The change is noted to increase its name recognition in the teenybopper script kiddie market. At this point, no pimply-faced l337 d00dz will dare deface r'sync for fear that they will be further alienated by the female species.
Unfortunately, timberlake and FatOne continue to be backdoored.
Credits
-------
The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this
response:
* Timo Sirainen
* Mike Warfield
* Paul Russell
* Andrea Barisani
Regards,
The rsync team
http://lwn.net/Articles/61541/
For the LOVE OF EVERYTHING SACRED, please everyone patch every box on which you are root.
i do it the slack way.
Of course, to patch this, you should go to your local mirror, which will be down until they patch the rsync vulnerablity...
Doh!
Baby I got the Trojans
And baby I got the disease
You've got me wide open, baby
You're bringin' me to my knees.
You've found my weak spot, child
I'm running the love facility
You've wormed your way into my heart baby
You've found my vulnerability
whoa oh ohhh baby baby
I have been pwned because my
Instructions on how to update Slackware to the latest and greatest rsync are at:a re-security&y=2003&m=slackware-security.399741
http://slackware.com/security/viewer.php?l=slackw
Of course if you're running a server you should theoretically be subscribing to the security mailing list. Right?
Nobody runs rsync as a publicly accessible service anymore.
oh really?
i rsync my local copy of slacware-current from carroll.cac.psu.edu. probably half the listed servers on the slack mirrors list (many of which host many other projects besides slack) do rsync. gentoo uses rsync for portage. kernel.org supports rsync for kernel/patch transfers.. as does sourceforge.
me thinks thou should pull thine head out of thine ass before making such silly comments. for a number of read-only connections, rsync is still quite popular.
-'fester
It doesn't look like ersync is open to this particular vulnerability. Although to my knowledge that doesn't run without chroot.
The FSF Savannah server has been hacked. The statement indicates a similar attack vector as the exploit against the Debian systems. However, it had been hacked nearly a month ago and was not detected until December 1st. For those that are not familar with it, Savannah is the FSF version of Sourceforge, hosting both GNU and non-GNU Free Software projects. It has not yet been determined whether any of the projects' source code has been modified. Read the full statement for details. One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.
Using your sig line to advertise for friends is lame.
The Samba team thanks ONE, COUNT IT, ONE person from Gentoo.
The rest ARE NOT RELATED TO GENTOO.
Sheesh...way to be a zealot...
Actually you can combine steps 2 and 3, saving keystrokes:
tar xzvf
This has been possible in every OS (except windows) I've ever used (except for old versions of sunos)
I'd really like to take this opportunity to congratulate both the Gentoo devs and the rsync devs on a job well done. This is one of the many reasons why I continue to use and recommend Open Source to my friends, my boss, and my colleagues. The community simply does a first rate job of identifying and patching problems in their software. Most commercial software vendors wish they had a track record as good as most of the important open source projects out there.
;) It has put the fun back in computing for me.
Keep up the great work, guys! I'm definitely donating to the Gentoo project this Xmas
Umm.. chmod 666 doesn't make it executable, dumbass. Meanwhile 'emerge programname'.
rsync is very good for incremental updates of large files, like backups, and big dns zone files (I learned about it when setting up a slave for a dns blacklist).
BitTorrent might be worth a try too, I don't think it does incremental but should be faster than scp or ftp.
chris@xanadu:~$ whatis /.
/.: nothing appropriate.
You obviously don't understand how open source mirroring networks propagate their data. Ask the admin of your favorite mirror how he gets his stuff..
It seems obvious where the real talent in the Linux community lies today.
In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.
Wow, you mean Debian people know how to read source code? I thought they were all spoiled by using binaries all the time.
What's the point of another network protocol
Unlike ssh, rsync daemon doesn't require a user on the host system. Unlike ftp or http, rsync updates by splitting files into blocks and updating changed blocks. Unlike scp, the config file can exclude/include certain files/paths/etc. without requiring the use of filesystem permissions. (it also has password protection).
Does anyone know of a program similar to rsync
Nah, there wasn't a point to it.
If I have been able to see further than others, it is because I bought a pair of binoculars.
I hope that this will provide more incentive for Open Source programmers and Linux distributors to properly secure their releases. This entails ensuring that from the time a package leaves a maintainer to the time it reaches a user there should be no possibility of tampering.
Authors/maintainers need to generate PGP keypairs and start signing their archives. MD5 checksum distributed alongside the package does not cut it -- how are we to know the package wasn't tampered with and a fresh checksum generated? No, the only way we can really feel secure is to have authors use PGP on a regular basis to verify their work, and to integrate public key/private key into CVS in order to have submitters automatically sign their changes to the source.
Then things like the Savannah hack and the various mirror compromises will only be a black eye instead of a serious threat to the Open Source methodology.
ONE person from gentoo REPORTED it.
FOUR people NOT FROM GENTOO are the ones who actually FIXED IT.
You are the most pathetic zealot ever.
CVS and rsync are different applications with different uses.
CVS maintains a history of all revisions made to the files in the repository. It doesn't even have a means to synchronize clients without a versioned repository on the server, it relies on the server knowing all past revisions to determine which changes to send to the client.
Rsync works with plain files on the server, not RCS. if you *need* revision control, it's useless, but if you only want to be able to synchronize client files to match the files on the server, it's much better than CVS. The server saves space and complexity by not having to do revision control, and the client still gets the benfits of the server only needing to transmit the changed portions of files.
Well, Gentoo does, for one...
This calls for Standard Slashdot Response #4:
Yay! This was so fast. Even when we suck we don't suck!
SCO nametag.
Fuck Beta. Fuck Dice
For all you naysayers who always talk trash about Fedora, I run fedora and debian and fedora alerted me this morning about the problem and patched it in seconds. I updated debian too, but I usually dont update on a daily basis, usually like once a week or something, unless I see something in the news. I would have had no clue about this for about a 3 days if i hadn't read slashdot and didn't have Fedora to alert me. I personally like Debian better for other reasons, but I'm just saying dont bang on Fedora, its a damn good product.
Ooooo ... look at the namby pamby Samba zealot. Tridge would be proud of you, sir.
[DSA 404-1] New rsync packages fix unauthorised remote code execution
You might want to try Unison. It's basically a bidirectional rsync. It's GPL, but it does a great job. Much more reliable (when run over ssh, at least) than rsync and less of a hassle to train users how to get their files synchronized. I even have it working successfully in an all-Windows environment, including setting file ownership right (rsync did not do that for me when run as a daemon; SYSTEM owned all the files).
Wow, you sound like a cybersecurity super important guy!!!1
UR K00L!!!!
Last I checked, "little scrip kiddie" 's didn't exploit unknown vulnerabilities.
I think they did great. Thanks for playing though.
Of course YOU think they did great, YOU're A GENTOO ZEALOT.
DUH.
APPLE TOOK 3 MONTHS TO FIX A SPLOIT ONCE AND THE MAC PEOPLE THOUGHT THEY DID A GREAT JOB TOO!
Gentoo's server still got owned. Haw haw.
dumbass, its a refrence to the number of satan.
Nice caps. Panzy.
0. Smoke crack.
Karma: It's all a bunch of tree-huggin' hippy crap!
While Microsoft's right hand offers millions to hunt down Windows hackers, the left could easily pay Eastern European hackers to open holes in OSS. We would never know.
Actually you should get your story straight it wasn't gentoo's server that got owned. It was a third-party server that among many things provides a mirror for gentoo rsync servers. This server is administred and run by a third party which is not linked to Gentoo.
You might want to take a look at Easy Automated Snapshot-Style Backups with Linux and Rsync posted by Mike Rubel. I think this is mentioned in the book Linux Server Hacks by O'Reilly (hack #42), although I don't have the book so I'm not sure.
Basically it uses rsync and cp to create a backup, but only changed files are actually copied; unchanged files are simply linked to. This saves a lot of disk space, and allows you to keep many backups on the system at one time, assuming most of your files don't change.
Two months ago I found the problem and gave a patch to fix it. Looks like the bad guys were smarter than I thought and figured out a way to exploit it. Lesson: release fixes for even potential security holes immediately :)
I don't know why they even invented an rsync protocol. - To efficiently synchronize a large amount of data over a slow connection. The algorithm is one of the fundamental gems of computing science, and I'm suprised you don't appreciate it.
In Soviet America the banks rob you!
This was a net loss for the cracker, he just lost a remote exploit, because he hacked a well-watched box.
im fucking amazed it was only hacked for about an hour
1. Slackware
2. Trustix
3. OpenPKG
4. Debian
5. SuSE
6. EnGarde
7. Connectiva
8. Red Hat
I am stuck with WINDOZE and my boreing install wizards, clicking next, next, next, and finish. ..............
have you even used windows? or are you wearing your rose colored sun glasses?
Unlike CVS, rsync works fine with binary files.
"I assumed blithely that there were no elves out there in the darkness"
(which is every open source mirror server out there, and many mirrors themselves)
No. This does not affect all the open source mirrors. It only affects rsync SERVERS. If you are not running rsync as a server, you are OK. If you are not accepting connections on 873 you are not running an rsync server. (Well, you could be, but you are probably running it over SSH, in which case you are still OK.)
--If you don't test it, it won't work. Guaranteed.
RedHat has also released 2.5.7 RPMs for the fix.
/tmp/rsync-2.5.7-0.9.src.rpm
/usr/src/redhat/SPECS
/usr/src/redhat/RPMS/i386, so you can install it with:
/usr/src/redhat/RPMS/i386/rsync-2.5.7-0.9.i386.rpm
When updating an older server (7.1, I think), the RH RPM failed with a GLIBC dependency. The updates for RH are identical for 7.1 - 9, so you might have a problem here.
My easiest workaround was to rebuild the rpm from source with:
Get the rsync-2.5.7-0.9.src.rpm from RedHat ftp server updates.redhat.com
Install the source rpm with:
rpm -ivh
Build a new complete, clean set of RPMs with:
cd
rpm -bb rsync.spec
The new installable binary for your current lib versions is in
rpm -Fvh
---
For those that don't use rsync, this is easily one of the most useful utilities on the box. I particularily like "modules" mode over ssh. Setup an ssh key and have the key auto-run rynnc --daemon. You get modules and ssh. Really cool.
No, your reding comprhension skills need work.
I like rsync very much, although I'm a bit limited by it's lincense.
What I DO NOT LIKE, is the rsync protocol...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I fail to see how that is a disadvantage at all... FTP also requires "a user on the host system", but I don't see any complaints about that.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Yes they are. I never said otherwise... Merely that rsync should stick to using SSH for it's network connections, instead of inventing a new, redundant, protocol (and I just pointed to CVS as an example--rsync already does work over ssh).
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
All of that is done by the APPLICATIONS on the client and server... The network protocol it just something to get the (significantly reduced) data from point to point. There isn't too much a network protocol can do to speed up the process.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Your spelling needs work.
well, I admit that I had to click the enter button a multitude of times (like 15), and I even had to change cds, but installing freebsd was pretty easy. cd-burning works. the nvidia drivers I got from the nvidia website work fine. my digital camera "just works". my sound works (I admit I had to goto www.freebsd.org and look at the "sound" section of the FreeBSD Handbook to figure out the command to make it work). my dvd player works. KDE is fast and well-integrated. when I need a piece of software I use this sweet piece of software called barry to find it and then I install it by going to the directory barry tells me to and typing "make install". damn, I guess freebsd is too much work. I have to type make install. perhaps I should contribute a script to automagically install packages for people.
I realized that after I posted it. If you look at my other comments, you'll see my typing is reasonable accurate... But once in a while, something like this happens, and I have no explanation for why.
Anyhow, typographical errors are completely irrelevant to the point of my post, so I'm not greatly concerned.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
That is entirely because of what the rsync application does on the client and server ends, and has nothing to do with it's network protocol at all. By all means, you could do the same thing (using the rsync application) over rsh/ssh.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
"I'm glad I don't put much basis on yammerings on slashdot"... "In fact, I'm real glad." --Theo de Raadt
The network protocol it just something to get the (significantly reduced) data from point to point. There isn't too much a network protocol can do to speed up the process.
RTFM, idiot.
There are several things that a new network protocol can do to make a transfer faster. For example, rsync is heavily pipelined in both directions, and removes common information from headers of consecutive files. Neither of those optimizations would be possible in FTP or HTTP.
rsync was for years the only major application that aggressively utilized full duplex TCP sockets, and found several bugs in Linux, BSD, and Solaris kernels by doing so. Again this is a protocol design decision that gets more mileage out of the connection than is possible in other ways.
Have you ever even looked at an HTTP dump? The hundreds of bytes it takes to send the headers can accomodate several whole rsync-compressed files.
A recursive update of a changed tree is typically several times quicker with rsync than with either CVS or FTP. Nothing against those protocols; they were just designed with different purposes in mind.
Now you can reasonably question whether the space saving really justifies having a new protocol. If you're not convinced, don't run it. Many people do find it worthwhile. If you are super security-conscious then you probably shouldn't be offering anonymous or unencrypted service at all.
The developers of Slackware are the slackers.
If you are a sysadmin who uses slackware you definatly aren't a slacker since it's a real bitch to administrate such a shoddy distro...
I realize you're trolling, but BSD is equally vulnerable.
Rsync was such a bad idea that the cvsup source (suplib and client) has such crazy files as:
;-)
S 2000-rs ync/OLS2000-rsync.html
RsyncUpdater.m3, RsyncBlockArraySort.m3, RsyncBlock.m3 and RsyncFile.m3
<Warning> Compiling cvsup from source involves the download or compiling of ezm3 first <\Warning>
If you want a good read about the algorithim behind rsync go here:
http://olstrans.sourceforge.net/release/OL
Have Apple released a patch for Mac OS X yet?
Apple's product security and security update pages don't mention it.
I would say there are still uses for rsync server protocol. Setting up an account for secure, anonymous SSH access to rsync sounds like a nightmare to me.
yeah. that's a best case scenario. i've been dicking with linux since 96. it HAS made huge strides. but hasnt reached popularity that you zealots would like it achieve yet simply because it's not as user friendly as windows (don't get me wrong. windows like everything, has it's flaws). BUT linux's growing popularity will be it's undoing. in the effort to be more like windows, holes are going to open wider than an inmate's rectum.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
It wasn't me who complained about your spelling (honest).
WHAT is this you say? Linux becomeing unsecure?! you are a WINDOZE(see I am 133t I used the word WINDOZE instead of windows...I 133t yo!) zealot!!!How dare you bash my precious linux....my sweet sweet precious...your kernel is safe with me. ;)
Good for you. Glad you found something that works for you.
For me though, Linux for exactly the same reasons you gave for windows. It just WORKS. Plus, and this is the real clincher, it keeps on working. The thing with Windows is, if you have a problem, then you're, more often than not, completely stuffed. It's one of the most frustrating systems to fix. The Event Viewer usually has bugger all in it, or the error message is so damned cryptic that I (or Google) can't make heads or tails of it.
In contrast, most problem in Linux have been easy to figure out, easy to fix, and/or easy to work around. And there's the other clincher
So you take your system that WORKS. I'll take a system that WORKS THE WAY I WANT.
OK, now that I've got that out of my system (excuse the pun
Well now... let me be the first, then! Having a real user account for FTP access is, in certain environments, a security risk.
Of course, if you're still using FTP for non-anonymous access instead of SCP/SFTP, I'd guess that security isn't one of your priorities.
Good I never really liked Justin Timberlake anyway.
Nobody runs rsync as a publicly accessible service anymore.
You should notice that the Gentoo Portage tree is distributed through rsync to all users.
Here
Remember last summer? With the worms and all?
Anything, ANYTHING, is better than anything from Microsoft. Be it Gentoo, RedHat, Debian, or whatever. Pick one that fits you, you can't lose.
Have a look at rdiff-backup. It uses ssh to login and to run the server on the other side, and runs through the SSH tunnel. Nice from a security perspective. I use it for all of my backup needs. Along with careful use of ssh and private/public key pairs, you can automate it and still keep it fairly secure.
---
Here
rsync security update (SSA:2003-337-01)
here the security advisory of rsync.samba.org:
/etc/rsyncd.conf configuration file. If you are using the option
rsync 2.5.6 security advisory
December 4th 2003
Background
The rsync team has received evidence that a vulnerability in rsync was
recently used in combination with a Linux kernel vulnerability to compromise
the security of a public rsync server. While the forensic evidence we have is
incomplete, we have pieced together the most likely way that this attack was
conducted and we are releasing this advisory as a result of our
investigations to date.
Our conclusions are that:
rsync version 2.5.6 and earlier contains a heap overflow vulnerability that
can be used to remotely run arbitrary code.
While this heap overflow vulnerability could not be used by itself to obtain
root access on a rsync server, it could be used in combination with the
recently announced brk vulnerability in the Linux kernel to produce a full
remote compromise.
The server that was compromised was using a non-default rsyncd.conf option
"use chroot = no". The use of this option made the attack on the compromised
server considerably easier. A successful attack is almost certainly still
possible without this option, but it would be much more difficult.
Please note that this vulnerability only affects the use of rsync as a "rsync
server". To see if you are running a rsync server you should use the netstat
command to see if you are listening on TCP port 873. If you are not listening
on TCP port 873 then you are not running a rsync server.
New rsync release
In response we have released a new version of rsync, version 2.5.7. This is
based on the current stable 2.5.6 release with only the changes necessary to
prevent this heap overflow vulnerability. There are no new features in this
release.
We recommend that anyone running a rsync server take the following steps:
Update to rsync version 2.5.7 immediately.
If you are running a Linux kernel prior to version 2.4.23 then you should
upgrade your kernel immediately. Note that some distribution vendors may have
patched versions of the 2.4.x series kernel that fix the brk vulnerability in
versions before 2.4.23. Check with your vendor security site to ensure that
you are not vulnerable to the brk problem.
Review your
"use chroot = no" then remove that line or change it to "use chroot = yes".
If you find that you need that option for your rsync service then you should
disable your rsync service until you have discussed a workaround with the
rsync maintainers on the rsync mailing list. The disabling of the chroot
option should not be needed for any normal rsync server.
The patches and full source for rsync version 2.5.7 are available from http://
rsync.samba.org/ and mirror sites. We expect that vendors will produce
updated packages for their distributions shortly.
Credits
The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this response:
Timo Sirainen
Mike Warfield
Paul Russell
Andrea Barisani
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0962 to this issue.
Regards,
The rsync team
This is a repost troll who reposts other people's comments. MOD HIM DOWN - JUST READ HIS JOURNAL!
MS has a security fix released. At least, they dont get modded up to +5 that is for sure.
"Security breaches happen"... yeah, good attitude Lunix community! Keep that up !!
Then you simply must not know SSH very well.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
NO, no, no. I was not talking about full-access accounts. I was, in fact, talking about anonymous access.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I never thought it was.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
You know I don't have anything personaly against linux. Its the tripe the zealots post all over the internet. If a linux user wants someone to take him seriously then DO NOT throw in the "WINDOZE" or "M$" or other anti-microsoft statements. Or like how this all started here by listing complete assinine steps it takes for windows to install an app. There have been several posters on slashdot that have started posting about how good linux is and what it can do and ect. They had my full attention but then they had to go and ruin it by INCLUDING: "Windoze can never do that! Billy cant make a secure OS" or some other tripe. That just makes their complete post turn into BS. Its that kinda addittude that keeps my interest in linux at a bare minimum. As for your reply, deek. All zealots should take from your lead. Post the facts and leave the tripe and name calling out of it.
Oh please, you cannot be so thick to not see that that post was merely making fun of the parent which listed completely assinine steps on the Linux install. Modify the code and submit patches to sourceforge? Come one. I've been using Linux since '97 and I've never had to do that. I've done it when I wanted to. Big difference, and I could; bigger difference. I actually use, and am proficient, with a number of operating systems and platforms. I use whatever is best for the job.
This has been possible in every OS (except windows) I've ever used (except for old versions of sunos)
Doesn't work on Solaris unless you've installed GNU tar. On Solaris you're stuck with:
gunzip -c packet.tar.gz | tar -xvf -
Or just install GNU tar and replace Sun's version.
it's not they he's so thick. it's that we run into those "zealots" every day at work, both Mac and Linux. and then we get on here, and fine the same posts. it just gets old.
Well it just goes to show how academia is totally divorced from the real world.
Nice algorithm or not if the security fucking blows ass then it sucks.
I agree that would be ideal, but it's easier said than done. I've got no other signatures on my GPG key now. I want to get some, but I don't know anyone else around here who does that sort of thing. How would I go about getting some? I know they have key signing parties at conventions and such, but I'm a college student, which means I have no money or time to attend such things.
People take advantage of conventions to organize key-signing parties because diverse groups of people from many geographic locales end up at conventions, and having people sign each other's keys strengthens the PGP "web of trust". However, you don't need geographic diversity for this to be useful.
Organize a local key-signing party. Surely there are many other computer geeks at your college interested in using PGP/GPG. Start getting the geeks together and sign each other's keys. If you can, try to get someone to join the party who is already connected to the worldwide web of trust that most well-known PGP keys are part of. If you can't get anyone well-connected to your key-signing party, don't worry! Creating a local web of trust at your college is a good start, and all it takes is one person who signed your key to get a signature from a well-connected key to get you well-connected yourself. And that can happen after the fact.
The PGP web of trust is a beautiful thing. You start out by creating little webs of trust amongst people you know. Over time, the little webs get linked together into larger webs, eventually getting linked into a global web of trust. Even if you don't know anyone in the global web of trust now, remember the "six degrees of separation" thing. If your friend signs your key, and his friend signs his key, and so on, sooner or later a signature is bound to create a path from the global web of trust to you, and bang! Now you're part of the global web of trust too, and can help link other people into it. Actually, it's better than that, because nobody needs to be your friend to sign your key -- just anyone who can verify your identity, whether friend, enemy or complete stranger.
When you create your local web of trust from scratch, take it seriously and do it right. Remember, you sign someone's key to indicate that you've verified their identity and that it's truly their key -- it's not an endorsement of the person in any way. If you despise the person and everything they stand for, but you're certain they are who they say they are and that the key you're asked to sign is their key and not another, then go ahead and sign the key. If you admire and respect a person who asks you to sign a key, but you can't be 100% certain of the person's identity and the true ownership of the key, don't sign it.
Key signatures aren't a popularity contest, it's all about verifying identity, nothing more. Don't sign a key just because someone you know appeared to email it to you; that email could be forged. Verify the key with that person through real-world mechanisms first, to make sure you aren't duped into signing the wrong key. This is where key-signing parties are helpful -- people can gather in a room, look at ID cards (e.g. driver's licenses), get a verified key fingerprint from the person, and sign the key, fairly confident that the identity they're signing is correct -- even if the key belongs to a complete stranger.
By the way, next time you complain that you can't get anyone to sign your key, you might specify your geographical location. Someone in the global web of trust with a well-connected key might offer to sign your key (especially if you'll organize a local key-signing party to "share the wealth"), but such a person is likely not to know you personally, so they'd have to meet you in person to verify your identity. And without knowing where you are located, nobody is likely to offer...
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
What a pathetic troll. You have to START with a relevant remark, and WORK TOWARDS your offtopic, inflammitory position. You got it completely backwards.
In Soviet America the banks rob you!
Maybe this is easier than I expect it to be, but you still have all the problems you have with rsync server, and possibly more.
Suppose a previously unknown vulnerability is discovered in either sshd or rsync (the command line utility, not the rsync server) which allows the remote user to execute code. The only difference here is that it's a different piece of software that we're trusting to be secure.