Slashdot Mirror

← Back to Stories (view on slashdot.org)

New rsync Released to Fix Vulnerability

Posted by CowboyNeal on from the better-safe-than-sorry dept.

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"

16 of 226 comments (clear)

  1. Re:Gentoo by keesh · · Score: 4, Insightful

    That's, what, 24 hours or so from the attack to a full patch to a previously unknown exploit being released? Gotta give those Gentoo guys some credit, that's damned impressive...

  2. chroot by larry+bagina · · Score: 4, Insightful
    The server that was compromised was using a non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.

    Maybe I can't see the forest for the trees, but why would you NOT want to be chrooted?

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:chroot by syntax · · Score: 4, Insightful

      How about complete remote backups of the root file system?

  3. Re:Workaround by morelife · · Score: 2, Insightful


    don't run rsync as a server

    is not a workaround -- it's throwing the baby and the server out with the bathwater!

  4. Re:Workaround by brassman · · Score: 2, Insightful
    ...connect with the "-e ssh" flag

    That's how I use it, but I'm not running a site like Gentoo's.

    If I were, I'd rather run an rsync server than give shell logins to every Tom Dick and Mary.

    --
    "Ain't no right way to do a wrong thing."
  5. Re:Rsync Protocol Was a Bad Idea by timeOday · · Score: 2, Insightful
    What's the point of another network protocol, with more bugs to work out, and more security issues to be concerned with? Wonderful... More duplication of effort.

    Incidentally. Does anyone know of a program similar to rsync that is under a less restrictive license than the GPL? It would be very useful.

    So you think rsync is redundant and unnecessary, and you want to start a new fork of rsync? That makes a lot of sense.
  6. Re:So... by Anonymous Coward · · Score: 5, Insightful
    It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

    It seems obvious where the real talent in the Linux community lies today.

    In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.

  7. PGP-sign everything by Meat+Blaster · · Score: 4, Insightful
    I see too many packages out there that have no meaningful way to verify their contents. I've felt for a long time that this was something that was going to come back to haunt us.

    I hope that this will provide more incentive for Open Source programmers and Linux distributors to properly secure their releases. This entails ensuring that from the time a package leaves a maintainer to the time it reaches a user there should be no possibility of tampering.

    Authors/maintainers need to generate PGP keypairs and start signing their archives. MD5 checksum distributed alongside the package does not cut it -- how are we to know the package wasn't tampered with and a fresh checksum generated? No, the only way we can really feel secure is to have authors use PGP on a regular basis to verify their work, and to integrate public key/private key into CVS in order to have submitters automatically sign their changes to the source.

    Then things like the Savannah hack and the various mirror compromises will only be a black eye instead of a serious threat to the Open Source methodology.

    1. Re:PGP-sign everything by giminy · · Score: 4, Insightful

      Hear, Hear. Along the same lines, it's pretty important that they sign with a key in the strongly connected set. I've seen a lot of projects that actually provide PGP sigs, but the keys used to generate the sigs don't have any signatures, or are part of closed (2-3 key) set! This is about as useless as MD5 checksums, imho. It's very easy to generate a key with Linus Torvalds as the name, but very difficult to get people in the strongly connected set to actually sign it...

      --
      The Right Reverend K. Reid Wightman,
  8. Re:Gentoo by TheIzzy · · Score: 5, Insightful
    Hello?

    Security breaches happen. Even on OpenBSD and other "secure" systems. If you looked into the event at all, you would see that Gentoo did indeed have excellent security counter measures in place. No amount of firewalling is going to stop an *unknown* vulnerability from being exploited. No amount of security auditing is going to find *every* exploit in code as complex as gentoo's. The fact that the compromised server could be restored, and the compromising code be analysed and fixed within twenty-four hours is very impressive. If anything, this is a testiment to the security at gentoo.

    If I were a CTO or someone who was checking to make a switch, this would be very impressive. I don't, however, think this is gentoo's target audience. But I do know that Microsoft definitely does not have turn-around times that impressive.

  9. Re:Gentoo by keesh · · Score: 2, Insightful

    It was.

  10. Re:Rsync Protocol Was a Bad Idea by Zork+the+Almighty · · Score: 4, Insightful

    I don't know why they even invented an rsync protocol. - To efficiently synchronize a large amount of data over a slow connection. The algorithm is one of the fundamental gems of computing science, and I'm suprised you don't appreciate it.

    --

    In Soviet America the banks rob you!
  11. Re:this is why i dont use any package management by quadelirus · · Score: 2, Insightful

    This is why I use package management. Hours before I read about this vulnerability on slashdot (read it just now) my redhat monitor had gone red and I had updated the rsync vulnerability without even a thought to when it was discovered. Its interesting that Redhat had the update so quickly though... good to know.

  12. Re:Rsync Protocol Was a Bad Idea by CheshireCat · · Score: 2, Insightful

    I would say there are still uses for rsync server protocol. Setting up an account for secure, anonymous SSH access to rsync sounds like a nightmare to me.

  13. Re:Rsync Protocol Was a Bad Idea by BaldingByMicrosoft · · Score: 2, Insightful

    Well now... let me be the first, then! Having a real user account for FTP access is, in certain environments, a security risk.

    Of course, if you're still using FTP for non-anonymous access instead of SCP/SFTP, I'd guess that security isn't one of your priorities.

  14. Re:Some history.. by boots@work · · Score: 2, Insightful

    But I have been running rsync v.2.5.7 since BEFORE the gentoo rsync server was compromised.

    Don't be ridiculous. There was no 2.5.7 release before the Gentoo compromise. I know because I was one of the team that responded to the intrusion and produced the patch. The machine was crashed on Tuesday and the patch came out on Thursday, about 36 hours later.

    I suppose you're running kernel 2.7 as well?