[rssh] Add patch for rsync3 compatibility
Daniel Drake
dsd at fedoraproject.org
Mon Feb 6 23:00:11 UTC 2012
commit 950703c2212cad8e9072e6bd08a4c0726cfb94b7
Author: Daniel Drake <dsd at laptop.org>
Date: Mon Feb 6 16:55:12 2012 -0600
Add patch for rsync3 compatibility
rssh-2.3.3-rsync-protocol.patch | 65 +++++++++++++++++++++++++++++++++++++++
rssh.spec | 7 +++-
2 files changed, 71 insertions(+), 1 deletions(-)
---
diff --git a/rssh-2.3.3-rsync-protocol.patch b/rssh-2.3.3-rsync-protocol.patch
new file mode 100644
index 0000000..f4ea113
--- /dev/null
+++ b/rssh-2.3.3-rsync-protocol.patch
@@ -0,0 +1,65 @@
+As of rsync 3, rsync reused the -e option to pass protocol information
+from the client to the server. We therefore cannot reject all -e
+options to rsync, only ones not sent with --server or containing
+something other than protocol information as an argument.
+
+Based on work by Robert Hardy.
+
+Debian Bug#471803
+
+--- rssh.orig/util.c
++++ rssh/util.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_LIBGEN_H
+ #include <libgen.h>
+ #endif /* HAVE_LIBGEN_H */
++#include <regex.h>
+
+ /* LOCAL INCLUDES */
+ #include "pathnames.h"
+@@ -187,6 +188,33 @@
+ }
+
+ /*
++ * check_rsync_e() - take the command line passed to rssh and look for a -e
++ * option. If one is found, make sure --server is provided
++ * and the option contains only the protocol information.
++ * Returns 1 if the command line is safe; 0 otherwise.
++ */
++static int check_rsync_e( char *cl )
++{
++ int status;
++ regex_t re;
++
++ /*
++ * This is more complicated than it looks because we don't want to
++ * trigger on the e in --server, but we do want to catch the common
++ * case of -ltpre.iL (which contains -e.).
++ */
++ static const char pattern[] = "[ \t\v\f]-([^-][^ ]*)?e[^.0-9]";
++
++ if ( strstr(cl, "--server") == NULL ) return 0;
++ if ( regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0 ){
++ return 0;
++ }
++ status = regexec(&re, cl, 0, NULL, 0);
++ regfree(&re);
++ return (status == 0) ? 0 : 1;
++}
++
++/*
+ * check_command_line() - take the command line passed to rssh, and verify
+ * that the specified command is one the user is
+ * allowed to run. Return the path of the command
+@@ -230,9 +258,9 @@
+
+ if ( check_command(cl, opts, PATH_RSYNC, RSSH_ALLOW_RSYNC) ){
+ /* filter -e option */
+- if ( opt_exist(cl, 'e') ){
++ if ( opt_exist(cl, 'e') && !check_rsync_e(cl) ){
+ fprintf(stderr, "\ninsecure -e option not allowed.");
+- log_msg("insecure -e option in rdist command line!");
++ log_msg("insecure -e option in rsync command line!");
+ return NULL;
+ }
+
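Review bot: In `check_rsync_e()` neither test establishes what its header comment promises. `strstr(cl, "--server")` is satisfied by that substring anywhere in the command line, including inside a path or a longer option name. The pattern rejects only an `e` followed by something other than `.` or a digit, so the rest of the value is never compared with the protocol-information form, and an `e` that ends the string is not matched at all. Because this function now decides when the former blanket rejection of `-e` is lifted, both checks should be token-aware: require `--server` as a whole argument, for instance with `(^|[ \t])--server([ \t]|$)`, and validate the complete `-e` value up to the next whitespace. The long spelling `--rsh` is not covered by anything visible here, and the body of `check_command_line()` lies mostly outside the hunk, so confirm that it and `opt_exist()` filter that form as well.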
diff --git a/rssh.spec b/rssh.spec
index 9c5c008..93319cd 100644
--- a/rssh.spec
+++ b/rssh.spec
@@ -1,12 +1,13 @@
Name: rssh
Version: 2.3.3
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Restricted shell for use with OpenSSH, allowing only scp and/or sftp
Group: Applications/Internet
License: BSD
URL: http://www.pizzashack.org/rssh/
Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
Patch0: rssh-2.3.2-makefile.patch
+Patch1: rssh-2.3.3-rsync-protocol.patch
BuildRequires: openssh-server, openssh-clients
BuildRequires: cvs rsync rdist
@@ -24,6 +25,7 @@ access, you can use rssh to do that. It is a alternative to scponly.
%prep
%setup -q
%patch0 -p1 -b .makefile
+%patch1 -p1 -b .rsync3
chmod 644 conf_convert.sh
chmod 644 mkchroot.sh
@@ -57,6 +59,9 @@ exit 0
%changelog
+* Mon Feb 6 2012 Daniel Drake <dsd at laptop.org> - 2.3.3-3
+- Add patch for rsync3 compat (#485946)
+
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild