Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix5191.htm

rsync group group privilege vulnerability



20th Mar 2002 [SBWID-5191]
COMMAND

	rsync group group privilege vulnerability

SYSTEMS AFFECTED

	2.5.3 and previous

PROBLEM

	Ethan Benson  found  that  rsyncd  fails  to  drop  root\'s  groups  (as
	explained in Mandrake advisory MDKSA-2002:024) :
	

	The supplementary groups that the rsync daemon runs as  (such  as  root)
	would not be removed from the  server  process  after  changing  to  the
	specified unprivileged uid and gid. This seems only serious if rsync  is
	called using \"rsync --daemon\" from the  command  line  where  it  will
	inherit the group of the user starting the server (usually root).

SOLUTION

	Upgrade to last version, 2.5.4, which also correct the zlib double  free
	bug.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH