
New rsync Released to Fix Vulnerability

CowboyNeal posted more than 10 years ago | from the better-safe-than-sorry dept.

Security 226

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary (which is every open source mirror server out there, and many mirrors themselves)."


226 comments

ATTENTION (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635467)

An incident has occurred today near the Slashdot compound, and several people have already been reported missing or dead. Do not panic. We are currently assessing the situation, and believe the deaths were caused by one of Rob "CmdrTaco" Malda's genetic experiments when it escaped from its holding cell. As of yet no photographs have been obtained, but several eyewitnesses have given descriptions that lead to the creation of this sketch [ctrl-c.liu.se]. If you see this creature, do not attempt to subdue it yourself, and contact the appropriate authorities immediately. Thank you.

helo (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635470)

hey retards this is news for nerds we dont care what n'sync is doing they are for homos

pls fix thx

Gentoo (5, Informative)

lisany (700361) | more than 10 years ago | (#7635471)

This is what got the cracker (plus the brk kernel thing) into the Gentoo rsync server. All fixed now tho!

Re:Gentoo (4, Insightful)

keesh (202812) | more than 10 years ago | (#7635488)

That's, what, 24 hours or so from the attack to a full patch to a previously unknown exploit being released? Gotta give those Gentoo guys some credit, that's damned impressive...

Re:Gentoo (0)

Anonymous Coward | more than 10 years ago | (#7635548)

Gentoo? Isn't it the Samba team which develops Rsync?

Re:Gentoo (0)

Anonymous Coward | more than 10 years ago | (#7635559)

Look at the credits list. It was the Gentoo guys who tracked this one down.

ummm no (0)

Anonymous Coward | more than 10 years ago | (#7635647)

The Samba team thanks ONE, COUNT IT, ONE person from Gentoo.

The rest ARE NOT RELATED TO GENTOO.

Sheesh...way to be a zealot...

Re:ummm no (0)

Anonymous Coward | more than 10 years ago | (#7635704)

Wow? One person from Gentoo did all the work? That's even more spectacular.

again NO you ZEALOT (0)

Anonymous Coward | more than 10 years ago | (#7635729)

ONE person from gentoo REPORTED it.

FOUR people NOT FROM GENTOO are the ones who actually FIXED IT.

You are the most pathetic zealot ever.

You're the zealot, zealot! (0)

Anonymous Coward | more than 10 years ago | (#7635754)

Ooooo ... look at the namby pamby Samba zealot. Tridge would be proud of you, sir.

Re:again NO you ZEALOT (0)

Anonymous Coward | more than 10 years ago | (#7635761)

Actually... if you read the statement at gentoo [gentoo.org] there were a number of people involved.

THATS GENTOO PROPOGANDA, ZEALOT (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7635773)

Ya they were involved in figuring out how some little script kiddie managed to own their server.

Then they reported it to samba who actually fixed it.

Wow, it took 5 leet gentoo doods to figure out how some little script kiddie owned their server.

Re:THATS GENTOO PROPOGANDA, ZEALOT (0)

Anonymous Coward | more than 10 years ago | (#7635784)

Last I checked, "little script kiddies" didn't exploit unknown vulnerabilities.

I think they did great. Thanks for playing though.

Re:THATS GENTOO PROPOGANDA, ZEALOT (0)

Anonymous Coward | more than 10 years ago | (#7635793)

Of course YOU think they did great, YOU're A GENTOO ZEALOT.

DUH.

APPLE TOOK 3 MONTHS TO FIX A SPLOIT ONCE AND THE MAC PEOPLE THOUGHT THEY DID A GREAT JOB TOO!

Gentoo's server still got owned. Haw haw.

Re:THATS GENTOO PROPOGANDA, ZEALOT (0)

Anonymous Coward | more than 10 years ago | (#7635833)

Nice caps. Panzy.

Re:THATS GENTOO PROPOGANDA, ZEALOT (2, Informative)

bleakcabal (719309) | more than 10 years ago | (#7635850)

Actually you should get your story straight: it wasn't Gentoo's server that got owned. It was a third-party server that, among many things, provides a mirror for Gentoo rsync servers. This server is administered and run by a third party which is not linked to Gentoo.

Re:Gentoo (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7635616)

and those fucktard debian guys still don't know exactly how they got r00ted... damn i need to change distro

Re:Gentoo (0)

Anonymous Coward | more than 10 years ago | (#7635799)

Yes they do know, it was a weak password plus the 'brk' patch of 2.4.23... Stay with the news, and you can stop throwing flamebait out.

Yes, Gentoo is impressive.. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7635656)

The Slashdot Song
by propstoalldeadhomiez


Rap with me, bitch

Boom, boom, boom!
Nigger WHAAAAA?

Fuck that shit!
Fuck Slashdot!
All you liberals try to censor me
But really you fucking suck Malda's dick
Fucking hypocrites
Back that shit up!

Boom, boom, boom!
Nigger WHAAAAA?
Boom, boom, boom, BOOM!
Nigger!
Boom, boom, boom!
Nigger WHAAAAA?

Fuck the moderators!
Fuck that shit!
Trackin' my username like a fucking dog tag!
Fuck privacy, fuck my rights
Go fucking hypocrisy!

Boom, boom, boom!
Nigger WHAAAAA?
Boom, boom, boom, BOOM!
Nigger!
Boom, boom, boom!
Nigger WHAAAAA?

Fuck that bullshit
Lie and say we want fucking privacy
But track every fucking troll
Banning them 'cause they don't spout liberal bullshit
Well fuck that shit!

Boom, boom, boom!
Nigger WHAAAAA?
Boom, boom, boom, BOOM!
Nigger!
Boom, boom, boom!
Nigger WHAAAAA?

Can't silence this you niggers!
Can't ban the truth!
The place is here!
The time is now!
FUCK SLASHDOT!

BOOM!
NIGGER!

Re:Gentoo (1, Interesting)

Anonymous Coward | more than 10 years ago | (#7635714)

What would have been more impressive is if it hadn't happened in the first place. I could understand maybe if a port slipped by someone, but shoddy security is rather sad. Don't take this as a troll post; my coworker is a Gentoo devel, and we've spoken about this back and forth.

What would be nice would be if some of the developers focused on security from the jump, sort of OpenBSD-ish, and no I'm not making a comparison, sort of throwing out an idea for devels to use preemptive strikes, assessing a situation beforehand. Regardless of whether there was a buffer overflow of stack/heap/$INSERT_VULN_HERE, what about the core concept of security? User accounts, firewall rules, checksums, et al.

If I were a CTO or someone who was checking into making a switch, sorry to say but right now it wouldn't be Gentoo. Sure its a nice little distribution, but the security lapse just threw them into an `I won't be using that distro any time soon` category.

Again not putting down Gentoo just adding my observations

Re:Gentoo (5, Insightful)

TheIzzy (615852) | more than 10 years ago | (#7635813)

Hello?

Security breaches happen. Even on OpenBSD and other "secure" systems. If you looked into the event at all, you would see that Gentoo did indeed have excellent security countermeasures in place. No amount of firewalling is going to stop an *unknown* vulnerability from being exploited. No amount of security auditing is going to find *every* exploit in code as complex as Gentoo's. The fact that the compromised server could be restored, and the compromising code be analysed and fixed within twenty-four hours is very impressive. If anything, this is a testament to the security at Gentoo.

If I were a CTO or someone who was checking to make a switch, this would be very impressive. I don't, however, think this is gentoo's target audience. But I do know that Microsoft definitely does not have turn-around times that impressive.

Credits (4, Informative)

Anonymous Coward | more than 10 years ago | (#7635518)

Credits
-------

The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this
response:

* Timo Sirainen

* Mike Warfield

* Paul Russell

* Andrea Barisani

Regards,

The rsync team

http://lwn.net/Articles/61541/

Re:Gentoo (0)

Anonymous Coward | more than 10 years ago | (#7635584)

I'm disappointed, had this been redhat or microsoft this would have been posted 14 hours ago. Not even a mention of Gentoo's compromise *sigh*
talk about FUD. what about -FUD? NO fear no UNcertainty and NO doubt?

hmm has ./ effect worked on rsync yet... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7635478)

guess we are about to find out in about 10 mins.

mirror (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635482)

rsync 2.5.6 security advisory
December 4th 2003

Background
The rsync team has received evidence that a vulnerability in rsync was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server. While the forensic evidence we have is incomplete, we have pieced together the most likely way that this attack was conducted and we are releasing this advisory as a result of our investigations to date.

Our conclusions are that:

rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can be used to remotely run arbitrary code.
While this heap overflow vulnerability could not be used by itself to obtain root access on a rsync server, it could be used in combination with the recently announced brk vulnerability in the Linux kernel to produce a full remote compromise.
The server that was compromised was using a non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.
Please note that this vulnerability only affects the use of rsync as a "rsync server". To see if you are running a rsync server you should use the netstat command to see if you are listening on TCP port 873. If you are not listening on TCP port 873 then you are not running a rsync server.

New rsync release
In response we have released a new version of rsync, version 2.5.7. This is based on the current stable 2.5.6 release with only the changes necessary to prevent this heap overflow vulnerability. There are no new features in this release.

We recommend that anyone running a rsync server take the following steps:

Update to rsync version 2.5.7 immediately.
If you are running a Linux kernel prior to version 2.4.23 then you should upgrade your kernel immediately. Note that some distribution vendors may have patched versions of the 2.4.x series kernel that fix the brk vulnerability in versions before 2.4.23. Check with your vendor security site to ensure that you are not vulnerable to the brk problem.
Review your /etc/rsyncd.conf configuration file. If you are using the option "use chroot = no" then remove that line or change it to "use chroot = yes". If you find that you need that option for your rsync service then you should disable your rsync service until you have discussed a workaround with the rsync maintainers on the rsync mailing list. The disabling of the chroot option should not be needed for any normal rsync server.
The patches and full source for rsync version 2.5.7 are available from http://rsync.samba.org/ and mirror sites. We expect that CmdrTaco will have anal sex with a twelve-year-old boy shortly.

Credits
The rsync team would like to thank the following individuals for their assistance in investigating this vulnerability and producing this response:

Timo Sirainen
Mike Warfield
Paul Russell
Andrea Barisani
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0962 to this issue.

Regards,

The rsync team
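The advisory quoted above is essentially a four-item checklist: is the host listening on TCP 873 at all, is rsync older than 2.5.7, is the kernel older than 2.4.23 (modulo vendor backports), and does any module set "use chroot = no". Below is that checklist as a script. It is an added example, not the rsync team's code; it runs on captured command output so it works offline, the sample version string, rsyncd.conf and netstat output it ships with are constructed, and its rsyncd.conf reader covers only the "[module]" / "key = value" subset of the real syntax.

```python
"""Check a host against the rsync 2.5.7 advisory checklist.

Added example, not part of the advisory or of rsync. It works on captured
command output so it runs offline: on a real host feed it the output of
`rsync --version`, the text of /etc/rsyncd.conf, the output of
`netstat -ltn` (or `ss -ltn`) and the output of `uname -r`.
"""
import re
from typing import Dict, List, Tuple

RSYNC_PORT = 873
FIXED_RSYNC = (2, 5, 7)      # first release with the heap overflow fix
FIXED_KERNEL = (2, 4, 23)    # first mainline kernel with the brk fix


def version_tuple(text: str) -> Tuple[int, ...]:
    """First dotted number in `text`: 'rsync  version 2.5.6  protocol version 26' -> (2, 5, 6)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x) for x in m.group(1).split("."))


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal rsyncd.conf reader: '[module]' headers and 'key = value' lines.

    Settings before the first header are globals (stored under '') and, as in
    rsyncd.conf, serve as defaults for every module. '#' lines are comments.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def chroot_disabled_modules(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Modules whose effective 'use chroot' is off (rsync's default is yes)."""
    default = conf[""].get("use chroot", "yes")
    return [name for name, opts in conf.items()
            if name and opts.get("use chroot", default).lower() in ("no", "false", "0")]


def rsyncd_listening(netstat_output: str) -> bool:
    """True if a TCP listener on port 873 appears in `netstat -ltn` / `ss -ltn` output."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "LISTEN" in fields:
            if fields[3].rsplit(":", 1)[-1] == str(RSYNC_PORT):   # 0.0.0.0:873 or [::]:873
                return True
    return False


def audit(version_output: str, conf_text: str, netstat_output: str, uname_r: str) -> List[str]:
    """The advisory's action items that apply to this host; an empty list means nothing to do."""
    findings: List[str] = []
    if not rsyncd_listening(netstat_output):
        return findings          # not an "rsync server" in the advisory's sense
    rsync_v = version_tuple(version_output)
    if rsync_v < FIXED_RSYNC:
        findings.append("rsync %s: upgrade to 2.5.7 (a vendor backport may carry the fix under "
                        "the old version number; check the vendor advisory)" % ".".join(map(str, rsync_v)))
    if version_tuple(uname_r) < FIXED_KERNEL:
        findings.append("kernel %s: predates the mainline brk fix in 2.4.23 unless the vendor patched it" % uname_r)
    for module in chroot_disabled_modules(parse_rsyncd_conf(conf_text)):
        findings.append("module '%s': 'use chroot = no', set it to yes or disable the module" % module)
    return findings


# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION = "rsync  version 2.5.6  protocol version 26\n"
SAMPLE_UNAME = "2.4.22"
SAMPLE_CONF = """\
# global defaults
uid = nobody
gid = nobody
use chroot = yes

[mirror]
    path = /srv/mirror
    read only = yes

[backup]
    path = /
    use chroot = no
    auth users = backup
"""
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION, SAMPLE_CONF, SAMPLE_NETSTAT, SAMPLE_UNAME):
        print("-", finding)
```

Two caveats the script cannot resolve by itself, both of which the advisory itself raises: a distribution may ship the fix under the old version number (the thread mentions a patched package from security.debian.org), so treat the version findings as prompts to read the vendor advisory rather than as verdicts; and the port check only sees the host it runs on, so it says nothing about mirrors you pull from.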

Whoever modded this Informative... (-1)

Anonymous Coward | more than 10 years ago | (#7635528)

Didn't see
The patches and full source for rsync version 2.5.7 are available from http://rsync.samba.org/ and mirror sites. We expect that CmdrTaco will have anal sex with a twelve-year-old boy shortly.
and is therefore an idiot.

Re:Whoever modded this Informative... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635542)

You didn't know that CmdrTaco is a gay pedophile?

Re:Whoever modded this Informative... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7635562)

and is therefore an idiot.

I wouldn't go that far, buddy. Maybe uncareful and not deserving of moderator status, but not an idiot.

anon post (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7635484)

First post!!!! oh, anon coward user ... grrr gotta remember to log in next time :)

Eh? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635487)

Nobody runs rsync as a publicly accessible service anymore. It's almost always used in conjunction with ssh on untrusted networks. Doesn't the poster have any idea what he's posting about? This is a non-starter.

Re:Eh? (5, Informative)

uncleFester (29998) | more than 10 years ago | (#7635626)

Nobody runs rsync as a publicly accessible service anymore.

oh really?

i rsync my local copy of slackware-current from carroll.cac.psu.edu. probably half the listed servers on the slack mirrors list (many of which host many other projects besides slack) do rsync. gentoo uses rsync for portage. kernel.org supports rsync for kernel/patch transfers.. as does sourceforge.

me thinks thou should pull thine head out of thine ass before making such silly comments. for a number of read-only connections, rsync is still quite popular.

Re:Eh? (1)

cshields2 (302042) | more than 10 years ago | (#7635676)

You obviously don't understand how open source mirroring networks propagate their data. Ask the admin of your favorite mirror how he gets his stuff..

chroot (4, Insightful)

larry bagina (561269) | more than 10 years ago | (#7635494)

The server that was compromised was using a non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.

Maybe I can't see the forest for the trees, but why would you NOT want to be chrooted?

Re:chroot (4, Insightful)

syntax (2932) | more than 10 years ago | (#7635499)

How about complete remote backups of the root file system?

Re:chroot (1)

MacJedi (173) | more than 10 years ago | (#7635629)

Agreed. That's exactly what I use it for. (just updated to a patched version too; thank you security.debian.org!)

The only problem I have is that file permissions are not preserved. My solution is to run:

ls -Rl / | /usr/bin/bzip2 > /root/perms.txt.bz2

prior to each backup so that there is at least a record of the permissions. Does anyone know a better way?

Re:chroot (3, Informative)

toast0 (63707) | more than 10 years ago | (#7635688)

use the --perms option to rsync

from the manpage:

"This option causes rsync to update the remote permissions to be the same as the local permissions."

RTFM

Re:chroot (3, Informative)

Saganaga (167162) | more than 10 years ago | (#7635690)

rsync --help
Options
...
-a, --archive archive mode, equivalent to -rlptgoD
...
-r, --recursive recurse into directories
-l, --links copy symlinks as symlinks
-p, --perms preserve permissions
-o, --owner preserve owner (root only)
-g, --group preserve group
-D, --devices preserve devices (root only)
-t, --times preserve times
-S, --sparse handle sparse files efficiently
...
So in other words, you want to use option -p. Or why not just use -a as the docs suggest?

Re:chroot (2, Funny)

Anonymous Coward | more than 10 years ago | (#7635538)

perhaps they were saving themselves for chmarriage

*boomtish*

*ducks flying rotten fruit*

Workaround (3, Informative)

elvum (9344) | more than 10 years ago | (#7635498)

...or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing.

Re:Workaround (1)

fifirebel (137361) | more than 10 years ago | (#7635504)

Duh. There's no work-around if you want to connect anonymously.

Re:Workaround (1)

Trejkaz (615352) | more than 10 years ago | (#7635642)

Other than, of course, a well-known public username and password, such as 'anonymous' and 'anonymous'. Or an anonymous account with no password but who is still permitted to login.

Re:Workaround (2, Insightful)

morelife (213920) | more than 10 years ago | (#7635525)


don't run rsync as a server


is not a workaround -- it's throwing the baby and the server out with the bathwater!

Re:Workaround (0)

Anonymous Coward | more than 10 years ago | (#7635534)

cause encrypting all that data is slower than shit.

i've no need for encryption.

Re:Workaround (2, Insightful)

brassman (112558) | more than 10 years ago | (#7635572)

...connect with the "-e ssh" flag

That's how I use it, but I'm not running a site like Gentoo's.

If I were, I'd rather run an rsync server than give shell logins to every Tom Dick and Mary.

Re:Workaround (4, Interesting)

pHDNgell (410691) | more than 10 years ago | (#7635630)

or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing

What if I don't want system users for every rsync user? What if I need to run my connections through an http proxy server (yes, I really, really do)? What if I want standard mechanisms for listing available modules? What if I want to limit the number of simultaneous connections for a specific area? What if I want to limit the files available in a specific area? What if I want to transfer sensitive files on a system periodically from cron, but I don't want to have an ssh key that grants access to do this without a password on the recipient machine?

I think that pretty much sums up the ways I most commonly use rsync around the house. I do use it with the -e ssh option for one-off things sometimes as well, but not running a server is certainly no workaround for me.

rsync (5, Funny)

Anonymous Coward | more than 10 years ago | (#7635511)

News Flash:

rsync releases a patch and changes its name to r'sync. The change is noted to increase its name recognition in the teenybopper script kiddie market. At this point, no pimply-faced l337 d00dz will dare deface r'sync for fear that they will be further alienated by the female species.

Unfortunately, timberlake and FatOne continue to be backdoored.

Re:rsync (5, Funny)

prog-guru (129751) | more than 10 years ago | (#7635609)

Rsync is also the preferred transfer method of pirates, software and treasure hunting ('arrr sync').

Re:rsync (0)

Anonymous Coward | more than 10 years ago | (#7635619)

or the bane of dishwashers everywhere ('our sink')

HOWTO (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635524)

How to install software on Windows

1. Run installation program

How to install software on Linux

1. Download 'tarball'. If you dont know what that is then stop and go back to your wussy operating system, you pus.
2. Run gunzip on the file.
3. Run tar -xvf on the resulting file.
4. Type make config. Answer the questions. If you dont know how to answer the questions then stop and go back to your wussy operating system, you pus.
5. Type make.
6. Fix compilation errors by resolving dependencies or editing the code to fix the bugs.
7. Log bugs on sourceforge.net.
8. Type make install.
9. Run chmod 666 on the resulting file.
10. Attempt to execute the resulting file, and hope that you have the correct distro and the correct window system that the software author had in mind.

Re:HOWTO (1)

Old Wolf (56093) | more than 10 years ago | (#7635652)

Actually you can combine steps 2 and 3, saving keystrokes:

tar xzvf

This has been possible in every OS (except windows) I've ever used (except for old versions of sunos)

Re:HOWTO (0)

Anonymous Coward | more than 10 years ago | (#7635664)

Umm.. chmod 666 doesn't make it executable, dumbass. Meanwhile 'emerge programname'.

Re:HOWTO (0)

Anonymous Coward | more than 10 years ago | (#7635805)

dumbass, it's a reference to the number of Satan.

Re:HOWTO (-1, Troll)

StarFace (13336) | more than 10 years ago | (#7635781)

Corrected for Content Errors:

How to install software on Windows

1. Find software's homepage.
2. Try to figure out where their download link is amidst all of the marketing fluff.
3. Click the "Agree" on the download link, signing away everything you own.
4. Double-click the installation icon.
5. Click "Agree" to EULA; finish installation.
6. Reboot.
7. Get attacked by little balloons helpfully informing you that you have installed new software. Find software in the Start Menu.
8. Click "Use Trial"
9. Dialog box informs you that you have 30 days to try it, and that the save features have been disabled.
10. Cuss.
11. Load up browser software and search for a cracked version.
12. Get attacked by several hundred pop-ups.
13. Cuss profusely.
14. Download crack.
15. Double-click installation icon.
16. Reboot.
17. Two days later your broadband gets cut off by the ISP because you've been trojaned and are sending out 800,000 penis spam mails per minute.
18. Cuss. Reboot. Cuss.
19. Search for Windows XP installation CD.
20. [Insert five hundred step process for installation and reboots.]
...
520. Friendly balloon asks you to activate your software for your protection.
521. Your Internet is still offline, so you call Microsoft.
522. Wait 50 minutes. Cuss.
523. Relay the 255-digit-long activation sequence number to the Microsoft representative. He hears it wrong.
524. Repeat number slowly.
525. Representative informs you that you have already activated XP too many times, and you'll have to purchase another copy. Would you like to be transferred to the sales department?
526. Cuss.
527. Find Debian installation CDs.

How to install software on Linux

1. type: apt-get install [application name]

So... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7635529)

It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

It seems obvious where the real talent in the Linux community lies today.

Re:So... (5, Insightful)

Anonymous Coward | more than 10 years ago | (#7635691)

It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

It seems obvious where the real talent in the Linux community lies today.

In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.

Wow! (0)

Anonymous Coward | more than 10 years ago | (#7635710)

Wow, you mean Debian people know how to read source code? I thought they were all spoiled by using binaries all the time.

Re:Wow! (0)

Anonymous Coward | more than 10 years ago | (#7635749)

Well it's not like gentoo people read the source to their apps either, they just had a lot more free time while they were waiting for X, KDE, and Mozilla to compile...

Seriously I don't know why people think they are special for compiling software. Wow, you figured out how to do "./configure, make, make install", wow, quick! Someone give this guy a CS masters!

Advice for everybody: (0)

Anonymous Coward | more than 10 years ago | (#7635537)

For the LOVE OF EVERYTHING SACRED, please everyone patch every box on which you are root.

Re:Advice for everybody: (2, Funny)

Anonymous Coward | more than 10 years ago | (#7635605)

Also, patch every box which you root thanks to linux and rsync security problems.

who sync? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635564)

Am I the only one who read that as "NSync released to fix vulnerability"?

I know the one dude is interested in space, but trusted computing?

Re:who sync? (0, Offtopic)

ObviousGuy (578567) | more than 10 years ago | (#7635615)

Baby I got the Trojans
And baby I got the disease
You've got me wide open, baby
You're bringin' me to my knees.

You've found my weak spot, child
I'm running the love facility
You've wormed your way into my heart baby
You've found my vulnerability

whoa oh ohhh baby baby

Why do we have insecure webservers? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635586)

Webserving is an excruciatingly easy task: the server gets a request like "http://slashdot.org/about.shtml", the server sends that file. That's all. How someone can fail this is beyond me.

Yet another Linux failure. (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7635602)

Crow is starting to taste pretty good, eh Slashdot?

this is why i dont use any package management (3, Funny)

n0k14 (719810) | more than 10 years ago | (#7635604)

i do it the slack way.

Re:this is why i dont use any package management (0)

Anonymous Coward | more than 10 years ago | (#7635763)

You must not be very skilled with Slack since Slack does have package management.

Slack has REALLY REALLY SHITTY package management, yes of course, but it does have package management.

People who go around trying to act leet because they "use slack which doesn't use package management" just show what a big noob wanna-be leet ass clown they are.

arg. (4, Funny)

mikeee (137160) | more than 10 years ago | (#7635606)

Of course, to patch this, you should go to your local mirror, which will be down until they patch the rsync vulnerability...

Doh!

Re:arg. (0)

Anonymous Coward | more than 10 years ago | (#7635823)

No kidding! Fortunately, the problem only exists for running rsync as a daemon/server not as a command line utility.

Rsync Protocol Was a Bad Idea (-1, Troll)

evilviper (135110) | more than 10 years ago | (#7635632)

I don't know why they even invented an rsync protocol. Things like CVS are very commonly run over SSH, and are rather efficient that way. What's the point of another network protocol, with more bugs to work out, and more security issues to be concerned with? Wonderful... More duplication of effort.

Incidentally. Does anyone know of a program similar to rsync that is under a less restrictive license than the GPL? It would be very useful.

Re:Rsync Protocol Was a Bad Idea (1)

prog-guru (129751) | more than 10 years ago | (#7635670)

rsync is very good for incremental updates of large files, like backups, and big dns zone files (I learned about it when setting up a slave for a dns blacklist).

BitTorrent might be worth a try too, I don't think it does incremental but should be faster than scp or ftp.

Re:Rsync Protocol Was a Bad Idea (1)

ari_j (90255) | more than 10 years ago | (#7635780)

You might want to try Unison [upenn.edu]. It's basically a bidirectional rsync. It's GPL, but it does a great job. Much more reliable (when run over ssh, at least) than rsync and less of a hassle to train users how to get their files synchronized. I even have it working successfully in an all-Windows environment, including setting file ownership right (rsync did not do that for me when run as a daemon; SYSTEM owned all the files).

Re:Rsync Protocol Was a Bad Idea (2, Insightful)

timeOday (582209) | more than 10 years ago | (#7635685)

What's the point of another network protocol, with more bugs to work out, and more security issues to be concerned with? Wonderful... More duplication of effort.

Incidentally. Does anyone know of a program similar to rsync that is under a less restrictive license than the GPL? It would be very useful.

So you think rsync is redundant and unnecessary, and you want to start a new fork of rsync? That makes a lot of sense.

Re:Rsync Protocol Was a Bad Idea (5, Informative)

Qzukk (229616) | more than 10 years ago | (#7635720)

What's the point of another network protocol

Unlike ssh, rsync daemon doesn't require a user on the host system. Unlike ftp or http, rsync updates by splitting files into blocks and updating changed blocks. Unlike scp, the config file can exclude/include certain files/paths/etc. without requiring the use of filesystem permissions. (it also has password protection).

Does anyone know of a program similar to rsync

Nah, there wasn't a point to it.

Re:Rsync Protocol Was a Bad Idea (4, Informative)

CheshireCat (73975) | more than 10 years ago | (#7635733)

CVS and rsync are different applications with different uses.

CVS maintains a history of all revisions made to the files in the repository. It doesn't even have a means to synchronize clients without a versioned repository on the server, it relies on the server knowing all past revisions to determine which changes to send to the client.

Rsync works with plain files on the server, not RCS. If you *need* revision control, it's useless, but if you only want to be able to synchronize client files to match the files on the server, it's much better than CVS. The server saves space and complexity by not having to do revision control, and the client still gets the benefits of the server only needing to transmit the changed portions of files.
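Qzukk's and CheshireCat's posts above describe what sets rsync apart from ftp, http and scp: the receiver checksums the blocks of the copy it already has, and the sender transmits only references to matching blocks plus the bytes that match nothing. The sketch below is an added example of that block-matching scheme, not rsync's own code. Real rsync uses its own rolling checksum with MD4 as the strong hash (at the 2.5.x versions discussed here), negotiates the block size and streams everything over the wire; this version keeps only the structure (signature on the receiver, delta on the sender, reconstruction on the receiver) with SHA-256 as the strong hash, and its "old" and "new" files are constructed test data.

```python
"""The block-matching idea behind rsync's transfers, in miniature.

Added example, not rsync's own code. Structure only: the receiver signs
its copy, the sender scans the new file with a rolling checksum and emits
block references or literals, the receiver rebuilds from both.
"""
import hashlib
from typing import Dict, List, Tuple, Union

MOD = 1 << 16                    # rolling checksum arithmetic is mod 2^16
Signature = Dict[Tuple[int, int], List[Tuple[int, bytes]]]
Delta = List[Union[int, bytes]]  # block index into the old copy, or literal bytes


def weak_checksum(block: bytes) -> Tuple[int, int]:
    """Adler-style checksum (a, b) that can be rolled forward one byte at a time."""
    a = sum(block) % MOD
    b = sum((len(block) - i) * x for i, x in enumerate(block)) % MOD
    return a, b


def roll(a: int, b: int, out: int, inn: int, length: int) -> Tuple[int, int]:
    """Slide the window: drop byte `out` from the front, append byte `inn` at the back."""
    a = (a - out + inn) % MOD
    b = (b - length * out + a) % MOD
    return a, b


def strong_checksum(block: bytes) -> bytes:
    return hashlib.sha256(block).digest()   # real rsync 2.5.x used MD4 here


def build_signature(old: bytes, block_size: int) -> Signature:
    """Receiver side: checksum every whole block of the copy it already has."""
    sig: Signature = {}
    for index in range(len(old) // block_size):
        block = old[index * block_size:(index + 1) * block_size]
        sig.setdefault(weak_checksum(block), []).append((index, strong_checksum(block)))
    return sig


def generate_delta(new: bytes, sig: Signature, block_size: int) -> Delta:
    """Sender side: a weak hit confirmed by the strong hash becomes a block reference,
    every other byte is sent literally. Everything here is attacker-controlled input
    on the daemon side of the protocol, which is why a parsing bug there is remote."""
    delta: Delta = []
    literal = bytearray()
    n, i = len(new), 0
    a, b = weak_checksum(new[:block_size])
    while i + block_size <= n:
        match = None
        if (a, b) in sig:                                    # cheap check first
            strong = strong_checksum(new[i:i + block_size])  # expensive check only on a hit
            for index, digest in sig[(a, b)]:
                if digest == strong:
                    match = index
                    break
        if match is not None:
            if literal:
                delta.append(bytes(literal))
                literal = bytearray()
            delta.append(match)
            i += block_size
            if i + block_size <= n:
                a, b = weak_checksum(new[i:i + block_size])
        else:
            literal.append(new[i])
            if i + block_size < n:
                a, b = roll(a, b, new[i], new[i + block_size], block_size)
            i += 1
    literal.extend(new[i:])                                  # unmatched tail
    if literal:
        delta.append(bytes(literal))
    return delta


def apply_delta(old: bytes, delta: Delta, block_size: int) -> bytes:
    """Receiver side: rebuild the new file from its old copy plus the delta."""
    out = bytearray()
    for item in delta:
        if isinstance(item, int):
            out.extend(old[item * block_size:(item + 1) * block_size])
        else:
            out.extend(item)
    return bytes(out)


def literal_bytes(delta: Delta) -> int:
    return sum(len(item) for item in delta if isinstance(item, bytes))


# Constructed sample: 1 KiB of deterministic pseudo-random data as the old copy,
# and a new version with an insertion at offset 500 and a 20-byte deletion at 700.
OLD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
NEW = OLD[:500] + b"--patched--" + OLD[500:700] + OLD[720:]
BLOCK = 64


def demo() -> Tuple[int, int, bool]:
    """(size of new file, literal bytes actually sent, reconstruction matches)."""
    delta = generate_delta(NEW, build_signature(OLD, BLOCK), BLOCK)
    return len(NEW), literal_bytes(delta), apply_delta(OLD, delta, BLOCK) == NEW


if __name__ == "__main__":
    print("new=%d bytes, literals sent=%d, ok=%s" % demo())
```

The two edits cost 183 literal bytes out of 1015 here: one run covering the insertion until the window realigns with an old block boundary, one run covering the deletion for the same reason. Blocks 7, 10 and 11 of the old copy are the ones that never match again.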

Fortunately... (1, Informative)

Anonymous Coward | more than 10 years ago | (#7635633)

It doesn't look like ersync is open to this particular vulnerability. Although to my knowledge that doesn't run without chroot.

FSF Savannah Server Compromised (5, Informative)

molo (94384) | more than 10 years ago | (#7635636)

The FSF Savannah server has been hacked. The statement indicates a similar attack vector as the exploit against the Debian systems. However, it had been hacked nearly a month ago and was not detected until December 1st. For those that are not familiar with it, Savannah is the FSF [fsf.org] version of Sourceforge [sourceforge.net], hosting both GNU and non-GNU Free Software projects. It has not yet been determined whether any of the projects' source code has been modified. Read the full statement [gnu.org] for details. One thing is certain though, with Debian [debian.org], Gentoo [gentoo.org] and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

Re:FSF Savannah Server Compromised (2, Interesting)

Feztaa (633745) | more than 10 years ago | (#7635679)

One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

While it can be somewhat distressing, these attacks can only make us stronger.

It's kinda sad, really. I mean, we're just a big happy group of people who write code for the fun of it, and then share it with everybody else. We're a decent bunch. What did we do to deserve all this hostility?

PGP-sign everything (4, Insightful)

Meat Blaster (578650) | more than 10 years ago | (#7635724)

I see too many packages out there that have no meaningful way to verify their contents. I've felt for a long time that this was something that was going to come back to haunt us.

I hope that this will provide more incentive for Open Source programmers and Linux distributors to properly secure their releases. This entails ensuring that from the time a package leaves a maintainer to the time it reaches a user there should be no possibility of tampering.

Authors/maintainers need to generate PGP keypairs and start signing their archives. MD5 checksum distributed alongside the package does not cut it -- how are we to know the package wasn't tampered with and a fresh checksum generated? No, the only way we can really feel secure is to have authors use PGP on a regular basis to verify their work, and to integrate public key/private key into CVS in order to have submitters automatically sign their changes to the source.

Then things like the Savannah hack and the various mirror compromises will only be a black eye instead of a serious threat to the Open Source methodology.
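As an added illustration of the argument above (not part of the original post), the following Go program models a mirror-served release and shows why a checksum file beside the archive is forgeable while a detached signature is not. It assumes an ed25519 keypair as a stand-in for the maintainer's PGP key, and the archive bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror serves: the archive bytes, the checksum file
// published next to it, and the maintainer's detached signature.
type Release struct {
	Archive   []byte
	MD5Sum    string
	Signature []byte
}

// Publish is the maintainer's step: hash the archive and sign it with the
// private key (ed25519 here stands in for a PGP keypair; an assumption).
func Publish(archive []byte, priv ed25519.PrivateKey) Release {
	sum := md5.Sum(archive)
	return Release{Archive: archive, MD5Sum: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, archive)}
}

// Tamper models a compromised mirror: the attacker swaps the archive and
// regenerates the checksum that sits beside it. The old signature is left
// in place because the attacker does not hold the maintainer's private key.
func Tamper(r Release, replacement []byte) Release {
	sum := md5.Sum(replacement)
	return Release{Archive: replacement, MD5Sum: hex.EncodeToString(sum[:]), Signature: r.Signature}
}

// ChecksumOK is all a user learns by comparing against the mirror's MD5 file.
func ChecksumOK(r Release) bool {
	sum := md5.Sum(r.Archive)
	return hex.EncodeToString(sum[:]) == r.MD5Sum
}

// SignatureOK checks the archive against the maintainer's public key, which
// the user must have obtained out of band rather than from the mirror.
func SignatureOK(r Release, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, r.Archive, r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := Publish([]byte("constructed archive bytes"), priv)
	bad := Tamper(good, []byte("constructed archive bytes with a backdoor"))
	fmt.Println("tampered: md5 matches?", ChecksumOK(bad), "signature valid?", SignatureOK(bad, pub))
}
```

The tampered release passes the checksum comparison (the attacker rewrote the MD5 file too) but fails signature verification, which is the gap the post is pointing at.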

Re:FSF Savannah Server Compromised (0)

Anonymous Coward | more than 10 years ago | (#7635755)

now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

Excuse me but how is the 'Open Source Community' being attacked? This seems to me (judging by your post) to possibly be the same person. A few instances does not make WWIII on the OS community. Sure it sucks but it's not the end of the world. Now I know I'm going to get mod'ed down so no one sees this from the zealots, but fact is, if they'd assessed security beforehand this definitely would not have happened.

Shockingly, hearing of FSF getting hit twice diminishes any argument one would be willing to lob at MS; at least MS' sites themselves have not been '0wned'. Sadly this makes me wonder if Linux is really ready for prime time on the corporate level.

Wait, before you call me a Windows whore, think again [netcraft.com]. Sad, really, but this could have been avoided with the proper firewall, group, users, IDS info/lists in place.

WOW "ATTACK VECTOR" WELL DONT U SOUND LEET (0)

Anonymous Coward | more than 10 years ago | (#7635782)

Wow, you sound like a cybersecurity super important guy!!!1

UR K00L!!!!

Probably Microsoft Mercenaries... (0)

Anonymous Coward | more than 10 years ago | (#7635836)

While Microsoft's right hand offers millions to hunt down Windows hackers, the left could easily pay Eastern European hackers to open holes in OSS. We would never know.

I'm sorry (-1, Troll)

NoNine (690801) | more than 10 years ago | (#7635646)

I tried very hard to find something funny to comment on in this announcement [samba.org], but could not.

Feel free to mod me wayyy down! I have that syncing feeling.

Wow, that was fast (0, Interesting)

Steve 'Rim' Jobs (728708) | more than 10 years ago | (#7635659)

I'd really like to take this opportunity to congratulate both the Gentoo devs and the rsync devs on a job well done. This is one of the many reasons why I continue to use and recommend Open Source to my friends, my boss, and my colleagues. The community simply does a first rate job of identifying and patching problems in their software. Most commercial software vendors wish they had a track record as good as most of the important open source projects out there.

Keep up the great work, guys! I'm definitely donating to the Gentoo project this Xmas ;) It has put the fun back in computing for me.

Re:Wow, that was fast (0)

Anonymous Coward | more than 10 years ago | (#7635735)

As things stand, we're apparently looking ahead to doubling or maybe even tripling the number of security flaws detected and fixed over the next year. Clearly, the system is working.

Re:Wow, that was fast (0, Troll)

Steve 'Rim' Jobs (728708) | more than 10 years ago | (#7635791)

Even so, their track record is still better than most proprietary software vendors. With OSS, at least no one is attempting a coverup - you know exactly how good or bad the software is. With proprietary software, you have to take their word for it. Not only that, but they often take months to patch known vulnerabilities; sometimes they've even threatened people who attempted to disclose these flaws to customers with fines or even jail.

SSR#4 (2, Funny)

Anonymous Coward | more than 10 years ago | (#7635739)

This calls for Standard Slashdot Response #4:
Yay! This was so fast. Even when we suck we don't suck!

I would just like to say... (5, Informative)

LnxAddct (679316) | more than 10 years ago | (#7635745)

For all you naysayers who always talk trash about Fedora, I run Fedora and Debian, and Fedora alerted me this morning about the problem and patched it in seconds. I updated Debian too, but I usually don't update on a daily basis, usually like once a week or something, unless I see something in the news. I would have had no clue about this for about 3 days if I hadn't read Slashdot and didn't have Fedora to alert me. I personally like Debian better for other reasons, but I'm just saying don't bang on Fedora, it's a damn good product.

Re:I would just like to say... (1)

TrombaMarina (712932) | more than 10 years ago | (#7635825)

I booted up this evening, got the up2date Red Hat Network notice, installed the Rsync patch in about 30 seconds, then surfed around. An hour later, I was reading /.. When I returned to the home page, I saw this article had just been posted. I'm glad to hear Fedora is on top of these things since I'll have to switch to it in a few months.

Woot! Gentoo rule! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7635771)

The Gentoo team found the fix a LOT faster than Debian would have, because they compiled everything from SOURCE, giving MASSIVE speed improvements!

And in other news... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7635840)

people running BSD continue on with their lives
not bothering to patch rsync because they don't need to.