by kees99
519 days ago
> you are safe if your rsync is only via secure connections

Not quite. If the server has "command=rsync ..." in the ~/.ssh/authorized_keys file for some ssh key (to allow rsync access, but deny shell access), this vulnerability will allow an attacker in possession of that ssh key to go around that restriction, and get a shell nonetheless.

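An added example, not part of the thread: a small audit that parses an authorized_keys file and lists the keys whose only barrier to a shell is a forced rsync command, which are the keys the comment above is about. The function names and the sample file are constructed for illustration, and the key blobs are placeholders.

```python
import os
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# One option: name, optionally ="value" where \" is an escaped quote.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|\s+|$)')

def parse_entry(line):
    """Return (options, key_type, comment) for one authorized_keys line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, pos = {}, 0
    while not line.startswith(KEY_TYPES, pos):
        m = OPTION.match(line, pos)
        if m is None:
            return None  # malformed entry
        options[m.group(1).lower()] = (m.group(2) or "").replace('\\"', '"')
        pos = m.end()
    fields = line[pos:].split(None, 2)
    if len(fields) < 2:
        return None
    return options, fields[0], fields[2] if len(fields) > 2 else ""

def rsync_only_keys(text):
    """List keys that are confined to rsync by a command= option."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None or "command" not in entry[0]:
            continue
        options, key_type, comment = entry
        argv = options["command"].split()
        if argv and os.path.basename(argv[0]) == "rsync":
            findings.append({"line": lineno, "key_type": key_type, "comment": comment,
                             "restrict": "restrict" in options, "from": options.get("from")})
    return findings

# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE = '''\
# backup pull key
command="rsync --server --sender -logDtpre.iLsfxC . /srv/backup/",no-pty ssh-ed25519 AAAAPLACEHOLDER1 backup@nas
ssh-rsa AAAAPLACEHOLDER2 admin@laptop
restrict,from="192.0.2.10",command="/usr/bin/rsync --server -logDtpre.iLsfxC . /srv/mirror/" ssh-ed25519 AAAAPLACEHOLDER3 mirror@ci
command="/usr/local/bin/deploy.sh \\"prod\\"" ssh-ed25519 AAAAPLACEHOLDER4 deploy@ci
'''
```

Calling `rsync_only_keys()` on the contents of each account's authorized_keys file gives the inventory of keys to review; the `restrict` and `from` fields only show what else limits the key, not whether the rsync binary itself is patched.
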
If I was running an rsync daemon facing the public, it would be in a chroot with dropped privileges.