
Re: GNU mirror going away



> say "[Note]: due to resource and security concerns, we no longer use
> rsync to update mirrors."  Since I only mirror things I can rsync,
> well...  I'm sure you all see the problem here.

While I'm sure you're a smart guy, Steve, you really ought to give them credit
for not making a rash decision on this. Perhaps they have very good reasons for
doing so. Perhaps you should consider those reasons before making your 
determination of betting the farm on your own rsync and security abilities.

From http://rsync.samba.org/

> rsync 2.5.6 security advisory, December 4th 2003
> Background
> The rsync team has received evidence that a vulnerability in rsync was 
> recently used in combination with a Linux kernel vulnerability to compromise 
> the security of a public rsync server. While the forensic evidence we have 
> is incomplete, we have pieced together the most likely way that this attack 
> was conducted and we are releasing this advisory as a result of our 
> investigations to date.
> 
> Our conclusions are that:
>
> * rsync version 2.5.6 and earlier contains a heap overflow vulnerability 
>   that can be used to remotely run arbitrary code.
> * While this heap overflow vulnerability could not be used by itself to 
>   obtain root access on a rsync server, it could be used in combination 
>   with the recently announced brk vulnerability in the Linux kernel to 
>   produce a full remote compromise.
> * The server that was compromised was using a non-default rsyncd.conf option 
>   "use chroot = no". The use of this option made the attack on the 
>   compromised server considerably easier. A successful attack is almost 
>   certainly still possible without this option, but it would be much more 
>   difficult. 
>
> Please note that this vulnerability only affects the use of rsync as a 
> "rsync server". 

http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00213.html

http://lwn.net/Articles/61230/

http://lists.debian.org/debian-dpkg/1999/debian-dpkg-199908/msg00035.html

While I'm also sure you're quite good at maintaining the security of your
systems, I'd have to say that, just perhaps, you should consider that there are
some pretty smart folks at GNU, Debian, Gentoo, SuSE, Mandrake, and several
other distros that have serious security and resource concerns over rsync.
Perhaps you should not dismiss their decision so readily based only on your
religious zeal over rsync.

I'm just saying your policy of "I only mirror with rsync" may be impacted by
several high-profile sites you mirror taking down their rsync servers due to
these security concerns, thus diminishing the value of your mirrors (i.e. fewer
of them), regardless of the merits of the bandwidth savings of using rsync.

BTW, just out of curiosity, what portion of your bandwidth usage is just mirror
updates?

Oh, and you *CAN* mirror GNU with rsync from rsync://mirror.mcs.anl.gov/gnu/

Check out the other stuff they mirror as well http://mirror.mcs.anl.gov/

Maybe you'll reconsider? Although, if your point was partially to drop 
mirroring GNU due to lack of interest, then maybe we can fill up that 
recently freed up disk space and finally get that SuSE mirror from ANL as 
well? :=)

Mike/

---------------------------------------------
http://www.valuenet.net
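Added example, not part of Mike's message or of the rsync project: a small Python audit of an rsyncd.conf (constructed sample embedded inline) that reports the modules whose effective `use chroot` setting is off, the non-default option the advisory quoted above singles out as making the compromise easier. It assumes rsync's documented default of `use chroot = yes` and that a module-level value overrides the global one.

```python
"""Audit an rsyncd.conf for modules that run with 'use chroot = no'."""

# Constructed sample config for this example; not taken from any real server.
SAMPLE_CONF = """\
# global section: applies to every module unless a module overrides it
use chroot = yes
read only = yes
uid = nobody

[gnu]
    path = /srv/mirror/gnu
    comment = GNU mirror

[scratch]
    path = /srv/scratch
    # the weak, non-default setting named in the rsync 2.5.6 advisory
    use chroot = no
    read only = no
"""

FALSE_VALUES = {"no", "false", "0"}


def parse_rsyncd_conf(text):
    """Return (globals, modules): dicts mapping lowercased parameter -> value.
    Parameters before the first [module] header are global settings."""
    globals_ = {}
    modules = {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            continue                          # ignore malformed lines
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return globals_, modules


def modules_without_chroot(text):
    """Sorted names of modules whose effective 'use chroot' is off.
    Assumes rsync's default of yes; a module value overrides the global one."""
    globals_, modules = parse_rsyncd_conf(text)
    default = globals_.get("use chroot", "yes")
    return sorted(name for name, params in modules.items()
                  if params.get("use chroot", default).lower() in FALSE_VALUES)


if __name__ == "__main__":
    for name in modules_without_chroot(SAMPLE_CONF):
        print(f"module [{name}] is served with 'use chroot = no'")
```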


