rsync

mirror/rsync

Fork 0

mirror of https://github.com/RsyncProject/rsync.git synced 2026-05-31 18:26:12 -04:00

Commit Graph

Author	SHA1	Message	Date
Andrew Tridgell	e1c5f0e93a	t_chmod_secure: probe kernel RESOLVE_BENEATH at runtime; drop test skip The chmod-symlink-race test was previously a no-op on Solaris, OpenBSD, NetBSD, and Cygwin via a case 'uname -s' skip. The skip was too broad: of the four scenarios the helper exercises, only the 'legitimate within-tree dir-symlink' one actually needs RESOLVE_BENEATH-equivalent kernel support. The other three (attack rejection, plain relative path, top-level file) behave identically on the per-component O_NOFOLLOW fallback and would have caught the t_stub.c max_alloc=0 bug fixed in the previous commit if the test had been allowed to run. Make the helper probe the running kernel for either openat2(RESOLVE_BENEATH) on Linux 5.6+ or openat(O_RESOLVE_BENEATH) on FreeBSD 13+ / macOS 15+ by opening '.' under the requested confinement. Honour the result: - If RESOLVE_BENEATH-equivalent confinement is available, the within-tree symlink scenario must succeed (status quo). - If not, the per-component O_NOFOLLOW fallback rejects every symlink including legitimate ones; expect the within-tree symlink scenario to be rejected (rc != 0) and the file mode to remain unchanged. The attack-rejection, plain-path and top-level scenarios are unchanged: they expect the same outcome on both code paths. Drop the case-based skip from chmod-symlink-race.test so the test runs everywhere and the per-component fallback gets the CI coverage that the SunOS/OpenBSD/NetBSD/Cygwin runners can provide. HPE NonStop -- which lacks RESOLVE_BENEATH but isn't in the existing skip list -- is also covered by this change.	2026-05-21 07:40:30 +10:00
Andrew Tridgell	862fe4eeaf	syscall+receiver: secure receiver-side do_chmod against symlink-race TOCTOU CVE-2026-29518's fix routed the receiver's open() through secure_relative_open(), but every other path-based syscall the receiver runs on sender-controllable paths is vulnerable to the same TOCTOU primitive. This commit closes the chmod variant. Add do_chmod_at() that opens the parent of fname under secure_relative_open() and uses fchmodat() against the resulting dirfd. Gate the secure path on am_daemon && !am_chrooted (the same gate use_secure_symlinks already uses for the receiver basis-file open), so non-daemon callers and chrooted daemons keep the original do_chmod() fast path. Migrate the receiver-side do_chmod() call sites in delete.c, generator.c, rsync.c, and xattrs.c. Adds testsuite/chmod-symlink-race.test (with t_chmod_secure helper) as regression coverage. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-20 10:01:22 +10:00

Author

SHA1

Message

Date

Andrew Tridgell

e1c5f0e93a

t_chmod_secure: probe kernel RESOLVE_BENEATH at runtime; drop test skip

The chmod-symlink-race test was previously a no-op on Solaris,
OpenBSD, NetBSD, and Cygwin via a case 'uname -s' skip.  The skip
was too broad: of the four scenarios the helper exercises, only
the 'legitimate within-tree dir-symlink' one actually needs
RESOLVE_BENEATH-equivalent kernel support.  The other three
(attack rejection, plain relative path, top-level file) behave
identically on the per-component O_NOFOLLOW fallback and would
have caught the t_stub.c max_alloc=0 bug fixed in the previous
commit if the test had been allowed to run.

Make the helper probe the running kernel for either
openat2(RESOLVE_BENEATH) on Linux 5.6+ or openat(O_RESOLVE_BENEATH)
on FreeBSD 13+ / macOS 15+ by opening '.' under the requested
confinement.  Honour the result:

  - If RESOLVE_BENEATH-equivalent confinement is available, the
    within-tree symlink scenario must succeed (status quo).
  - If not, the per-component O_NOFOLLOW fallback rejects every
    symlink including legitimate ones; expect the within-tree
    symlink scenario to be rejected (rc != 0) and the file mode
    to remain unchanged.

The attack-rejection, plain-path and top-level scenarios are
unchanged: they expect the same outcome on both code paths.

Drop the case-based skip from chmod-symlink-race.test so the test
runs everywhere and the per-component fallback gets the CI
coverage that the SunOS/OpenBSD/NetBSD/Cygwin runners can
provide.  HPE NonStop -- which lacks RESOLVE_BENEATH but isn't in
the existing skip list -- is also covered by this change.

2026-05-21 07:40:30 +10:00

Andrew Tridgell

862fe4eeaf

syscall+receiver: secure receiver-side do_chmod against symlink-race TOCTOU

CVE-2026-29518's fix routed the receiver's open() through
secure_relative_open(), but every other path-based syscall the
receiver runs on sender-controllable paths is vulnerable to the
same TOCTOU primitive. This commit closes the chmod variant.

Add do_chmod_at() that opens the parent of fname under
secure_relative_open() and uses fchmodat() against the resulting
dirfd. Gate the secure path on am_daemon && !am_chrooted (the same
gate use_secure_symlinks already uses for the receiver basis-file
open), so non-daemon callers and chrooted daemons keep the original
do_chmod() fast path.

Migrate the receiver-side do_chmod() call sites in delete.c,
generator.c, rsync.c, and xattrs.c.

Adds testsuite/chmod-symlink-race.test (with t_chmod_secure helper)
as regression coverage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-20 10:01:22 +10:00

2 Commits