|
COMMAND rsync group group privilege vulnerability SYSTEMS AFFECTED 2.5.3 and previous PROBLEM Ethan Benson found that rsyncd fails to drop root\'s groups (as explained in Mandrake advisory MDKSA-2002:024) : The supplementary groups that the rsync daemon runs as (such as root) would not be removed from the server process after changing to the specified unprivileged uid and gid. This seems only serious if rsync is called using \"rsync --daemon\" from the command line where it will inherit the group of the user starting the server (usually root). SOLUTION Upgrade to last version, 2.5.4, which also correct the zlib double free bug.