New rsync Released to Fix Vulnerability

cshields2 writes "Today the rsync developers have released a new version that fixes an exploitable security vulnerability when running rsync as an 'rsync server.' Any server out there running rsync should check this out and upgrade if necessary. (which is every open source mirror server out there, and many mirrors themselves)"

Gentoo

[lisany]

This is what got the cracker in (plus the brk kernel thing) into the Gentoo Rsync server. All fixed now tho!

Re:Gentoo

[keesh]

That's, what, 24 hours or so from the attack to a full patch to a previously unknown exploit being released? Gotta give those Gentoo guys some credit, that's damned impressive...

Re:Gentoo

[Anonymous Coward]

what would have been more impressive is, if it wouldn't have happened in the first place. I could understand maybe if a port slipped by someone, but shoddy security it's rather sad. Don't take this as a troll post my coworker is a Gentoo devel, and we've spoken about this back and forth.

What would be nice, would be if some of the developers focused on security from the jump, sort of OpenBSD'ish, and no I'm not making a comparison, sort of throwing an idea for devels to use preemptive strikes, assessing a s

Re:Gentoo

[TheIzzy]

Hello?

Security breaches happen. Even on OpenBSD and other "secure" systems. If you looked into the event at all, you would see that Gentoo did indeed have excellent security counter measures in place. No amount of firewalling is going to stop an *unknown* vulnerability from being exploited. No amount of security auditing is going to find *every* exploit in code as complex as gentoo's. The fact that the compromised server could be restored, and the compromising code be analysed and fixed within twenty-four hours is very impressive. If anything, this is a testiment to the security at gentoo.

If I were a CTO or someone who was checking to make a switch, this would be very impressive. I don't, however, think this is gentoo's target audience. But I do know that Microsoft definitely does not have turn-around times that impressive.

Re:Gentoo

[Dr. Manhattan]

Security breaches happen.

That's why I wrote Ostiary [homeunix.org], because I can't afford to keep up with all the latest patches the instant they come out. It can be used to remotely enable and disable services (by starting/stopping, them, altering the hosts.allow/deny files, etc.)

The protocol it uses is so brick stupid it's effectively unhackable. It can still be DOSed, of course, but nobody's come up with a way to directly subvert it. It's very small and light, there's even a Palm client for it. No, it's not the an

Re:Gentoo

[LinuxHam]

If you want to consider IBM's well-publicized support, then don't forget about SuSE [ibm.com].

Re:Gentoo

[rifter]

Wrong... Microsoft usually releases a patch months BEFORE any attack, yet it still happens because nobody bothers to patch. (i.e., code red, sql slammer). So, who has the lower tunaround time? Microsoft at -3 months or Gentoo at +1 day after you have been rooted?

OSS/Free software usually tries not to mess up in the first place. They also fix problems in the code before exploits. But everyone is human and shit happens. The fact is slashdot has reported on patches for vulnerabilities on many platforms

Re:Gentoo

[AstroDrabb]

I'd have to agree to this "trollish" post. Fedora Core 1 came out of the box with a kernel that was patched against this hole. The patch was out, Gentoo and Debian just didn't apply it. Though, the rsync hole did require an apt-get under Fedora to upgrade it.

Re:Gentoo

[broeman]

again! It was not Gentoo's server or anything ... it was a third-party rsync server mirror (there are many). Gentoo has told all their mirrors to update to rsync 2.5.7, but they cannot know how every machine is setup around the world. They can make some guidelines to the mirror-hosts, but it is up to them to comply to it, to be a official mirror-site.

Re:Gentoo

[AstroDrabb]

Ahh, ok. This story is a little trollish by making it sound as if it was a "official" Gentoo server. Though, one of the Gentoo guys should check the "official" rsync mirrors and pull them from the DNS round robin if they are not patched correctly. Of course if there are tons of rsync servers, that could be a little bit too much work.

Re:Gentoo

[TwistedGreen]

...a full patch to a previously unknown exploit...

It certainly wasn't unknown to the cracker.

Re:THATS GENTOO PROPOGANDA, ZEALOT

[bleakcabal]

Actually you should get your story straight it wasn't gentoo's server that got owned. It was a third-party server that among many things provides a mirror for gentoo rsync servers. This server is administred and run by a third party which is not linked to Gentoo.

Credits

[Anonymous Coward]

Credits
-------

The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this
response:

* Timo Sirainen

* Mike Warfield

* Paul Russell

* Andrea Barisani

Regards,

The rsync team

http://lwn.net/Articles/61541/

Re:Gentoo

[placeclicker]

Oddly, i never saw the word "gentoo" mentioned in ANYTHING i read about this update. They only said "a public rsync server".

It must have been this exploit, though.

Re:Gentoo

[keesh]

It was [gentoo.org].

Re:Gentoo

[IWannaBeAnAC]

WTF are you talking about? It was a huge story a day or two ago: Gentoo Rsync server compromised [slashdot.org]

chroot

[larry bagina]

The server that was compromised was using a non-default rsyncd.conf option "use chroot = no". The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.

Maybe I can't see the forest for the trees, but why would you NOT want to be chrooted?

Re:chroot

[syntax]

How about complete remote backups of the root file system?

Re:chroot

[MacJedi]

Agreed. That's exactly what i use it for. (just updated to a patched version too; thank you security.debian.org!)

The only problem I have is that file permissions are not preserved. My solution is to run:

ls -Rl / | /usr/bin/bzip2 > /root/perms.txt.bz2

prior to each backup so that there is at least a record of the permissions. Does anyone know a better way?

Re:chroot

[toast0]

use the --perms option to rsync

from the manpage:

"This option causes rsync to update the remote permissions to be the same as the local permissions."

RTFM

Re:chroot

[Saganaga]

rsync --help

Options
...
-a, --archive archive mode, equivalent to -rlptgoD
...
-r, --recursive recurse into directories
-l, --links copy symlinks as symlinks
-p, --perms preserve permissions
-o, --owner preserve owner (root only)
-g, --group preserve group
-D, --devices preserve devices (root only)
-t, --times preserve times
-S, --sparse handle sparse files efficiently
...

So in other words, you want to use option -p. Or why not just use -a

Snapshot-Style Backups with rsync

[Rescate]

You might want to take a look at Easy Automated Snapshot-Style Backups with Linux and Rsync [mikerubel.org] posted by Mike Rubel. I think this is mentioned in the book Linux Server Hacks [oreilly.com] by O'Reilly (hack #42 [oreilly.com]), although I don't have the book so I'm not sure.

Basically it uses rsync and cp to create a backup, but only changed files are actually copied; unchanged files are simply linked to. This saves a lot of disk space, and allows you to keep many backups on the system at one time, assuming most of your files don't chang

Remote backups using rsync.

[Nurf]

Have a look at rdiff-backup. It uses ssh to login and to run the server on the other side, and runs through the SSH tunnel. Nice from a security perspective. I use it for all of my backup needs. Along with careful use of ssh and private/public key pairs, you can automate it and still keep it fairly secure.

Re:chroot

[hattmoward]

While your response is correct, you probably don't want to see the contents of your /etc/passwd or /etc/httpd/ssl.pem to be potentially advertised. A better bet would be to run a chrooted rsync mirror server (if that's your bag), and use a command-restricted public key to rsync over ssh for backups.

Re:chroot

[Anonymous Coward]

perhaps they were saving themselves for chmarriage

*boomtish*

*ducks flying rotten fruit*

Workaround

[elvum]

...or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing.

Re:Workaround

[fifirebel]

Duh. There's no work-around if you want to connect anonymously.

Re:Workaround

[Trejkaz]

Other than, of course, a well-known public username and password, such as 'anonymous' and 'anonymous'. Or an anonymous account with no password but who is still permitted to login.

Re:Workaround

[morelife]

don't run rsync as a server

is not a workaround -- it's throwing the baby and the server out with the bathwater!

Re:Workaround

[brassman]

...connect with the "-e ssh" flag

That's how I use it, but I'm not running a site like Gentoo's.

If I were, I'd rather run an rsync server than give shell logins to every Tom Dick and Mary.

Re:Workaround

[timeOday]

Besides, the CPU load of ssh'ing all that non-sensitive data would be crushing.

Re:Workaround

[pHDNgell]

or just don't run rsync as a server. There's no need to for most uses anyway - just install the client at both ends and connect with the "-e ssh" flag and you're laughing

What if I don't want system users for every rsync user? What if I need to run my connections through an http proxy server (yes, I really, really do)? What if I want standard mechanisms for listing available modules? What if I want to limit the number of simultaneous connections for a specific area? What if I want to limit the files available in a specific area? What if I want to transfer sensitive files on a system periodically from cron, but I don't want to have an ssh key that grants access to do this without a password on the recipient machine?

I think that pretty much sums up the ways I most commonly use rsync around the house. I do use it with the -e ssh option for one-off things sometimes as well, but not running a server is certainly no workaround for me.

rsync

[Anonymous Coward]

News Flash:

rsync releases a patch and changes its name to r'sync. The change is noted to increase its name recognition in the teenybopper script kiddie market. At this point, no pimply-faced l337 d00dz will dare deface r'sync for fear that they will be further alienated by the female species.

Unfortunately, timberlake and FatOne continue to be backdoored.

Re:rsync

[prog-guru]

Rsync is also the preferred transfer method of pirates, software and treasure hunting ('arrr sync').

this is why i dont use any package management

[n0k14]

i do it the slack way.

Re:this is why i dont use any package management

[quadelirus]

This is why I use package management. Hours before I read about this vulnerability on slashdot (read it just now) my redhat monitor had gone red and I had updated the rsync vulnerability without even a thought to when it was discovered. Its interesting that Redhat had the update so quickly though... good to know.

Re:this is why i dont use any package management

[Pope Raymond Lama]

Please, do not think I intend to start any distro war, or whatever.

But since you mentioned RedHat already had a patch, I'd like to say that the updated Mandrake package is also avalilable. And yes, it works for everybody, not just for mandrake club subscribers.

The main reason I am posting this is for people to see that there are options among the "big distros" to remain with a secure system without having to worry about having an expensive subscription contract signed.

arg.

[mikeee]

Of course, to patch this, you should go to your local mirror, which will be down until they patch the rsync vulnerablity...

Doh!

Package Download

[Hal The Computer]

Instructions on how to update Slackware to the latest and greatest rsync are at:
http://slackware.com/security/viewer.php?l=slackwa re-security&y=2003&m=slackware-security.399741 [slackware.com]
Of course if you're running a server you should theoretically be subscribing to the security mailing list. Right?

Fortunately...

[Anonymous Coward]

It doesn't look like ersync is open to this particular vulnerability. Although to my knowledge that doesn't run without chroot.

FSF Savannah Server Compromised

[molo]

The FSF Savannah server has been hacked. The statement indicates a similar attack vector as the exploit against the Debian systems. However, it had been hacked nearly a month ago and was not detected until December 1st. For those that are not familar with it, Savannah is the FSF [fsf.org] version of Sourceforge [sourceforge.net], hosting both GNU and non-GNU Free Software projects. It has not yet been determined whether any of the projects' source code has been modified. Read the full statement [gnu.org] for details. One thing is certain though, with Debian [debian.org], Gentoo [gentoo.org] and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

Re:FSF Savannah Server Compromised

[Feztaa]

One thing is certain though, with Debian, Gentoo and now the FSF being exploited in the same month, the open source/free software community is clearly under attack.

While it can be somewhat distressing, these attacks can only make us stronger.

It's kinda sad, really. I mean, we're just a big happy group of people who write code for the fun of it, and then share it with everybody else. We're a decent bunch. What did we do to deserve all this hostility?

Re:FSF Savannah Server Compromised

[the_mad_poster]

What makes you think the people that do this sort of thing care about what we 'deserve'?

They could do it for many motivations. On one extreme, there's the profit motivation of an attacker from a competing project (profit in money or recognition - whatever). On the other extreme there's the idiots who do this sort of thing for the hell of it.

There's any number of reasons people do this sort of thing, and some of them don't even involve a motivation!

PGP-sign everything

[Meat Blaster]

I see too many packages out there that have no meaningful way to verify their contents. I've felt for a long time that this was something that was going to come back to haunt us.

I hope that this will provide more incentive for Open Source programmers and Linux distributors to properly secure their releases. This entails ensuring that from the time a package leaves a maintainer to the time it reaches a user there should be no possibility of tampering.

Authors/maintainers need to generate PGP keypairs and start signing their archives. MD5 checksum distributed alongside the package does not cut it -- how are we to know the package wasn't tampered with and a fresh checksum generated? No, the only way we can really feel secure is to have authors use PGP on a regular basis to verify their work, and to integrate public key/private key into CVS in order to have submitters automatically sign their changes to the source.

Then things like the Savannah hack and the various mirror compromises will only be a black eye instead of a serious threat to the Open Source methodology.

Re:PGP-sign everything

[giminy]

Hear, Hear. Along the same lines, it's pretty important that they sign with a key in the strongly connected set. I've seen a lot of projects that actually provide PGP sigs, but the keys used to generate the sigs don't have any signatures, or are part of closed (2-3 key) set! This is about as useless as MD5 checksums, imho. It's very easy to generate a key with Linus Torvalds as the name, but very difficult to get people in the strongly connected set to actually sign it...

Re:PGP-sign everything

[slamb]

Along the same lines, it's pretty important that they sign with a key in the strongly connected set. I've seen a lot of projects that actually provide PGP sigs, but the keys used to generate the sigs don't have any signatures, or are part of closed (2-3 key) set!

I agree that would be ideal, but it's easier said than done. I've got no other signatures on my GPG key now. I want to get some, but I don't know anyone else around here who does that sort of thing. How would I go about getting some? I know they h

Re:PGP-sign everything

[JohnFluxx]

I just took them from linux kernel mailing lists..

sure they could be wrong, but you'd think the real author would notice someone posting technical messages in his name....

Organize a local key-signing party!

[Deven]

I agree that would be ideal, but it's easier said than done. I've got no other signatures on my GPG key now. I want to get some, but I don't know anyone else around here who does that sort of thing. How would I go about getting some? I know they have key signing parties at conventions and such, but I'm a college student, which means I have no money or time to attend such things.

People take advantage of conventions to organize key-signing parties because diverse groups of people from many geographic locale

Re:Organize a local key-signing party!

[slamb]

Organize a local key-signing party. Surely there are many other computer geeks at your college interested in using PGP/GPG. Start getting the geeks together and sign each other's keys. If you can, try to get someone to join the party who is already connected to the worldwide web of trust that most well-known PGP keys are part of. If you can't get anyone well-connected to your key-signing party, don't worry! Creating a local web of trust at your college is a good start, and all it takes isone person who sign

Re:PGP-sign everything

[giminy]

I'd suggesting hitting up Big Lumber [biglumber.com]. You can search for local keysigning parties or start your own. I live in the middle of nowhere (Syracuse, NY) and there are even a few people registered around here. Pretty much any college town is going to have some biglumber people in or near it.

Whenever you travel to a big city, it can be useful to check the site, too. There's nothing like getting a cup of coffee with a crypto nerd to keep you from meeting women in a new city.

Re:PGP-sign everything

[AKnightCowboy]

It's very easy to generate a key with Linus Torvalds as the name, but very difficult to get people in the strongly connected set to actually sign it...

So wouldn't it make more sense to go to a PKI system and use user certificates issued by a trusted name like Verisign? (giggle).

My money's on the shifty-eyed dog with the...

[pr0ntab]

SCO nametag.

Re:FSF Savannah Server Compromised

[Malcontent]

I hope whoever did this was stupid enough to leave some tracks on at least one of the servers. It would be interesting to know who was behind all this.

OSS has pissed off a lot of very rich and powerful people and those people could pay top dollar for a good cracker so they may never get caught.

Re:FSF Savannah Server Compromised

[Malcontent]

" Why do people like you automatically assume that this attack is different from any other attack just because their happening to the servers of Linux distros and advocates"

Why? Because they all used the same vulnaribility which was not known to anybody. They all attacked linux projects (no freebsd ones). They concentrated their attacks on repositories.

"Is it too much for you to imagine that someone wants to put backdoors into Linux?"

Again who would want to do such a thing? I would think that list would

Re:FSF Savannah Server Compromised

[Malcontent]

"Microsoft have been found guilty of anti-trust breaches. Commercial strongarming, illegally using their monopoly position, call it what you will. They have NOT been found guilty of commercial espionage."

OK. But they have been found guilty. They have been sued many many times for stealing technology and backstabbing. Most were settled eventually by MS coughing up hundreds of millions of dollars.

"And SCO may be acting unethically, but I've yet to see them found guilty of anything except stupidity"

Then you

Re:FSF Savannah Server Compromised

[Malcontent]

"but I get the feeling that nothing will make you even consider the alternatives. And that's kind of sad."

There is nothing sadder and a corporate apologist. When I was in High school many many years ago there were people who used to wear Nike shirts and shoes and thought they were superior to people wearing any other brand of shoes. There were guys who would pledge allegience to Ford or Chevy and put little bumber stickers on their cars denigrating the other manufacturer.

I always thought these people were

Re:FSF Savannah Server Compromised

[boots@work]

They have NOT been found guilty of commercial espionage.

Actually, it has been established in court that Microsoft bugged their victim/competitor's hotel room to gather commercial intelligence. This was some time ago, perhaps in the early 90s. I don't know if they were found guilty or even if this was a crime in the relevant jurisdiction. It certainly indicates a willingness to descend to unethical tricks.

And SCO may be acting unethically, but I've yet to see them found guilty of anything except stupi

SSR#4

[Anonymous Coward]

This calls for Standard Slashdot Response #4:
Yay! This was so fast. Even when we suck we don't suck!

I would just like to say...

[LnxAddct]

For all you naysayers who always talk trash about Fedora, I run fedora and debian and fedora alerted me this morning about the problem and patched it in seconds. I updated debian too, but I usually dont update on a daily basis, usually like once a week or something, unless I see something in the news. I would have had no clue about this for about a 3 days if i hadn't read slashdot and didn't have Fedora to alert me. I personally like Debian better for other reasons, but I'm just saying dont bang on Fedora, its a damn good product.

Re:I would just like to say...

[TrombaMarina]

I booted up this evening, got the up2date Red Hat Network notice, installed the Rsync patch in about 30 seconds, then surfed around. An hour later, I was reading /.. When I returned to the home page, I saw this article had just been posted. I'm glad to hear Fedora is on top of these things since I'll have to switch to it in a few months.

Re:I would just like to say...

[sportal]

Maybe you should subscribe to the debian security mailing list.

They posted an alert this morning.

http://lists.debian.org/debian-security-announce/d ebian-security-announce-2003/msg00213.html [debian.org]

Since the update servers were offline due to the recent security hacks, they gave you a direct link to update.

Re:I would just like to say...

[Mr.Ned]

> I would have had no clue about this for about a 3
> days if i hadn't read slashdot and didn't have
> Fedora to alert me.

Why don't you subscribe to the Debian security announcement list? It is a very low-traffice list and you will get an e-mail as soon as an updated package is available.

By the way, for your interest, here are the times on the rsync e-mails to bugtraq today (in my time zone):

Slackware: 2:50AM
Debian: 11:09AM
SuSE: 12:14PM
Gentoo: 3:13PM
Connectiva: 3:46PM
Red Hat: 4:14PM

Re:I would just like to say...

[CentrX]

Of course, it is easy to use apt-get to discover security updates.

Debian Security Advisory

[Anonymous Coward]

[DSA 404-1] New rsync packages fix unauthorised remote code execution [debian.org]

Some history..

[cras]

Two months ago I found the problem [mail-archive.com] and gave a patch [mail-archive.com] to fix it. Looks like the bad guys were smarter than I thought and figured out a way to exploit it. Lesson: release fixes for even potential security holes immediately :)

Re:Some history..

[boots@work]

But I have been running rsync v.2.5.7 since BEFORE the gentoo rsync server was compromised.

Don't be ridiculous. There was no 2.5.7 release before the Gentoo compromise. I know because I was one of the team that responded to the intrusion and produced the patch. The machine was crashed on Tuesday and the patch came out on Thursday, about 36 hours later.

I suppose you're running kernel 2.7 as well?

Only affects Rsync servers

[Blue Booger]

(which is every open source mirror server out there, and many mirrors themselves)

No. This does not affect all the open source mirrors. It only affects rsync SERVERS. If you are not running rsync as a server, you are OK. If you are not accepting connections on 873 you are not running an rsync server. (Well, you could be, but you are probably running it over SSH, in which case you are still OK.)

RedHat RPMs for fix

[DDumitru]

RedHat has also released 2.5.7 RPMs for the fix.

When updating an older server (7.1, I think), the RH RPM failed with a GLIBC dependency. The updates for RH are identical for 7.1 - 9, so you might have a problem here.

My easiest workaround was to rebuild the rpm from source with:

Get the rsync-2.5.7-0.9.src.rpm from RedHat ftp server updates.redhat.com

Install the source rpm with:

rpm -ivh /tmp/rsync-2.5.7-0.9.src.rpm

Build a new complete, clean set of RPMs with:

cd /usr/src/redhat/SPECS
rpm -bb rsync.spec

The new installable binary for your current lib versions is in /usr/src/redhat/RPMS/i386, so you can install it with:

rpm -Fvh /usr/src/redhat/RPMS/i386/rsync-2.5.7-0.9.i386.rpm

---

For those that don't use rsync, this is easily one of the most useful utilities on the box. I particularily like "modules" mode over ssh. Setup an ssh key and have the key auto-run rynnc --daemon. You get modules and ssh. Really cool.

Advisory from the rsync team

[gfilion]

here the security advisory of rsync.samba.org:

rsync 2.5.6 security advisory
December 4th 2003

Background
The rsync team has received evidence that a vulnerability in rsync was
recently used in combination with a Linux kernel vulnerability to compromise
the security of a public rsync server. While the forensic evidence we have is
incomplete, we have pieced together the most likely way that this attack was
conducted and we are releasing this advisory as a result of our
investigations to date.

Our conclusions are that:

rsync version 2.5.6 and earlier contains a heap overflow vulnerability that
can be used to remotely run arbitrary code.
While this heap overflow vulnerability could not be used by itself to obtain
root access on a rsync server, it could be used in combination with the
recently announced brk vulnerability in the Linux kernel to produce a full
remote compromise.
The server that was compromised was using a non-default rsyncd.conf option
"use chroot = no". The use of this option made the attack on the compromised
server considerably easier. A successful attack is almost certainly still
possible without this option, but it would be much more difficult.
Please note that this vulnerability only affects the use of rsync as a "rsync
server". To see if you are running a rsync server you should use the netstat
command to see if you are listening on TCP port 873. If you are not listening
on TCP port 873 then you are not running a rsync server.

New rsync release
In response we have released a new version of rsync, version 2.5.7. This is
based on the current stable 2.5.6 release with only the changes necessary to
prevent this heap overflow vulnerability. There are no new features in this
release.

We recommend that anyone running a rsync server take the following steps:

Update to rsync version 2.5.7 immediately.
If you are running a Linux kernel prior to version 2.4.23 then you should
upgrade your kernel immediately. Note that some distribution vendors may have
patched versions of the 2.4.x series kernel that fix the brk vulnerability in
versions before 2.4.23. Check with your vendor security site to ensure that
you are not vulnerable to the brk problem.
Review your /etc/rsyncd.conf configuration file. If you are using the option
"use chroot = no" then remove that line or change it to "use chroot = yes".
If you find that you need that option for your rsync service then you should
disable your rsync service until you have discussed a workaround with the
rsync maintainers on the rsync mailing list. The disabling of the chroot
option should not be needed for any normal rsync server.
The patches and full source for rsync version 2.5.7 are available from http://
rsync.samba.org/ and mirror sites. We expect that vendors will produce
updated packages for their distributions shortly.

Credits
The rsync team would like to thank the following individuals for their
assistance in investigating this vulnerability and producing this response:

Timo Sirainen
Mike Warfield
Paul Russell
Andrea Barisani
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0962 to this issue.

Regards,

The rsync team

Re:Advice for everybody:

[Anonymous Coward]

Also, patch every box which you root thanks to linux and rsync security problems.

Re:Eh?

[uncleFester]

Nobody runs rsync as a publicly accessible service anymore.

oh really?

i rsync my local copy of slacware-current from carroll.cac.psu.edu. probably half the listed servers on the slack mirrors list (many of which host many other projects besides slack) do rsync. gentoo uses rsync for portage. kernel.org supports rsync for kernel/patch transfers.. as does sourceforge.

me thinks thou should pull thine head out of thine ass before making such silly comments. for a number of read-only connections, rsync is still quite popular.

Re:Eh?

[Tester]

Nobody runs rsync as a publicly accessible service anymore.

You should notice that the Gentoo Portage tree is distributed through rsync to all users.

Re:Eh?

[cshields2]

You obviously don't understand how open source mirroring networks propagate their data. Ask the admin of your favorite mirror how he gets his stuff..

Re:Eh?

[keesh]

Well, Gentoo does, for one...

Re:HOWTO

[Old Wolf]

Actually you can combine steps 2 and 3, saving keystrokes:

tar xzvf

This has been possible in every OS (except windows) I've ever used (except for old versions of sunos)

You forgot step 0...

[Trejkaz]

0. Smoke crack.

Re:u must be a 133t linux user...

[JCholewa]

> the extra five seconds I spend clicking just kills me....

Right. Five seconds. Hah.

The Mandrake way:
$ su
# urpmi --auto --no-verify-rpm mozilla evolution kmail OpenOffice.Org pan knode celestia kopete

And bam, you've just installed a web browser, an office suite, three mail programs, three newsgroup clients, one universal messaging client and a really cool 3D space navigating program. If you wanted to, you could put a hundred application names on that single command line, and everything gets automag

Re:Rsync Protocol Was a Bad Idea

[prog-guru]

rsync is very good for incremental updates of large files, like backups, and big dns zone files (I learned about it when setting up a slave for a dns blacklist).

BitTorrent might be worth a try too, I don't think it does incremental but should be faster than scp or ftp.

Re:Rsync Protocol Was a Bad Idea

[ari_j]

You might want to try Unison [upenn.edu]. It's basically a bidirectional rsync. It's GPL, but it does a great job. Much more reliable (when run over ssh, at least) than rsync and less of a hassle to train users how to get their files synchronized. I even have it working successfully in an all-Windows environment, including setting file ownership right (rsync did not do that for me when run as a daemon; SYSTEM owned all the files).

Re:Rsync Protocol Was a Bad Idea

[evilviper]

rsync is very good for incremental updates of large files, like backups, and big dns zone files

That is entirely because of what the rsync application does on the client and server ends, and has nothing to do with it's network protocol at all. By all means, you could do the same thing (using the rsync application) over rsh/ssh.

Re:Rsync Protocol Was a Bad Idea

[timeOday]

What's the point of another network protocol, with more bugs to work out, and more security issues to be concerned with? Wonderful... More duplication of effort.

Incidentally. Does anyone know of a program similar to rsync that is under a less restrictive license than the GPL? It would be very useful.

So you think rsync is redundant and unnecessary, and you want to start a new fork of rsync? That makes a lot of sense.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

So you think rsync is redundant and unnecessary, and you want to start a new fork of rsync? That makes a lot of sense.

No, your reding comprhension skills need work.

I like rsync very much, although I'm a bit limited by it's lincense.

What I DO NOT LIKE, is the rsync protocol...

Re:Rsync Protocol Was a Bad Idea

[evilviper]

I realized that after I posted it. If you look at my other comments, you'll see my typing is reasonable accurate... But once in a while, something like this happens, and I have no explanation for why.

Anyhow, typographical errors are completely irrelevant to the point of my post, so I'm not greatly concerned.

Re:Rsync Protocol Was a Bad Idea

[timeOday]

It wasn't me who complained about your spelling (honest).

Re:Rsync Protocol Was a Bad Idea

[Qzukk]

What's the point of another network protocol

Unlike ssh, rsync daemon doesn't require a user on the host system. Unlike ftp or http, rsync updates by splitting files into blocks and updating changed blocks. Unlike scp, the config file can exclude/include certain files/paths/etc. without requiring the use of filesystem permissions. (it also has password protection).

Does anyone know of a program similar to rsync

Nah, there wasn't a point to it.

You forgot...

[benjamindees]

Unlike CVS, rsync works fine with binary files.

Re:You forgot...

[boots@work]

CVS does not do *deltas* of binary files. It stores and transmits the whole thing every time. Therefore you lose the main advantage of rsync, which is that the network transfer is roughly proportional to the edit distance between the old and new files.

On Ethernet it makes little difference. On ADSL or modem or between continents rsync is enormously faster than CVS.

When I'm fetching a big CVS tree, it can be faster to do the initial checkout on a well-connected machine in the US and then move it by rsyn

Re:Rsync Protocol Was a Bad Idea

[evilviper]

Unlike ssh, rsync daemon doesn't require a user on the host system.

I fail to see how that is a disadvantage at all... FTP also requires "a user on the host system", but I don't see any complaints about that.

Re:Rsync Protocol Was a Bad Idea

[BaldingByMicrosoft]

Well now... let me be the first, then! Having a real user account for FTP access is, in certain environments, a security risk.

Of course, if you're still using FTP for non-anonymous access instead of SCP/SFTP, I'd guess that security isn't one of your priorities.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

Having a real user account for FTP access is, in certain environments, a security risk.

Of course, if you're still using FTP for non-anonymous access instead of SCP/SFTP, I'd guess that security isn't one of your priorities.

NO, no, no. I was not talking about full-access accounts. I was, in fact, talking about anonymous access.

Re:Rsync Protocol Was a Bad Idea

[CheshireCat]

CVS and rsync are different applications with different uses.

CVS maintains a history of all revisions made to the files in the repository. It doesn't even have a means to synchronize clients without a versioned repository on the server, it relies on the server knowing all past revisions to determine which changes to send to the client.

Rsync works with plain files on the server, not RCS. if you *need* revision control, it's useless, but if you only want to be able to synchronize client files to match the files on the server, it's much better than CVS. The server saves space and complexity by not having to do revision control, and the client still gets the benfits of the server only needing to transmit the changed portions of files.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

CVS and rsync are different applications with different uses.

Yes they are. I never said otherwise... Merely that rsync should stick to using SSH for it's network connections, instead of inventing a new, redundant, protocol (and I just pointed to CVS as an example--rsync already does work over ssh).

Re:Rsync Protocol Was a Bad Idea

[CheshireCat]

I would say there are still uses for rsync server protocol. Setting up an account for secure, anonymous SSH access to rsync sounds like a nightmare to me.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

Setting up an account for secure, anonymous SSH access to rsync sounds like a nightmare to me.

Then you simply must not know SSH very well.

Re:Rsync Protocol Was a Bad Idea

[Zork the Almighty]

I don't know why they even invented an rsync protocol. - To efficiently synchronize a large amount of data over a slow connection. The algorithm is one of the fundamental gems of computing science, and I'm suprised you don't appreciate it.

Re:Rsync Protocol Was a Bad Idea

[evilviper]

To efficiently synchronize a large amount of data over a slow connection.

All of that is done by the APPLICATIONS on the client and server... The network protocol it just something to get the (significantly reduced) data from point to point. There isn't too much a network protocol can do to speed up the process.

Re:rsync Protocol Was a Bad Idea

[boots@work]

The network protocol it just something to get the (significantly reduced) data from point to point. There isn't too much a network protocol can do to speed up the process.

RTFM [samba.org], idiot.

There are several things that a new network protocol can do to make a transfer faster. For example, rsync is heavily pipelined in both directions, and removes common information from headers of consecutive files. Neither of those optimizations would be possible in FTP or HTTP.

rsync was for years the only major application that aggressively utilized full duplex TCP sockets, and found several bugs in Linux, BSD, and Solaris kernels by doing so. Again this is a protocol design decision that gets more mileage out of the connection than is possible in other ways.

Have you ever even looked at an HTTP dump? The hundreds of bytes it takes to send the headers can accomodate several whole rsync-compressed files.
A recursive update of a changed tree is typically several times quicker with rsync than with either CVS or FTP. Nothing against those protocols; they were just designed with different purposes in mind.

Now you can reasonably question whether the space saving really justifies having a new protocol. If you're not convinced, don't run it. Many people do find it worthwhile. If you are super security-conscious then you probably shouldn't be offering anonymous or unencrypted service at all.

YOU FAIL IT

[Zork the Almighty]

What a pathetic troll. You have to START with a relevant remark, and WORK TOWARDS your offtopic, inflammitory position. You got it completely backwards.

Re:So...

[Anonymous Coward]

It took the Debian developers over a *week* to find the cause of their servers being rooted, but Gentoo is able to accomplish the same in one day, *and* provide a fix?

It seems obvious where the real talent in the Linux community lies today.

In case you hadn't noticed, the Gentoo developers based their analysis on the Debian developers' work. The real talent in the Linux community lies in the community.

Re:And in other news...

[boots@work]

I realize you're trolling, but BSD is equally vulnerable.