git.ipfire.org Git - thirdparty/rsync.git/commit

author	Andrew Tridgell <andrew@tridgell.net>
	Mon, 4 May 2026 11:53:14 +0000 (21:53 +1000)
committer	Andrew Tridgell <andrew@tridgell.net>
	Wed, 20 May 2026 00:01:22 +0000 (10:01 +1000)
commit	862fe4eeaf82178324c66e504bf2c6c2e4038f99
tree	73df41871f39a2702712f2e010fb1294ad0271e1	tree \| snapshot
parent	859d44fa4f1420775e4ba050337ef32092f2894c	commit \| diff

syscall+receiver: secure receiver-side do_chmod against symlink-race TOCTOU

CVE-2026-29518's fix routed the receiver's open() through
secure_relative_open(), but every other path-based syscall the
receiver runs on sender-controllable paths is vulnerable to the
same TOCTOU primitive. This commit closes the chmod variant.

Add do_chmod_at() that opens the parent of fname under
secure_relative_open() and uses fchmodat() against the resulting
dirfd. Gate the secure path on am_daemon && !am_chrooted (the same
gate use_secure_symlinks already uses for the receiver basis-file
open), so non-daemon callers and chrooted daemons keep the original
do_chmod() fast path.

Migrate the receiver-side do_chmod() call sites in delete.c,
generator.c, rsync.c, and xattrs.c.

Adds testsuite/chmod-symlink-race.test (with t_chmod_secure helper)
as regression coverage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Makefile.in		diff \| blob \| blame \| history
delete.c		diff \| blob \| blame \| history
generator.c		diff \| blob \| blame \| history
rsync.c		diff \| blob \| blame \| history
runtests.py		diff \| blob \| blame \| history
syscall.c		diff \| blob \| blame \| history
t_chmod_secure.c	[new file with mode: 0644]	blob
t_stub.c		diff \| blob \| blame \| history
testsuite/chmod-symlink-race.test	[new file with mode: 0755]	blob
xattrs.c		diff \| blob \| blame \| history