In the description of the -K (--keep-dirlinks) flag, the rsync man page gives this warning (my emphasis):
One note of caution: if you use --keep-dirlinks, you must trust all the symlinks in the copy! If it is possible for an untrusted user to create their own symlink to any directory, the user could then (on a subsequent copy) replace the symlink with a real directory and affect the content of whatever directory the symlink references. For backup copies, you are better off using something like a bind mount instead of a symlink to modify your receiving hierarchy.
I've read the highlighted sentence several times, and I still cannot picture the exploit it refers to.
Could someone give a fleshed out example of the exploit? (Please include an explanation of how a "bind mount" avoids the problem.)
FWIW, this is my understanding of what the -K option does.
For example, if the initial state is this:
    sender:/path/to/sourcedir
    └── foo/
        └── file

    receiver:/path/to/targetdir
    ├── bar/
    │   └── stuff
    └── foo@ -> bar/

Then, after rsync sender:/path/to/sourcedir/ receiver:/path/to/targetdir, the receiver will look like this:

    receiver:/path/to/targetdir
    ├── bar/
    │   └── stuff
    └── foo/
        └── file

(Note that foo is no longer a symlink.)
After rsync -K sender:/path/to/sourcedir/ receiver:/path/to/targetdir, on the other hand, it will look like this:

    receiver:/path/to/targetdir
    ├── bar/
    │   ├── file
    │   └── stuff
    └── foo@ -> bar/
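
An added example, not part of the original question or of rsync itself: the man page's requirement to "trust all the symlinks in the copy" can be checked before a -K run by listing every symlink in the receiving tree that resolves to a directory, together with its owner and whether its target lies outside the tree. The function names, the trusted_uids parameter and the sample layout (including the ext link) are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_dirlinks(root, trusted_uids=(0,)):
    """List symlinks under root that resolve to a directory (the kind -K keeps)."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the link itself, not its target
            if not stat.S_ISLNK(st.st_mode):
                continue
            target = os.path.realpath(path)
            if not os.path.isdir(target):
                continue  # links to files and dangling links are not dirlinks
            inside = os.path.commonpath([root_real, target]) == root_real
            findings.append({
                "link": os.path.relpath(path, root),
                "resolves_to": target,
                "escapes_tree": not inside,
                "untrusted_owner": st.st_uid not in trusted_uids,
            })
    return findings


def build_sample():
    """Constructed sample: the question's receiver layout plus one outside link."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "targetdir")
    os.makedirs(os.path.join(target, "bar"))
    open(os.path.join(target, "bar", "stuff"), "w").close()
    os.symlink("bar", os.path.join(target, "foo"))  # foo@ -> bar/
    os.makedirs(os.path.join(base, "outside"))
    os.symlink(os.path.join("..", "outside"), os.path.join(target, "ext"))
    return target


if __name__ == "__main__":
    # Treat only the current user as trusted for this constructed run.
    for finding in audit_dirlinks(build_sample(), trusted_uids={os.getuid()}):
        print(finding)
```

Any entry with escapes_tree or untrusted_owner set is a link that -K would write through, so it is worth reviewing before the copy runs.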