Implement path sanitization (Parent Directory Accessible without Landlock)

[areon546]

Parent directory accessible under certain conditions. I don't know if this is a general issue or just a specific issue with how I set up the daemon. I am not experienced in this package, just tried some stuff for fun.

Running Ubuntu 25.04

Commands used:
localhost: gokr-rsync --daemon --gokr.listen=localhost:8730 --gokr.modulemap=files=/usr/share/asda/rsync/
localhost: rsync -v --archive --port 8730 rsync://localhost/files/../ adsa - standard rsync binary, see below:

user@device:~$ rsync --version 
rsync  version 3.4.1  protocol version 32
Copyright (C) 1996-2025 by Andrew Tridgell, Wayne Davison, and others.
Web site: https://rsync.samba.org/
[...]

Test log:

test@device:~$ gokr-rsync --daemon --gokr.listen=localhost:8730 --gokr.modulemap=files=/usr/share/asda/rsync/
2025/11/06 20:09:39 rsyncos.go:32: Main(osenv=&{0xc000078020 0xc000078028 0xc000078030 false 0xc0000bd230}, args=["gokr-rsync" "--daemon" "--gokr.listen=localhost:8730" "--gokr.modulemap=files=/usr/share/asda/rsync/"])
2025/11/06 20:09:39 rsyncos.go:32: config file not found, relying on flags
2025/11/06 20:09:39 rsyncos.go:32: gokrazy rsync, pid 2912991
2025/11/06 20:09:39 rsyncos.go:32: environment: unprivileged
2025/11/06 20:09:39 rsyncos.go:32: 1 rsync modules configured in total
2025/11/06 20:09:39 rsyncos.go:32: rsync module "files" with path /usr/share/asda/rsync/ configured
2025/11/06 20:09:39 setting up landlock ACL (paths ro: ["/usr/share/asda/rsync/"], paths rw: [])
2025/11/06 20:09:39 landlock verified: readdir(/sys) = open /sys: permission denied
2025/11/06 20:09:39 rsyncos.go:32: not using systemd socket activation, creating listener
2025/11/06 20:09:39 rsyncos.go:32: rsync daemon listening on rsync://127.0.0.1:8730
2025/11/06 20:09:45 rsyncd.go:574: remote connection from 127.0.0.1:36534
2025/11/06 20:09:45 rsyncd.go:217: client 127.0.0.1:36534 requested rsync module "files"
2025/11/06 20:09:45 rsyncd.go:239: client sent: "--server"
2025/11/06 20:09:45 rsyncd.go:239: client sent: "--sender"
2025/11/06 20:09:45 rsyncd.go:239: client sent: "-vlogDtpr"
2025/11/06 20:09:45 rsyncd.go:239: client sent: "."
2025/11/06 20:09:45 rsyncd.go:239: client sent: "files/../"
2025/11/06 20:09:45 rsyncd.go:239: client sent: ""
2025/11/06 20:09:45 rsyncd.go:246: flags: [--server --sender -vlogDtpr . files/../]
2025/11/06 20:09:45 rsyncd.go:270: remaining: ["." "files/../"]
2025/11/06 20:09:45 rsyncd.go:280: paths: ["files/../"]
2025/11/06 20:09:45 rsyncd.go:296: trimmed paths: ["/../"]
2025/11/06 20:09:45 rsyncd.go:545: exclusion list read (entries: 0)
2025/11/06 20:09:45 do.go:43: SendFileList(modPath="/usr/share/asda/rsync/", paths=["/../"])
2025/11/06 20:09:45 flist.go:334: sendFileList()
2025/11/06 20:09:45 flist.go:349:   path "/../" (local dir "/usr/share/asda/rsync/")
2025/11/06 20:09:45 flist.go:360:   filepath.Walk("/usr/share/asda"), strip="/usr/share/asda/"
2025/11/06 20:09:45 flist.go:361:   prefix=""
2025/11/06 20:09:45 flist.go:140: filepath.WalkFn(path=.)
2025/11/06 20:09:45 flist.go:155: Trim(path=".") = "."
2025/11/06 20:09:45 flist.go:140: filepath.WalkFn(path=rsync)
2025/11/06 20:09:45 flist.go:155: Trim(path="rsync") = "rsync"
2025/11/06 20:09:45 flist.go:140: filepath.WalkFn(path=rsync/asdas)
2025/11/06 20:09:45 flist.go:155: Trim(path="rsync/asdas") = "rsync/asdas"
2025/11/06 20:09:45 flist.go:140: filepath.WalkFn(path=rsync/asdasda)
2025/11/06 20:09:45 flist.go:155: Trim(path="rsync/asdasda") = "rsync/asdasda"
2025/11/06 20:09:45 do.go:51: file list sent
2025/11/06 20:09:45 do.go:70: reading final int32
2025/11/06 20:09:45 rsyncd.go:552: handleConnSender done. stats: &{Read:104 Written:217 Size:8192}

Rather concerned it can read the parent (/usr/share/asda/*). Can also read the grandparent (/usr/share/*), however there is a client side error if trying any directory higher up. Note, the daemon still runs the check and wastes a bunch of time walking the path, wasting server resources. There just occurs a client side error when using the /usr/bin/rsync. See below.

user@device:~$ rsync -v --archive --port 8730 rsync://localhost/files/../../../
receiving file list ... 
unexpected tag 93 [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(1705) [Receiver=3.4.1]

Unrelated, but interestingly, given rsync -v --archive --port 8730 rsync://localhost/files/../../ and rsync -v --archive --port 8730 rsync://localhost/files/../.., the former works whilst the latter fails.

user@device:~$ rsync -v --archive --port 8730 rsync://localhost/files/../..
receiving file list ... 
ERROR: rejecting unrequested file-list name: share
rsync error: requested action not supported (code 4) at flist.c(1000) [Receiver=3.4.1]

[stapelberg]

Hey @areon546, thanks for filing this report.

I have a guest this weekend, so I hope to take a closer look next week.

I was wondering why landlock doesn’t prevent such access, and it turns out that /usr/share is a special case because /usr is available to the rsync process (and subprocesses) so that ssh works:

rsync/internal/restrict/restrict_linux.go

Line 37 in a2eff58

"/usr", // for running ssh(1)

[areon546]

Just a reminder as I know life gets busy. I can make an attempt at dealing with it between my studies however I don't know the codebase very well so I expect I would do something weirdly.
Best, Areon546

[stapelberg]

Just had a chance to take a closer look.

tridge rsync prevents this via util.c:sanitize_path. rsync 2.6.2 contains a version contributed by Dave Dykstra, later versions such as 3.2.3 contain a slightly modified version.

The function is called via glob_expand, which in turn is called from rsync_module. The closest equivalent in gokrazy/rsync is rsyncd.go:HandleDaemonConn, where we currently just read the path components without sanitizing them.

AFAICT, the Go standard library does not contain such sanitization (e.g. filepath.Clean does not remove leading ../ from a path), so we’ll probably need to port this algorithm, or (if it turns out cleaner) a compatible algorithm using Go’s string manipulation.

Given that path sanitization is only required when chroot mode is off, and gokrazy/rsync can be used with Linux landlock, which amounts to chroot mode, I don’t think this is high priority. As explained before, /usr/share is a special case because /usr must be allowlisted. Place your files somewhere else, e.g. /srv.

[stapelberg]

FYI, I was auditing correct usage of the *os.Root type (see https://go.dev/blog/osroot) and noticed that the sender did not correctly use *os.Root. With commit 4544463, the traversal you ran into should be prevented not only by landlock, but also by *os.Root.

[stapelberg]

…and commit 4f71665 removes /usr from the landlock policy, so now both os.Root and Landlock should be effective in this situation.