> Could attacker X on remoteserver alter the rsync binary in such a way
> so it can traverse and change or read arbitrary files on localserver?
> Does running above command execute remote code or give remoteserver
> any kind of system access to localserver (does the ssh tunnel work both ways???)
> or is it "pumping" data through a dumb pipe just like for example rsync
> over a samba share would and leaving all control to local?

You are wise to ask this question! The remote server can change arbitrary files on the local server by sending a symlink and then using paths that go through the symlink. The current development rsync has a --munge-links option to prevent that. Unfortunately, that option is not available in the 3.0.x branch at this time.
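
An added example, not part of the original message and not rsync code: a Python audit that walks a received destination tree and reports every symlink whose target resolves outside that tree, the kind of link the reply describes. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """Return sorted root-relative paths of symlinks that resolve outside root."""
    root_real = os.path.realpath(root)
    escaping = []
    # followlinks=False: list symlinked directories but never descend through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves the link relative to its own directory,
            # including chains of links and dangling targets.
            target = os.path.realpath(path)
            if os.path.commonpath([root_real, target]) != root_real:
                escaping.append(os.path.relpath(path, root))
    return sorted(escaping)


def build_sample_tree(root):
    """Constructed sample: one link that stays inside, two that leave the tree."""
    os.makedirs(os.path.join(root, "data", "sub"))
    with open(os.path.join(root, "data", "file.txt"), "w") as fh:
        fh.write("payload\n")
    # Relative link to a sibling file: stays inside the destination.
    os.symlink("file.txt", os.path.join(root, "data", "inside"))
    # Relative link that climbs above the destination root.
    os.symlink("../../../outside", os.path.join(root, "data", "sub", "up"))
    # Absolute link to a system directory.
    os.symlink("/etc", os.path.join(root, "data", "abs"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for link in find_escaping_symlinks(tmp):
            raw = os.readlink(os.path.join(tmp, link))
            print("escapes destination:", link, "->", raw)
```

Run it against a destination that no transfer is currently writing to. It reports such links after the fact and does not replace sender-independent protection during the transfer itself.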