Amanda-Users

Re: maybe this is a dumb question

2003-08-26 13:24:02
From: Jay Lessert <jayl AT accelerant DOT net>
To: Chris Barnes <chris-barnes AT tamu DOT edu>
Date: Tue, 26 Aug 2003 10:14:55 -0700
On Tue, Aug 26, 2003 at 10:34:49AM -0500, Chris Barnes wrote:
> The concern is that when a restore is run, the softlink to the /usr/bin
> directory will be recreated, then the file will be restored into that
> directory, overwriting the file that is supposed to be there (i.e.
> creating a security issue).
> 
> 1) Is this possible, or does Amanda already do something to prevent
> this?

Chris,

Give your student worker a cookie (or a beer if they're old enough).
Though this isn't a new exploit technique, it sure looks to me like if
one:

    - Uses 'program "DUMP"'
    - Uses amrecover

Then your proposed exploit would work.  extract_files_child()
in extract_list.c just calls 'restore x', and I just tested that
ufsrestore (Solaris) will behave exactly as you describe.

If instead you run:

    amrestore | ufsrestore r

you're safe, though this is not so convenient for partial
restores.  :-)

I did not test from inside amrecover; if there is deep magic there
I am missing, I'd like to hear about it.  From an Amanda point of
view, this is an issue with 'program', not with Amanda, of course.

I did not test 'tar -xpG' (that's how amrecover calls GNU tar).

> 2) If it is possible, are there any security considerations we need to
> take into consideration when running backups or restore jobs?

Yes.  :-)

I'm *really* glad I don't admin a student or ISP environment!
If I did, I would tripwire everything, I guess.

-- 
Jay Lessert                               jay_lessert AT accelerant DOT net
Accelerant Networks Inc.                       (voice)1.503.439.3461
Beaverton OR, USA                                (fax)1.503.466.9472
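
A pre-restore audit for the pattern discussed in this thread, as an added example that is not part of the original message or of Amanda: it lists an archive without extracting it and reports every entry stored beneath a path that the same archive defines as a symlink. It assumes a tar-format image read with Python's tarfile module as a stand-in for the dump image (the message did not test GNU tar, and nothing here claims how 'tar -xpG' behaves); the function names and the sample paths are constructed for illustration.

```python
import io
import posixpath
import tarfile

def find_symlink_traversals(tar):
    """Return (entry, symlink, link target) for each entry stored beneath a
    path that the same archive also defines as a symbolic link."""
    members = tar.getmembers()
    links = {posixpath.normpath(m.name): m.linkname for m in members if m.issym()}
    findings = []
    for m in members:
        path = posixpath.normpath(m.name)
        parent = posixpath.dirname(path)
        # Walk up the entry's ancestors looking for an archived symlink.
        while parent and parent not in (".", "/"):
            if parent in links:
                findings.append((path, parent, links[parent]))
                break
            parent = posixpath.dirname(parent)
    return findings

def build_sample():
    """Constructed in-memory archive: an ordinary file, a symlinked
    directory, and one entry stored beneath that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("home/student/notes.txt", b"ordinary file\n")
        link = tarfile.TarInfo("home/student/bin")
        link.type = tarfile.SYMTYPE
        link.linkname = "/usr/bin"
        tar.addfile(link)
        add_file("home/student/bin/ls", b"placeholder\n")
    buf.seek(0)
    return buf

def audit(fileobj):
    """Open an archive read-only and return its symlink-traversal findings."""
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        return find_symlink_traversals(tar)

if __name__ == "__main__":
    for path, link, target in audit(build_sample()):
        print(f"REFUSE: {path} passes through symlink {link} -> {target}")
```

An empty result means no archived entry would be written through a symlink that the archive itself creates; symlinks already present in the restore target are outside what this check sees.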