Amanda-Users

Re: maybe this is a dumb question

2003-08-28 12:17:25
Subject: Re: maybe this is a dumb question
From: Jon LaBadie <jon AT jgcomp DOT com>
To: amanda-users AT amanda DOT org
Date: Thu, 28 Aug 2003 12:09:22 -0400
I missed the first couple of articles on this thread
so I don't have them to quote, sorry.  I read them
on the archive at yahoo though.  I expectantly await
J. Fennalson's investigation.  May even try my own
empirical testing.

Here are the two thoughts I had when reading Chris'
original posting.

1. There has been a discussion in the past that restores
to the original location will even remove existing files
because the restoration/recovery is to the state as of a
specific date.  So if on day 1 (a level 0) the file existed
but on day 2 (an incremental) it did not, a restore to
day 2's date would first put the file there (from the
level 0 tape), then remove it because of the incremental.

That discussion arose because some amanda user, in my above
scenario, manually recreated the file on day 3, only to find
it removed by the recovery process.  An action they felt was
incorrect.

I think the recovery may affect the properties of files as
well as existence.  So the permissions would be changed to
those that existed as of the date specified in the recovery.

Maybe even file types??

In Chris' (and the student's) scenario, if all the above is
correct then it seems to me that
  a) if the recovery date was day 1, just the soft link would
     be recovered - no problem
  b) if the recovery date was day 2, the soft link would be
     converted to a directory (as it was on day 2) and the
     files placed in there, not /usr/bin.

Time to read code and test :)

2. Supposing the worst, the /usr/bin/passwd file would be trashed,
a bad event in itself.  But for the specific example it would not
be a further security breach for attacks on the password file as
the ownership and permissions would also be set to those existing
at the backup time.  Namely, owned by the user, not root, and
setuid'ed to the user, not root.  Those permissions would not let
anyone change their password (hopefully).

Ahh, but what if the users also did the same exploit (assuming it
works) for the /etc/password and shadow files.  Whoops, can't copy
the shadow file, but a mimic'ing copy could be hand-crafted.

Then, if the exploit worked, the user would own the password and
shadow files and have installed a program that could change them.


  Security, nasty stuff, but someone told me I have to do it :)

BTW I, like others, only recover/restore to an empty space and copy
what I want to the actual location after examining it.  Except once
recently when I wanted an entire FS recovered to a newly created
(thus fresh and empty) partition.

-- 
Jon H. LaBadie                  jon AT jgcomp DOT com
 JG Computing
 4455 Province Line Road        (609) 252-0159
 Princeton, NJ  08540-4322      (609) 683-7220 (fax)
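
A check to go with the restore-to-an-empty-space habit described above, as an added example that is not part of the original post or of Amanda: it audits a restored staging tree before anything is copied into place. The function names, the finding strings, and the constructed layout (a student's `bin` that is a soft link on the live system but a directory in the backup) are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_restore(staging, live_root, trusted_uids=(0,)):
    """Return sorted (relative_path, reason) findings for a staging tree."""
    staging = os.path.realpath(staging)
    findings = []
    for dirpath, dirnames, filenames in os.walk(staging, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, staging)
            st = os.lstat(path)  # lstat: inspect the entry, never its target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                if os.path.commonpath([staging, target]) != staging:
                    findings.append((rel, "symlink points outside staging"))
            elif stat.S_ISDIR(st.st_mode):
                # Case (b): a directory in the backup, a soft link on disk.
                if os.path.islink(os.path.join(live_root, rel)):
                    findings.append((rel, "live path is a symlink"))
            elif (st.st_mode & (stat.S_ISUID | stat.S_ISGID)
                  and st.st_uid not in trusted_uids):
                findings.append((rel, "setuid/setgid, untrusted owner"))
    return sorted(findings)

def demo():
    """Audit a constructed staging tree against a constructed live tree."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = os.path.join(tmp, "staging")
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(staging, "home/student/bin"))
        os.makedirs(os.path.join(live, "home/student"))
        os.makedirs(os.path.join(live, "usr/bin"))
        # Live tree: the student's "bin" is a soft link to a system directory.
        os.symlink(os.path.join(live, "usr/bin"),
                   os.path.join(live, "home/student/bin"))
        # Staging tree: "bin" is a real directory holding a setuid file.
        prog = os.path.join(staging, "home/student/bin/passwd")
        open(prog, "w").close()
        os.chmod(prog, 0o4755)
        os.symlink("/etc", os.path.join(staging, "home/student/etc-link"))
        # No uid is trusted, so the result does not depend on who runs it.
        return audit_restore(staging, live, trusted_uids=())

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Anything it reports is a path to examine by hand before copying it to the actual location.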
