Re: using Netcat as a wrapper on solaris

2002-08-08 13:41:56
From: Gene Heskett <gene_heskett AT iolinc DOT net>
To: aread AT localnet DOT com, amanda-users AT amanda DOT org
Date: Thu, 8 Aug 2002 13:26:30 -0400
On Thursday 08 August 2002 11:34, Adam D. Read wrote:
> Hello,
> In an effort to secure our servers, we do not run inetd at all,
> instead using tcpserver as a wrapper for our TCP services.  Since
> amandad is a UDP based service, netcat is the option of choice,
> having it exec amandad upon connection (run through daemontools).
> This works well on a linux box, but my first solaris box I
> started on is giving me trouble. I am running SunOS 5.8 and have
> the newest stable amanda and netcat.  I tested netcat w/ bash and
> it exec'd the shell perfectly through the UDP connection.  Is
> there a way to test amandad to make sure it is functioning at
> all?  It exits as soon as anything is sent to it through netcat.

1. That so-called security aspect is why RH converted to xinetd as 
that gives quite a bit more control over who can and can't run 
these services.  They in fact don't run until somebody with 
authorization to run them asks for them.  They're not even loaded 
unless they are still sitting there from the last time.

2. Amanda won't run when launched by a root user.  Another security 
measure I'm told.

3. So far, since RH7.0, I've had zilch problems running amanda 
through the services of xinetd.

So I'd be not terribly worried about some xinetd controlled service 
falling into the wrong hands, at least until we've had the first 
report that someone used it to gain access they weren't privileged 
for.  That may have happened, but I'd think this list would be the 
first to hear about it and we haven't heard a peep about that.

Now assuming you've compiled amanda so the owner:group is 
amanda:disk, this file copied into your /etc/xinetd.d directory as 
'amanda', and edited to fix the paths for your situation, should 
make it work.  These are the default paths FWIW.
-------------------------------------------
# default = off
#
# description: Part of the Amanda server package
# This is the list of daemons & such it needs
service amanda
{
        disable = no
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = amanda
        group           = disk
        groups          = yes
        server          = /usr/local/libexec/amandad
}
service amandaidx
{
        disable = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = amanda
        group           = disk
        groups          = yes
        server          = /usr/local/libexec/amindexd
}
service amidxtape
{
        disable = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = amanda
        group           = disk
        groups          = yes
        server          = /usr/local/libexec/amidxtaped
}
-----------------------------------------------

Amanda can also use the file /home/her-user-name/.amandahosts as an 
additional level of control as to who can run her.  See the docs 
for setting that up.

-- 
Cheers, Gene
AMD K6-III@500mhz 320M
Athlon1600XP@1400mhz  512M
99.10% setiathome rank, not too shabby for a WV hillbilly
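A small checker for xinetd service blocks like the ones in the mail above, added here as an example (it is not Gene's code and not part of Amanda): it parses each `service` block and flags the settings the reply depends on, namely a non-root `user`, `wait = yes` for the UDP datagram service, and agreement between `protocol` and `socket_type`. The sample input is the posted amandad block; the parser and checks are this example's own, and the default values assumed for missing attributes are stated in the comments.

```python
import re

# Sample input constructed for this example: the amandad block exactly as posted.
SAMPLE = """service amanda
{
        disable = no
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = amanda
        group           = disk
        groups          = yes
        server          = /usr/local/libexec/amandad
}
"""

BLOCK_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for each service block."""
    services = {}
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()        # drop comments, blanks
            if "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                attrs[key] = value
        services[name] = attrs
    return services

def check_service(attrs):
    """Findings for one enabled service; an empty list means no issue found."""
    findings = []
    if attrs.get("disable", "no") != "no":              # assumed default: enabled
        return findings                                  # disabled: nothing runs
    if attrs.get("user", "root") == "root":              # missing user treated as root
        findings.append("runs as root; amandad expects its own user (amanda)")
    if attrs.get("socket_type") == "dgram" and attrs.get("wait") != "yes":
        findings.append("dgram service needs wait = yes")
    expected = {"udp": "dgram", "tcp": "stream"}.get(attrs.get("protocol"))
    if expected and attrs.get("socket_type") != expected:
        findings.append(f"protocol {attrs['protocol']} needs socket_type = {expected}")
    if "server" not in attrs:
        findings.append("no server path set")
    return findings

def audit(text):
    """Map each service name in an xinetd file to its list of findings."""
    return {name: check_service(a) for name, a in parse_xinetd(text).items()}
```

Running `audit(SAMPLE)` on the posted block yields no findings; swapping `user` to root or `wait` to no produces one finding each.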
