--On Friday, May 23, 2003 03:10:42 +0930 Richard Russell <richard AT yellowgoanna
DOT com> wrote:
<snip>
> Of course, restricting them to their own home directory is easier said
> than done. I do think it's possible, and I think the way to do this
> would be to forbid ".." in the directory path, and to always maintain
> the prefix you want. I'd appreciate it if someone could show how this
> would result in a security problem (assume for a moment that I code the
> interface correctly, and there are no exploits .... big assumption, I
> know, but one that needs to be made for this to make sense)...
There are almost always exploits. Don't forget to check for variations
of .. such as %2e%2e.
If you are looking for the ability for users to be able to self-restore,
consider a snapshot filesystem for their home directories (either one done
in hardware (e.g. Network Appliance filers), built into the OS (like Solaris'
fssnap utility) or homegrown (using various free scripts based on rsync, etc.)).
Any of those would give users the ability to instantly restore old files,
although possibly not being able to go as far back in time as your tapes.
One other problem you will quickly run up against is contention for the
tape drive. Since a restore can take quite a while, depending on the speed
of your tape and how many tapes are involved in the restore, the odds are
good that the users will step on each other and/or your amchecks and amdumps,
and if you don't have a library you will be very busy shuffling tapes.
There are also optimization issues if, for example, two people need files
restored from yesterday. If you were doing it manually you could restore
both at the same time, but if it were user driven the tape(s) would need
to be read twice.
Frank
--
Frank Smith                    fsmith AT hoovers DOT com
Systems Administrator          Voice: 512-374-4673
Hoover's Online                Fax:   512-374-4501
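The two points the exchange raises (forbid ".." in the path, always keep the home-directory prefix, and remember that ".." can arrive percent-encoded as %2e%2e) can be combined into one confinement check. The code below is an added illustration written for this page; it is not part of Richard's or Frank's posts and not from Amanda. The base directory /home/alice, the function names and the sample requests are constructed for the example. It decodes percent-encoding until the string stops changing (so double-encoded %252e%252e is caught too), rejects NUL bytes and any remaining ".." component, rebuilds the path from the trusted prefix, and finally verifies that the result still starts with that prefix. Symlinks inside the home directory are a separate concern: a deployed check would additionally resolve the candidate with os.path.realpath on the live filesystem and re-apply the prefix test.

```python
"""Confine a user-supplied relative path to a fixed home directory.

Added example for the thread above; base directory and inputs are constructed.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Bounded so a string like %25252e cannot keep the decoder busy forever.
MAX_DECODE_ROUNDS = 3


def fully_decode(raw: str) -> str:
    """Percent-decode until the string is stable.

    One round turns %2e%2e into '..'; a second round is needed for the
    double-encoded %252e%252e. Stop early once nothing changes.
    """
    current = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    return current


def confine(base: str, user_path: str) -> Optional[str]:
    """Return the absolute path of user_path under base, or None if it escapes.

    base is the trusted prefix (e.g. the user's home directory). user_path is
    whatever the user typed; it is treated as relative to base even if it
    starts with '/', so an absolute request is simply re-rooted, not honoured.
    """
    decoded = fully_decode(user_path)

    # A NUL byte would truncate the path in a C-level syscall; never pass it on.
    if "\x00" in decoded:
        return None

    # Treat backslashes as separators so '..\\' cannot slip past the split.
    decoded = decoded.replace("\\", "/")

    # Drop empty and '.' components, then refuse any '..' that survived decoding.
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if any(p == ".." for p in parts):
        return None

    # Rebuild from the trusted prefix; normpath collapses anything left over.
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, *parts)) if parts else base_norm

    # "Always maintain the prefix": the final path must be base itself or live below it.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


def demo() -> dict:
    """Run the check over constructed requests; keys are the raw user input."""
    base = "/home/alice"  # constructed sample home directory
    requests = [
        "docs/report.txt",          # ordinary file: allowed
        "docs/./a//b",              # redundant separators: normalised, allowed
        "",                         # empty request: resolves to the home dir itself
        "../bob/secret",            # plain traversal: rejected
        "%2e%2e/bob/secret",        # percent-encoded traversal: rejected
        "%252e%252e/bob/secret",    # double-encoded traversal: rejected
        "..%5c..%5cetc/passwd",     # encoded backslash traversal: rejected
        "docs/%00.txt",             # embedded NUL: rejected
        "/etc/passwd",              # absolute request: re-rooted under base
    ]
    return {req: confine(base, req) for req in requests}


if __name__ == "__main__":
    for raw, result in demo().items():
        print(f"{raw!r:28} -> {result}")
```

The check is deliberately string-level and filesystem-independent so it can run in the request parser before anything touches disk; the prefix comparison uses `base + "/"` so that a sibling such as /home/alice2 is not mistaken for a child of /home/alice.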