Amanda-Users

Re: maybe this is a dumb question

2003-08-26 12:17:50
Subject: Re: maybe this is a dumb question
From: Jay Fenlason <fenlason AT redhat DOT com>
To: Chris Barnes <chris-barnes AT tamu DOT edu>
Date: Tue, 26 Aug 2003 12:08:50 -0400
On Tue, Aug 26, 2003 at 10:34:49AM -0500, Chris Barnes wrote:
> One of my student workers - who happens to be setting up Amanda,
> recently came to me with a concern about how the backup/restore process
> handles soft links.   I suspect that this is a non-issue in that Amanda
> has already figured out a way to deal with this, but just in case...
> 
> Let's say a user creates a soft link in their home directory that points
> to
> /usr/bin, eg:
> 
> lrwxrwxrwx  1 cbarnes  barnes   15 July  1 13:35 mybin -> /usr/bin/
> 
> Then the backups of the home are run.
> 
> Then the user removes the softlink and creates a real directory with
> that same name.
> 
> drwxr-xr-x  2 cbarnes  barnes 4096 Aug 18 17:23 mybin
> 
> and then puts a modified program into that directory:
> 
> drwxr-xr-x    2 cbarnes  barnes       4096 Aug 18 17:23 ./
> drwxr-xr-x   13 cbarnes  cbarnes      4096 Aug 25 17:31 ../
> -r-s--x--x    1 cbarnes  barnes       7667 Aug 18 17:26 passwd*
> 
> and backups are run again.
> 
> 
> The concern is that when a restore is run, the softlink to the /usr/bin
> directory will be recreated, then the file will be restored into that
> directory, overwriting the file that is supposed to be there (ie.
> creating a security issue).
> 
> 
> 1) Is this possible, or does Amanda already do something to prevent
> this?
> 2) If it is possible, are there any security considerations we need to
> take into consideration when running backups or restore jobs?

Amanda doesn't do anything about this--it just calls the underlying
backup mechanism (gnutar or dump) to do the dirty work.  It's up to
the underlying backup mechanism to handle this.  So the right people
to be asking a question like this are the gnutar maintainers or the
dump maintainers.

It's been too long since I wrote gnutar for me to remember how it
handles cases like this.  You should ask a more current maintainer.

A similar attack would be to have a directory "mybin" containing a file
"passwd" before a dump is done.  Then replace "mybin" with a symbolic
link to "/bin" and request a restore of "mybin/passwd".

I'll check out both of these scenarios and report back on what I find.

                        -- JF
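The symlink swap described in the question, and the reverse swap in the reply's second scenario, as an added example that is not part of the thread and is not code from Amanda, GNU tar or dump: a small Python restore loop replays an archive holding first a symlink "home/mybin" (the first backup) and then a regular file "home/mybin/passwd" (the second backup, taken after the link was replaced by a real directory), and refuses to write a regular file whose parent directory resolves, through a symlink, to somewhere outside the restore root. The archive is built in memory; the directory "usr_bin" standing in for /usr/bin, the file contents, and the helper names are all constructed for the example.

```python
"""Replays the symlink-swap restore described in the thread.

Added example, not code from Amanda, GNU tar or dump.  The archive is built
in memory and every name in it (home/mybin, usr_bin, the file contents) is
constructed for the demonstration.
"""
import io
import os
import tarfile
import tempfile

ORIGINAL = "original passwd binary\n"      # constructed stand-in for /usr/bin/passwd
PAYLOAD = b"modified passwd program\n"     # constructed stand-in for the user's binary


def build_archive(link_target: str) -> bytes:
    """Constructed archive: first 'home/mybin' as a symlink (the first
    backup), then a regular 'home/mybin/passwd' (the second backup, taken
    after the link was replaced by a real directory)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("home/mybin")
        link.type = tarfile.SYMTYPE
        link.linkname = link_target
        tar.addfile(link)
        prog = tarfile.TarInfo("home/mybin/passwd")
        prog.size = len(PAYLOAD)
        prog.mode = 0o4511                   # setuid, as in the listing in the mail
        tar.addfile(prog, io.BytesIO(PAYLOAD))
    return buf.getvalue()


def parent_inside_root(root: str, member: str) -> bool:
    """True only if the directory the member would be written into resolves
    (symlinks followed, as the kernel follows them on open) to a path under
    root.  The check is made against the filesystem at write time, so it also
    catches a symlink that was already on disk before the restore started
    (the reply's second scenario)."""
    root_real = os.path.realpath(root)
    parent_real = os.path.realpath(os.path.dirname(os.path.join(root, member)))
    return parent_real == root_real or parent_real.startswith(root_real + os.sep)


def restore(archive: bytes, root: str, check: bool) -> dict:
    """Member-by-member restore.  Returns {member name: 'restored'|'refused'}."""
    outcome = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            dest = os.path.join(root, m.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, dest)
                outcome[m.name] = "restored"
            elif m.isreg():
                if check and not parent_inside_root(root, m.name):
                    outcome[m.name] = "refused"
                    continue
                with open(dest, "wb") as fh:   # follows 'mybin' if it is a link
                    fh.write(tar.extractfile(m).read())
                os.chmod(dest, m.mode)
                outcome[m.name] = "restored"
    return outcome


def demo() -> dict:
    """Runs the restore with and without the check in fresh temp trees.
    'usr_bin' stands in for /usr/bin; 'victim' is the content of its passwd
    after the restore."""
    results = {}
    for check in (True, False):
        with tempfile.TemporaryDirectory() as top:
            usr_bin = os.path.join(top, "usr_bin")
            os.mkdir(usr_bin)
            victim = os.path.join(usr_bin, "passwd")
            with open(victim, "w") as fh:
                fh.write(ORIGINAL)
            root = os.path.join(top, "restore")
            os.mkdir(root)
            outcome = restore(build_archive(usr_bin), root, check)
            with open(victim) as fh:
                outcome["victim"] = fh.read()
            results["checked" if check else "unchecked"] = outcome
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

Run as a script it prints both outcomes: without the check the restore of "home/mybin/passwd" lands in usr_bin and replaces the original, which is exactly the overwrite the question worries about; with the check that member is refused and the original is untouched. The check is deliberately made on the on-disk path at write time rather than on the archive contents alone, which is why it covers both orderings (link-then-directory in the archive, or a link already sitting on disk when a single file is restored).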