On Tue, Aug 26, 2003 at 10:34:49AM -0500, Chris Barnes wrote:
> The concern is that when a restore is run, the softlink to the /usr/bin
> directory will be recreated, then the file will be restored into that
> directory, overwriting the file that is supposed to be there (i.e.
> creating a security issue).
>
> 1) Is this possible, or does Amanda already do something to prevent
> this?
Chris,
Give your student worker a cookie (or a beer if they're old enough).
Though this isn't a new exploit technique, it sure looks to me like if
one:
- Uses 'program "DUMP"'
- Uses amrecover
Then your proposed exploit would work. extract_files_child()
in extract_list.c just calls 'restore x', and I just tested that
ufsrestore (Solaris) will behave exactly as you describe.
If instead you run:
    amrestore | ufsrestore r
you're safe, though this is not so convenient for partial
restores. :-)
I did not test from inside amrecover; if there is deep magic there
I am missing, I'd like to hear about it. From an Amanda point of
view, this is an issue with 'program', not with Amanda, of course.
I did not test 'tar -xpG' (that's how amrecover calls GNU tar).
> 2) If it is possible, are there any security considerations we need to
> take into consideration when running backups or restore jobs?
Yes. :-)
I'm *really* glad I don't admin a student or ISP environment!
If I did, I would tripwire everything, I guess.
-
Jay Lessert jay_lessert AT accelerant DOT net
Accelerant Networks Inc. (voice)1.503.439.3461
Beaverton OR, USA (fax)1.503.466.9472
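
Added example (not part of the original message, and not Amanda or ufsrestore code): a dry-run audit of a restore listing that flags any entry whose path passes through a symlink restored earlier and would therefore be written outside the restore root, which is the 'restore x' behaviour described above. The (path, kind, target) listing format, the function name and the sample paths are constructed for illustration.

```python
import posixpath

def audit_restore_listing(entries, restore_root):
    """Return [(listed_path, real_destination)] for entries that a
    symlink-following restore would write outside restore_root."""
    root = posixpath.normpath(restore_root)
    links = {}      # location of each restored symlink -> where it points
    findings = []

    def inside(path):
        return path == root or path.startswith(root.rstrip("/") + "/")

    def resolve(path, depth=0):
        # Walk the path, following any symlink the restore has already created.
        if depth > 40:
            raise ValueError("symlink loop in listing: " + path)
        parts = [p for p in path.split("/") if p]
        cur = "/"
        for i, part in enumerate(parts):
            cur = posixpath.normpath(posixpath.join(cur, part))
            if cur in links:
                rest = "/".join(parts[i + 1:])
                return resolve(posixpath.join(links[cur], rest), depth + 1)
        return cur

    for path, kind, target in entries:
        dest = posixpath.normpath(posixpath.join(root, path))
        # The final component is replaced, not followed; its parents are followed.
        parent = resolve(posixpath.dirname(dest))
        final = posixpath.join(parent, posixpath.basename(dest))
        if not inside(final):
            findings.append((path, final))
        if kind == "symlink":
            # Relative targets are interpreted from the link's own directory.
            links[final] = posixpath.normpath(posixpath.join(parent, target))
    return findings

# Constructed sample listing, in restore order, for a filesystem at /export/home.
SAMPLE = [
    ("student/bin", "symlink", "/usr/bin"),    # link leaving the filesystem
    ("student/bin/ls", "file", None),          # would land in /usr/bin
    ("student/docs", "symlink", "papers"),     # harmless relative link
    ("student/docs/a.txt", "file", None),
    ("student/notes.txt", "file", None),
]

if __name__ == "__main__":
    for listed, real in audit_restore_listing(SAMPLE, "/export/home"):
        print("REJECT %s -> would be written to %s" % (listed, real))
```
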