Amanda-Users

RE: maybe this is a dumb question

2003-08-27 13:37:27
Subject: RE: maybe this is a dumb question
From: "Jeremy L. Mordkoff" <jlm AT TataraSystems DOT com>
To: "Jay Lessert" <jayl AT accelerant DOT net>, "Chris Barnes" <chris-barnes AT tamu DOT edu>
Date: Wed, 27 Aug 2003 13:33:01 -0400
My policy is to never restore files in place. I always restore to a
temporary location and ask the owner to copy the file into place. That
avoids any stickiness. I remember a case where someone asked to have a
file restored, but it was only to do a diff. The restore was done "in
place", so afterwards they had the old file, but the new file was gone,
which was not an improvement. So this policy protects against stupidity
and malice.


JLM


Jeremy Mordkoff
Tatara Systems
978-206-0808 (direct)
978-206-0888 (fax)

injustice anywhere threatens justice everywhere -- Dr. Martin Luther King

-----Original Message-----
From: Jay Lessert [mailto:jayl AT accelerant DOT net] 
Sent: Tuesday, August 26, 2003 1:15 PM
To: Chris Barnes
Cc: amanda-users AT amanda DOT org
Subject: Re: maybe this is a dumb question

On Tue, Aug 26, 2003 at 10:34:49AM -0500, Chris Barnes wrote:
> The concern is that when a restore is run, the softlink to the /usr/bin
> directory will be recreated, then the file will be restored into that
> directory, overwriting the file that is supposed to be there (ie.
> creating a security issue).
> 
> 1) Is this possible, or does Amanda already do something to prevent
> this?

Chris,

Give your student worker a cookie (or a beer if they're old enough).
Though this isn't a new exploit technique, it sure looks to me like if
one:

    - Uses 'program "DUMP"'
    - Uses amrecover

Then your proposed exploit would work.  extract_files_child()
in extract_list.c just calls 'restore x', and I just tested that
ufsrestore (Solaris) will behave exactly as you describe.

If instead you run:

    amrestore | ufsrestore r

you're safe, though this is not so convenient for partial
restores.  :-)

I did not test from inside amrecover; if there is deep magic there
I am missing, I'd like to hear about it.  From an Amanda point of
view, this is an issue with 'program', not with Amanda, of course.

I did not test 'tar -xpG' (that's how amrecover calls GNU tar).

> 2) If it is possible, are there any security considerations we need to
> take into consideration when running backups or restore jobs?

Yes.  :-)

I'm *really* glad I don't admin a student or ISP environment!
If I did, I would tripwire everything, I guess.

-- 
Jay Lessert                               jay_lessert AT accelerant DOT net
Accelerant Networks Inc.                       (voice)1.503.439.3461
Beaverton OR, USA                                (fax)1.503.466.9472
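As an added example (not code from this thread or from Amanda), here is a small POSIX sh version of the staged-restore policy described above, with the check Chris's scenario calls for: before a staged file is copied into the live tree, refuse if any directory on its destination path is a symlink. It assumes the archive was already extracted into a staging directory by a tool that does not itself write later members through a symlink it restored earlier (Jay reports that ufsrestore does exactly that, so the staging extraction is the step to choose the tool for).

```shell
#!/bin/sh
# Added example, not code from the thread or from Amanda. Implements a
# "stage, check, then copy into place" restore so that a symlink such as
# usr/local/bin -> /usr/bin on the live system is never written through.
set -u

# Return 0 (true) if any directory component of "$1/$2" is a symlink,
# 1 (false) otherwise. $1 is the live root, $2 the archive-relative path
# of the file about to be written. The last component (the file itself)
# is not checked: overwriting a file is the restore's job.
path_crosses_symlink() {
    root=$1; cur=$root
    oldifs=$IFS; IFS=/; set -- $2; IFS=$oldifs
    while [ $# -gt 1 ]; do
        cur="$cur/$1"
        if [ -L "$cur" ]; then
            echo "refusing: $cur is a symlink to $(readlink "$cur")" >&2
            return 0
        fi
        shift
    done
    return 1
}

# Copy every regular file under the staging tree $1 into the live root $2,
# skipping any whose destination path passes through a symlink. Prints the
# number of skipped files on stdout so the operator can review them.
promote_staged() {
    stage=$1; root=$2; skipped=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if path_crosses_symlink "$root" "$f"; then
            skipped=$((skipped + 1))
        else
            mkdir -p "$root/$(dirname "$f")"
            cp -p "$stage/$f" "$root/$f"
        fi
    done <<EOF
$(cd "$stage" && find . -type f | sed 's|^\./||')
EOF
    echo "$skipped"
}
```

The skipped files stay in the staging tree, which is where the owner (per the policy above) is asked to copy from by hand after someone has looked at why the path was a symlink.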