Amanda-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to restore correct ownerships?

2004-11-22 05:18:45
Subject: Re: How to restore correct ownerships?
From: Paul Bijnens <paul.bijnens AT xplanation DOT com>
To: Thorsten Bremer <lists-read AT thoddi DOT de>
Date: Mon, 22 Nov 2004 10:58:06 +0100 
Thorsten Bremer wrote:


Yes, I know that Amanda setuid'ed himself to run some tasks with
higher privileges. But why he didn't setuid also while restore short
before the chown? 

I have indeed been thinking about such a possibility.
It could be implemented to use the suid-program runtar by amrecover.
(When using the bare "amrestore", or dd+tar you're assumed to Know
What You're Doing, and can limit the root access to the actual
extraction).
Still thinking of the consequences...  (It actually means that
the amanda user is equivalent to root: she can replace any file
with any content she wants, including /etc/shadow.)



When restoring as root, I had to enter a "<hostname> root"-line to the
amandahosts-file. Until now there only must be a "<hostname>
backup"-line for normal backup-tasks, because he uses setuid. Could'nt
this new root-entry be a security-hole now?


That depends on the people who have root access to that amanda-client.
If other people than me and my collegue have root access on a server,
I uncomment such a line in .amandahosts on the server, run amrecover,
and then comment it again.
Otherwise any root-person on that amanda-client can restore anything
they want from *any* client (you still have to insert a tape, probably
manually, but access to holdingdiskfiles and access to the
tape-to-be-overwritten-this-night is possible).


--
Paul Bijnens, Xplanation                            Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  Paul.Bijnens AT xplanation DOT com
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!,  M-Z, ^X^C,  logoff, logout, close, bye,  /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* kill -9 1,  Alt-F4,  Ctrl-Alt-Del,  AltGr-NumLock,  Stop-A,  ...    *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  processing for maxdumps settings, Sven Rudolph
Next by Date:  Problems with amrecover, no error messages, Sylvia Gelman
Previous by Thread:  Re: How to restore correct ownerships?, Thorsten Bremer
Next by Thread:  Re: How to restore correct ownerships?, Jon LaBadie
Indexes:  [Date] [Thread] [Top] [All Lists]