Networker

Re: [Networker] recover command and security

2004-01-23 15:40:53
Subject: Re: [Networker] recover command and security
From: Scott Russell <lnxgeek AT US.IBM DOT COM>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Fri, 23 Jan 2004 15:39:07 -0500
On Fri, 2004-01-23 at 12:53, Joel Krajden wrote:
> Is there any way to prevent an ordinary user from recovering files that do not
> belong to the user? I thought this problem was fixed but I just used the linux
> 6.1.3 client to recover a file belonging to root which was restored as
> belonging to me.


Are you sure the user running recover:

1) Cannot read the file on the filesystem (unix permissions)
2) Is not defined as an admin in networker

From a legato 6.1.4 client on Red Hat 7.3 as a normal user:

[scottrus@ltcserv-eth scottrus]$ ls -al /etc/passwd /etc/shadow
-rw-r--r--    1 root     root         1869 Dec 16 12:54 /etc/passwd
-r--------    1 root     root         1805 Dec 16 12:54 /etc/shadow

recover: Current working directory is /home/scottrus/
recover> add /etc/passwd
/etc
1 file(s) marked for recovery
recover> add /etc/shadow
/etc
/etc/shadow: Permission denied
1 file(s) marked for recovery
recover> list
/etc/passwd @ Fri Jan 16 22:26:48 2004
1 file(s) marked for recovery

This shows that I can recover the /etc/passwd file, which makes sense
because the user 'scottrus' has read access to it on the file system
(unix perms). I cannot recover the /etc/shadow file because the user
'scottrus' cannot read it.

--
Scott Russell <lnxgeek AT us.ibm DOT com>
Linux Technology Center System Admin
http://ltc.linux.ibm.com/
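
The rule the session above demonstrates, as an added example that is not part of the original message and is not NetWorker code: assuming recover's check matches the plain Unix mode-bit read test (ACLs and parent-directory search permission are ignored), this reports files a given user does not own but could still mark for recovery. The function names, the sample paths other than /etc/passwd and /etc/shadow, and all uid/gid values are constructed.

```python
import os
import stat

# Constructed sample entries (path, mode, owner uid, owner gid). The first two
# mirror the ls output in the message; the others and all ids are invented.
SAMPLE = [
    ("/etc/passwd", 0o100644, 0, 0),
    ("/etc/shadow", 0o100400, 0, 0),
    ("/srv/payroll/q4.csv", 0o100640, 0, 500),
    ("/home/scottrus/notes.txt", 0o100600, 1000, 1000),
]

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix read test on mode bits only (assumption: no ACLs)."""
    if uid == 0:
        return True                       # root bypasses the mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)  # owner class wins, even if it denies
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def foreign_readable(entries, uid, gids):
    """Paths the user does not own but can read: recoverable under this rule."""
    return [path for path, mode, o_uid, o_gid in entries
            if o_uid != uid and can_read(mode, o_uid, o_gid, uid, gids)]

def scan_tree(root, uid, gids):
    """Same report for a real directory tree; lstat so symlinks are not followed."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                entries.append((path, st.st_mode, st.st_uid, st.st_gid))
    return foreign_readable(entries, uid, gids)

if __name__ == "__main__":
    # Hypothetical ordinary user: uid 1000, member of group 1000 only.
    for path in foreign_readable(SAMPLE, 1000, {1000}):
        print("recoverable by uid 1000:", path)
```

Tightening the mode bits on a file narrows what this rule exposes only for backups taken afterwards, if the check is made against the permissions stored with the saved copy; the message does not say which copy recover consults.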
