2004-01-23 16:33:44
Subject: Re: [Networker] recover command and security
From: Joel Krajden <joelk AT CS.CONCORDIA DOT CA>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Fri, 23 Jan 2004 16:33:38 -0500
Yes, the files were world readable. I would still like the possibility of
preventing users from recovering files that do not belong to them. I changed
the permissions to 750 for recover, save and nwrecover. This also has the
benefit of preventing a DOS on our autochanger.


Thanks,
Joel

Scott Russell wrote:
On Fri, 2004-01-23 at 12:53, Joel Krajden wrote:

Is there any way to prevent an ordinary user from recovering files that do not
belong to the user? I thought this problem was fixed but I just used the Linux
6.1.3 client to recover a file belonging to root which was restored as
belonging to me.

Are you sure the user running recover:

1) Cannot read the file on the filesystem (unix permissions)
2) Is not defined as an admin in networker

From a legato 6.1.4 client on Red Hat 7.3 as a normal user:

[scottrus@ltcserv-eth scottrus]$ ls -al /etc/passwd /etc/shadow
-rw-r--r--    1 root     root         1869 Dec 16 12:54 /etc/passwd
-r--------    1 root     root         1805 Dec 16 12:54 /etc/shadow

recover: Current working directory is /home/scottrus/
recover> add /etc/passwd
/etc
1 file(s) marked for recovery
recover> add /etc/shadow
/etc
/etc/shadow: Permission denied
1 file(s) marked for recovery
recover> list
/etc/passwd @ Fri Jan 16 22:26:48 2004
1 file(s) marked for recovery

This shows that I can recover the /etc/passwd file, which makes sense
because the user 'scottrus' has read access to it on the file system
(unix perms). I cannot recover the /etc/shadow file because the user
'scottrus' cannot read it.

--
Scott Russell <lnxgeek AT us.ibm DOT com>
Linux Technology Center System Admin
http://ltc.linux.ibm.com/

--
Note: To sign off this list, send a "signoff networker" command via email
to listserv AT listmail.temple DOT edu or visit the list's Web site at
http://listmail.temple.edu/archives/networker.html where you can
also view and post messages to the list.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=


--
| Joel Krajden              | Rm: LB-915,  Tel: 514 848-2424 3052         |
|                           | Fax: 514 848-2830                           |
| Senior Systems Analyst    | Email: joelk AT cs.concordia DOT ca         |
| Dept. of Computer Science | http://www.cs.concordia.ca/~staffcs/joelk   |
| Concordia University      |   Remember it's a circus and the clowns     |
| Montreal, Canada          |   are supposed to make you laugh, not cry.  |

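An added example, not code from either post: a POSIX shell audit that checks whether the NetWorker client binaries Joel locked down (recover, save, nwrecover) still carry any permission bits for "other", so a drift back to world-executable is caught. NSR_BIN is an assumed install path; set it to wherever the client binaries live on your hosts.

```shell
#!/bin/sh
# Audit NetWorker client binaries for the 750 mode described in the thread.
# NSR_BIN is an assumption; override it for your install (e.g. /usr/bin).
NSR_BIN="${NSR_BIN:-/usr/sbin}"

# audit_mode FILE
#   prints "ok" when FILE grants no permission bits to "other",
#   prints "world-accessible (<bits>)" otherwise,
#   prints "missing" and returns 1 when FILE does not exist.
audit_mode() {
    f="$1"
    [ -e "$f" ] || { echo "missing"; return 1; }
    # Portable: columns 8-10 of `ls -ld` are the "other" rwx triple.
    other=$(ls -ld "$f" | cut -c8-10)
    if [ "$other" = "---" ]; then
        echo "ok"
    else
        echo "world-accessible ($other)"
    fi
}

# audit_networker_bins
#   checks recover, save and nwrecover under NSR_BIN; returns 0 only when
#   every binary exists and is closed to "other".
audit_networker_bins() {
    rc=0
    for b in recover save nwrecover; do
        result=$(audit_mode "$NSR_BIN/$b") || rc=1
        echo "$NSR_BIN/$b: $result"
        case "$result" in
            ok) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}
```

Run it from cron or a config-management check so that a package upgrade that resets the modes to 755 is reported rather than silently reopening recover to every local user.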