Re: [Networker] recover command and security
2004-01-23 16:33:44
Yes the files were world readable. I would still like the possibility of
preventing users from recovering files that do not belong to them. I changed
the permissions to 750 for recover, save and nwrecover. This also has the
benefit of preventing a DOS on our autochanger.
Thanks,
Joel
Scott Russell wrote:
> On Fri, 2004-01-23 at 12:53, Joel Krajden wrote:
> > Is there any way to prevent an ordinary user from recovering files that do not
> > belong to the user? I thought this problem was fixed but I just used the linux
> > 6.1.3 client to recover a file belonging to root which was restored as
> > belonging to me.
>
> Are you sure the user running recover:
> 1) Cannot read the file on the filesystem (unix permissions)
> 2) Is not defined as an admin in networker
>
> From a legato 6.1.4 client on Red Hat 7.3 as a normal user:
>
> [scottrus@ltcserv-eth scottrus]$ ls -al /etc/passwd /etc/shadow
> -rw-r--r-- 1 root root 1869 Dec 16 12:54 /etc/passwd
> -r-------- 1 root root 1805 Dec 16 12:54 /etc/shadow
> recover: Current working directory is /home/scottrus/
> recover> add /etc/passwd
> /etc
> 1 file(s) marked for recovery
> recover> add /etc/shadow
> /etc
> /etc/shadow: Permission denied
> 1 file(s) marked for recovery
> recover> list
> /etc/passwd @ Fri Jan 16 22:26:48 2004
> 1 file(s) marked for recovery
>
> This shows that I can recover the /etc/passwd file, which makes sense
> because the user 'scottrus' has read access to it on the file system
> (unix perms). I cannot recover the /etc/shadow file because the user
> 'scottrus' cannot read it.
>
> --
> Scott Russell <lnxgeek AT us.ibm DOT com>
> Linux Technology Center System Admin
> http://ltc.linux.ibm.com/
--
Note: To sign off this list, send a "signoff networker" command via email
to listserv AT listmail.temple DOT edu or visit the list's Web site at
http://listmail.temple.edu/archives/networker.html where you can
also view and post messages to the list.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
--
| Joel Krajden | Rm: LB-915, Tel: 514 848-2424 3052 |
| | Fax: 514 848-2830 |
| Senior Systems Analyst | Email: joelk AT cs.concordia DOT ca |
| Dept. of Computer Science | http://www.cs.concordia.ca/~staffcs/joelk |
| Concordia University | Remember it's a circus and the clowns |
| Montreal, Canada | are supposed to make you laugh, not cry. |
--
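
One way to verify the 750 change described in the message above, as an added example that is not part of the original thread. The directory argument is an assumption, since the thread does not say where the client binaries are installed, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Audit sketch (added example): report whether recover, save and nwrecover
# still grant any permission bits to "other". The install directory is an
# assumption and must be supplied by the caller.

# Print the octal mode of a file, following symlinks.
# Tries GNU stat first, then falls back to BSD stat.
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# audit_nw_bins DIR
# Prints one status line per binary and returns 1 if any of them is still
# accessible to users outside the owner and the owning group.
audit_nw_bins() {
    dir=$1
    rc=0
    for name in recover save nwrecover; do
        path="$dir/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            continue
        fi
        mode=$(file_mode "$path")
        case "$mode" in
            *0) echo "OK $mode $path" ;;        # last octal digit 0: nothing for "other"
            *)  echo "OPEN $mode $path"; rc=1 ;; # e.g. 755: any user can run it
        esac
    done
    return $rc
}

# Run the audit only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_nw_bins "$1"
fi
```

With mode 750 the owner and members of the file's group can still run these binaries, so the group that owns them decides who can start a recover.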