Networker

Re: [Networker] recover command and security

2004-01-23 19:01:54
From: George Sinclair <George.Sinclair AT NOAA DOT GOV>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Fri, 23 Jan 2004 19:02:22 -0500

A simple solution to this problem would be to have the program
authenticate the user by first attempting to open a file that only root
could read, thereby ensuring that the program was indeed launched by
the root user. This is more thorough than merely checking the UID of the
process (can be fooled) and passing this to the server. I'm really
surprised that Legato still hasn't managed to solve such a simple
problem (sigh).

How does 7.x handle this?

Tim Mooney wrote:
>
> In regard to: [Networker] recover command and security, Joel Krajden said...:
>
> >Is there any way to prevent an ordinary user from recovering files that do not
> >belong to the user? I thought this problem was fixed but I just used the Linux
> >6.1.3 client to recover a file belonging to root which was restored as
> >belonging to me.
>
> Not with 6.1.x.  In fact, on many systems it's nearly impossible to prevent
> a determined user from recovering files that they should have no access to,
> especially since a `recover' binary could be extracted from any of the
> downloadable packages on Legato's web site.
>
> Tim
> --
> Tim Mooney                              mooney AT dogbert.cc.ndsu.NoDak DOT edu
> Information Technology Services         (701) 231-1076 (Voice)
> Room 242-J6, IACC Building              (701) 231-8541 (Fax)
> North Dakota State University, Fargo, ND 58105-5164
>
> --
> Note: To sign off this list, send a "signoff networker" command via email
> to listserv AT listmail.temple DOT edu or visit the list's Web site at
> http://listmail.temple.edu/archives/networker.html where you can
> also view and post messages to the list.
> =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

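The file-open check proposed in the message above, next to the effective-UID check it is compared with, as an added example that is not part of the original thread and is not NetWorker code. The function name `probe_root_only_file` and the probe path are hypothetical; the check verifies the opened file really is root-owned and private, since an open that merely succeeds proves nothing if anyone can create the file. It runs inside the client, so it says nothing about a different `recover` binary.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if `path` could be opened for reading AND the opened
 * file is a regular file owned by uid 0 with no group/other permission
 * bits, i.e. a file that only root can read. Returns 0 otherwise. */
int probe_root_only_file(const char *path)
{
    struct stat st;
    int ok = 0;
    /* O_NOFOLLOW: refuse a symlink planted at the probe path.
     * O_NONBLOCK: do not hang if the path is a FIFO or a device. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return 0;               /* cannot read it: caller is not root */
    /* fstat the descriptor, not the path, so the ownership and mode
     * checks apply to the file that was actually opened. */
    if (fstat(fd, &st) == 0 &&
        S_ISREG(st.st_mode) &&
        st.st_uid == 0 &&
        (st.st_mode & (S_IRWXG | S_IRWXO)) == 0)
        ok = 1;
    close(fd);
    return ok;
}

int main(int argc, char **argv)
{
    /* Hypothetical probe path: a file the administrator created as
     * root with mode 0600. Override it with the first argument. */
    const char *path = argc > 1 ? argv[1] : "/etc/recover.probe";
    printf("euid check: %s\n", geteuid() == 0 ? "root" : "not root");
    printf("file probe: %s\n",
           probe_root_only_file(path) ? "root" : "not root");
    return 0;
}
```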