
Re: [Networker] recover command and security

2004-01-23 19:20:44
Subject: Re: [Networker] recover command and security
From: Tim Mooney <mooney AT DOGBERT.CC.NDSU.NODAK DOT EDU>
To: NETWORKER AT LISTMAIL.TEMPLE DOT EDU
Date: Fri, 23 Jan 2004 18:20:38 -0600
In regard to: Re: [Networker] recover command and security, Scott Russell...:

>> Not with 6.1.x.  In fact, on many systems it's nearly impossible to prevent
>> a determined user from recovering files that they should have no access to,
>> especially since a `recover' binary could be extracted from any of the
>> downloadable packages on Legato's web site.
>
>Can you educate me a bit on this? I posted a previous example to this
>thread showing a 6.1.4 client on Linux not allowing the recovery of a
>file the user did not have read access to.
>
>How does 6.1.x Networker let a user recover a file that they don't
>already have permission to read on the file system? A working example
>would be nice to see.
>
>If the user has read access to the file on the file system, Networker's
>ability to let that user recover the file off tape seems kind of
>pointless.

Scott-

I don't want to spell it out too clearly on the list since it's essentially
trivial to do.  Sketching the problem:

- The NetWorker server relies on the client `recover' to tell it who is
  running the `recover' program.  It uses that information to decide what
  they can browse and recover.

- On UNIX systems, `root' generally can browse and recover anything.

- Using a symbol replacement trick supported by the loader on many common
  UNIX platforms, it's possible to get non-setuid binaries to use a
  modified version of any system call.

- With about 3-5 lines of C code, loader knowledge, and shared library
  knowledge for a particular platform, it's trivial to trick recover into
  thinking it's being run by root.

- Once recover says "it's root that's running me", the Legato server will
  let you browse and recover any file.

If you need me to be more specific, email me off list.

Tim
--
Tim Mooney                              mooney AT dogbert.cc.ndsu.NoDak DOT edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

