Mailinglist Archive: opensuse-security (556 mails)

Re: [suse-security] automatic backups over ssh/scp
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Sat, 1 Sep 2001 16:43:46 +0200
  • Message-id: <20010901164345.B2075@xxxxxxxxx>
* Kurt Seifried wrote on Fri, Aug 31, 2001 at 15:36 -0600:
> Yes rsync needs to run as root on the server, to set file perms/etc, this
> can be somewhat mitigated by chroot'ing it (probably will be ok, but chroot
> can be broken out of by root, so some buffer overflow in rsync with a
> hostile client might be bad news).

Yep. And in fact root permissions of the whole service are _not_
required.

> Basically any backup software will have
> to run as root to set file perms, setuid/setgid bits, yadayada (kernel
> capabilities and whatnot aside).

It would be possible to have a small permission correction
process, which would be more simple code - because of that not
that risky. Second, it would be possible to put the permissions
in some special file (TRANS.TBL or the one used when doing
umsdos). This file could be used on restore operations or used by
some correction process. More safe.

> Hopefully that software was built with this
> in mind and supports some nice controls (like only write/read files in
> /foo/backups/*).

Well, once I overwrote local /etc/ with a buggy rsync-backup
script. Well, luckily the local backup of /etc/ was done first
and correct :) But this shows the dangers.

When using tar cf - | ssh > cat backup.tar only on one side (and
this is the read-only side) are required. No
network-root-connections and nothing. Even a buggy ssh wrapper
has only backup-user permissions. And a hacker could read/steal the
backups (which is very bad, too, but) not compromise systems or
manipulate data.

oki,

Steffen

--
This letter was generated by machine,
and therefore bears neither signature nor seal.
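
The receiving side of the tar-over-ssh scheme discussed in this message, sketched as an added example that is not part of the original post or of any tool named in it. It assumes an unprivileged account (here called `backup`) whose `authorized_keys` entry pins this script with OpenSSH's `command="..."` option; the function name `store_backup` and the host name in the comment are hypothetical.

```shell
#!/bin/sh
# Receiving-side wrapper for:  tar cf - /etc | ssh backup@backuphost etc-2001-09-01
# With a forced command, sshd never executes what the client asked for; the
# request arrives only as data in $SSH_ORIGINAL_COMMAND. Nothing here needs
# root: ownership and modes travel inside the tar stream and are only
# applied at restore time.

BACKUP_DIR="${BACKUP_DIR:-/foo/backups}"   # directory named in the thread

# store_backup NAME: write stdin to $BACKUP_DIR/NAME.tar. Refuses names that
# could leave the directory and refuses to overwrite an existing archive.
store_backup() {
    name=$1
    case $name in
        ''|.*|*[!A-Za-z0-9._-]*) echo "rejected name" >&2; return 2 ;;
    esac
    target="$BACKUP_DIR/$name.tar"
    if [ -e "$target" ]; then
        echo "exists: $target" >&2
        return 3
    fi
    umask 077                      # archives readable by the backup user only
    tmp="$target.part.$$"
    if cat > "$tmp"; then
        mv "$tmp" "$target"        # only complete streams get the final name
    else
        rm -f "$tmp"
        return 1
    fi
}

# Act only when sshd supplied a client request (i.e. run as forced command).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    store_backup "$SSH_ORIGINAL_COMMAND"
fi
```

A bug in a wrapper like this is bounded by what the backup account can reach, so the archives themselves remain the asset to protect, as the message notes.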
