Date: Sun, 09 Feb 1997 09:45:40 +0100
From: Eivind Eklund <eivind@dimaga.com>
To: Bruce Evans <bde@zeta.org.au>
Cc: current@freebsd.org, hackers@freebsd.org
Subject: Re: Proposed change to dump/restore
Message-ID: <3.0.32.19970209094538.00bb6cd0@dimaga.com>
At 07:34 AM 2/9/97 +1100, Bruce Evans wrote:
>>The suid capability of dump is only used for remote backups.
>>
>>dump has been known for security holes in the past, and is not a user
>>level program. I propose a change of default mode and owner for this
>>program to
>>-r-sr-x--- root:operator /sbin/dump
>
>It should be at least -r-sr-xr--.
>
>>which will disallow anybody not in the operator group from making backups
>>using dump (which is not too bad a thing, as only members of wheel can
>>access the hard disks directly, which is needed to be able to use dump
>>anyway), and only leave dump vulnerable to attacks from an operator :)
>
>Don't forget device independence. If you somehow have a ufs file system
>image in a file, then dump will work on it, and dump/restore is one way
>to list its contents. If dump is world readable, then anyone can run a
>nonsetuid copy of it to do this, but it's annoying to have to copy it.

How about saying that remote backups must be done by root or by explicitly
setting dump/restore setuid until we can find the time to make dump/restore
pipe to rsh? Removing setuid would let everybody execute it for normal
operation, and doesn't throw too many wrenches in the machinery for a
sysadmin - after all,

# chmod 6555 /sbin/dump /sbin/restore

isn't too major an operation if one really really wants to run them setuid.

>Hard disks are not accessible by members of group wheel. However, they
>are readable by group operator.

Most of mine were - probably an operating error on my part.

>Why do dump and restore currently have group tty?

dump plays the wall(1) game. Command entry from the man page:

     n       Whenever dump requires operator attention, notify all operators
             in the group ``operator'' by means similar to a wall(1).

which is actually incorrect - it notifies all operators not on a dialup.
It looks like the code can be changed to run write(1) instead of being
setgid tty fairly easily. (Peter Wemm's suggestion)

As far as I can tell, there is no reason for restore to be setgid tty - the
only reference to ttys in the source is to _PATH_TTY (/dev/tty), and that
isn't owned by group tty anyway. Probably the permission was carried over
from dump.

Eivind Eklund
perhaps@yes.no http://maybe.yes.no/perhaps/
eivind@freebsd.org
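As an added example (not code from this thread or from FreeBSD), a small POSIX sh helper that decodes the ls -l style modes discussed above (-r-sr-x---, -r-sr-xr--, the chmod 6555 variant) into octal and spells out who may run the binary and with whose privileges; the function names are my own.

```shell
#!/bin/sh
# Added example for this thread, not FreeBSD code: decode an ls -l style
# mode such as "-r-sr-x---" into octal and state who may run the file and
# with whose privileges it runs. Function names are my own.

# mode_to_octal MODE -> prints the 4-digit octal mode (e.g. 4550)
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || { echo "bad mode: $m" >&2; return 1; }
    special=0; perms=""; pos=2
    for who in u g o; do
        case $who in u) sbit=4 ;; g) sbit=2 ;; o) sbit=1 ;; esac
        bits=0
        [ "$(printf '%s' "$m" | cut -c "$pos")" = r ] && bits=4
        [ "$(printf '%s' "$m" | cut -c "$((pos + 1))")" = w ] && bits=$((bits + 2))
        case "$(printf '%s' "$m" | cut -c "$((pos + 2))")" in
            x)   bits=$((bits + 1)) ;;
            s|t) bits=$((bits + 1)); special=$((special + sbit)) ;;  # setuid/setgid/sticky with x
            S|T) special=$((special + sbit)) ;;                      # special bit without x
        esac
        perms="$perms$bits"; pos=$((pos + 3))
    done
    echo "$special$perms"
}

# describe_mode MODE OWNER GROUP
#   -> "OCTAL exec:<who may run it> priv:<ids gained via setuid/setgid>"
describe_mode() {
    oct=$(mode_to_octal "$1") || return 1
    sp=${oct%???}; rest=${oct#?}
    u=${rest%??}; g=${rest#?}; g=${g%?}; o=${rest#??}
    runby=""; priv=""
    [ $((u & 1)) -eq 1 ] && runby="$2"
    [ $((g & 1)) -eq 1 ] && runby="$runby,group $3"
    [ $((o & 1)) -eq 1 ] && runby="$runby,everyone"
    [ $((sp & 4)) -ne 0 ] && priv="setuid $2"
    [ $((sp & 2)) -ne 0 ] && priv="$priv setgid $3"
    priv=${priv# }
    echo "$oct exec:${runby#,} priv:${priv:-none}"
}

# The layouts discussed in the thread, plus a fully non-setuid dump for comparison.
for spec in "-r-sr-x--- root operator" "-r-sr-xr-- root operator" \
            "-r-sr-sr-x root tty" "-r-xr-xr-x root wheel"; do
    set -- $spec
    describe_mode "$1" "$2" "$3"
done
```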