From owner-freebsd-questions  Fri Aug 31 20: 6:20 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-94-248-46.mmcable.com [24.94.248.46])
	by hub.freebsd.org (Postfix) with SMTP id EE9FC37B406
	for <questions@freebsd.org>; Fri, 31 Aug 2001 20:06:17 -0700 (PDT)
Received: (qmail 80121 invoked by uid 100); 1 Sep 2001 03:06:17 -0000
From: Mike Meyer <mwm@mired.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15248.20648.967017.227173@guru.mired.org>
Date: Fri, 31 Aug 2001 22:06:16 -0500
To: mark tinguely <tinguely@web.cs.ndsu.nodak.edu>
Cc: questions@freebsd.org
Subject: RE: Remote dumps
In-Reply-To: <41322062@toto.iv>
X-Mailer: VM 6.90 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG%
 *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

mark tinguely <tinguely@web.cs.ndsu.nodak.edu> types:
> rdump only requires root access to open the restricted network port.
> setuid the rdump application and using a non-privileged user will
> close some of the root to root access sharing. If the setuid opens
> too large of a concern, a modification of the rdump code to lower
> the privilege after the socket has been opened should close any holes.

You're only closing access from gottape to backme. But the only reason
that gottape has to have access to backme is because you're starting
the backup from gottape. If you start it from backme, the problem
doesn't exist. On the other hand, backme implicitly trusts gottape, as
all it's backups - and presumably restores - go through gottape.

Going the other way, rdump uses rcmd to launch rmt on the gottape. As
you indicate, this happens at elevated privilege on backme, and
results in rmt running at elevated privilege on gottape. Since rcmd
can be used to launch an arbitrary command on gottape from backme,
root on backme has full access to gottape. You can do the same kind of
uid and setuid stuff with rmt on gottape, and fix your backup script
to use backup@gottape:/dev/nrsa0.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message