Date: Fri, 31 Aug 2001 22:06:16 -0500
From: Mike Meyer <mwm@mired.org>
To: mark tinguely <tinguely@web.cs.ndsu.nodak.edu>
Cc: questions@freebsd.org
Subject: RE: Remote dumps
Message-ID: <15248.20648.967017.227173@guru.mired.org>
In-Reply-To: <41322062@toto.iv>

mark tinguely <tinguely@web.cs.ndsu.nodak.edu> types:
> rdump only requires root access to open the restricted network port.
> setuid the rdump application and using a non-privileged user will
> close some of the root to root access sharing. If the setuid opens
> too large of a concern, a modification of the rdump code to lower
> the privilege after the socket has been opened should close any holes.

You're only closing access from gottape to backme. But the only reason
that gottape has to have access to backme is because you're starting
the backup from gottape. If you start it from backme, the problem
doesn't exist. On the other hand, backme implicitly trusts gottape, as
all its backups - and presumably restores - go through gottape.

Going the other way, rdump uses rcmd to launch rmt on gottape. As you
indicate, this happens at elevated privilege on backme, and results in
rmt running at elevated privilege on gottape. Since rcmd can be used to
launch an arbitrary command on gottape from backme, root on backme has
full access to gottape.

You can do the same kind of uid and setuid stuff with rmt on gottape,
and fix your backup script to use backup@gottape:/dev/nrsa0.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
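
The privilege drop suggested in the quoted text (open the restricted port first, then lower the privilege), as an added C example that is not taken from the rdump source or from either poster. The function names are hypothetical, and it assumes a setuid-root binary started by an unprivileged user.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to a free reserved port (512-1023), which rcmd(3)
 * clients must use. Returns the socket, or -1 (typically when not root). */
int open_reserved_socket(void)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sin = {0};
    sin.sin_family = AF_INET;             /* sin_addr stays INADDR_ANY */
    for (int port = 1023; s >= 0 && port >= 512; port--) {
        sin.sin_port = htons((unsigned short)port);
        if (bind(s, (struct sockaddr *)&sin, sizeof sin) == 0)
            return s;
    }
    if (s >= 0)
        close(s);
    return -1;
}

/* Permanently become uid/gid. Order matters: groups, then gid, then uid.
 * Returns 0 only after confirming that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                        /* "dropping" to root drops nothing */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                        /* shed root's supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;                        /* saved uid still lets us back in */
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

int main(void)
{
    int s = open_reserved_socket();       /* the only step that needs root */
    if (drop_privileges(getuid(), getgid()) != 0)
        return 1;                         /* never continue while privileged */
    printf("reserved socket %s; uid=%d euid=%d\n",
           s >= 0 ? "open" : "unavailable", (int)getuid(), (int)geteuid());
    return s >= 0 ? 0 : 1;
}
```

The socket stays usable after the drop because the privilege check happens at bind time, not on later reads and writes.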