Date: Mon, 27 Sep 1999 06:59:17 -0700 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: cjclark@home.com Cc: dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG Subject: Re: dump(8) Insecurity/Misconfiguration Message-ID: <199909271359.GAA53200@cwsys.cwsent.com> In-Reply-To: Your message of "Sat, 25 Sep 1999 22:03:23 EDT." <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com>,
"Crist J. Cl
ark" writes:
> Matthew Dillon wrote,
> I am used to only doing it as root since the manpage says,
>
> "Dump cannot do remote backups without being run as root, due to its secu
> -
> rity history. This will be fixed in a later version of FreeBSD. Present
> -
> ly, it works if you set it setuid (like it used to be), but this might
> constitute a security risk."
The reason for this is that dump(8) uses the rsh protocol to issue an
rmt(8) command on the remote host. The rsh protocol requires that the
remote rshd(8) open a connection to a privileged port being listened to
by the rsh client.
Running dump as root isn't as big a security problem than the firewall
issues that this rsh issue raises, not to mention cleartext. Due to
it's copyright restrictions use of the SSH protocol may not be too
wise, however various VPN solutions do help.
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca
ITSD Cy.Schubert@gems8.gov.bc.ca
Province of BC
"e**(i*pi)+1=0"
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199909271359.GAA53200>