secure remote backups
Tue, 27 Nov 2001 13:45:22 -0800
>>>>> "MW" == mike wolman <email@example.com>
>>>>> wrote the following on Tue, 27 Nov 2001 17:35:42 +0000 (GMT)
MW> Hi Jason, I am playing with a suid wrapper for rdiff, then
MW> sshing in as a backup user and running the wrapper script, as
MW> Linux refuses to run scripts as suid, I am playing doing it with
MW> very limited C knowledge, and with a pile of other stuff
MW> mounting in the inbox i have not had a chance to get it setup.
I was discussing something similar to this with a user. He wanted
something like a --restrict-to commandline parameter or environment
variable so that rdiff-backup could run more safely suid root.
Suppose machine A is backing up to machine B. He, like you,
didn't want machine A logging into machine B as root all the time. If
someone compromised machine A, they would get root on machine B
immediately by, for instance, mirroring the /etc/passwd file or
whatever. So he wanted machine A to log into machine B as a user, but
then switch to root in a mode that only allowed for the writing to
certain directories. With a --restrict-to option, he could make a
suid script that would run rdiff-backup with this option, guaranteeing
that important system files could not be overwritten but still
allowing rdiff-backup to change ownership (which requires root).
This sounds like a good idea to me, but there seem to be some
technical problems. The server could check each pathname on each
read/write request to make sure that it started with the appropriate
directory, but a user could get around this with symlinks. As in, he
symlinks /safe/directory/foo to /etc/passwd, and then gets
rdiff-backup to read /safe/directory/foo, thus reading /etc/passwd.
rdiff-backup could stat each file immediately before doing any
reading/writing to make sure it isn't a symlink, but this seems like a
lot of overhead, and even then a user could create the symlink after
the statting but before the reading.
So to sum it up, this seems like a useful idea, but I don't see
any way of actually implementing it correctly. Anyone have thoughts
on the matter?
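
The stat-then-open race described in the message above goes away when the refusal to follow a symlink is part of the open call itself. This sketch is an added example, not part of the original message and not rdiff-backup code; `open_beneath` and `demo` are hypothetical names, the directory layout is constructed, and it assumes a POSIX system where Python's `os.open` supports `dir_fd` and `O_NOFOLLOW` (e.g. Linux).

```python
import os
import tempfile

def open_beneath(root_fd, relpath, flags=os.O_RDONLY, mode=0o600):
    """Open relpath under the directory root_fd without following any symlink."""
    parts = relpath.split("/")
    if any(p in ("", ".", "..") for p in parts):   # also rejects absolute paths
        raise ValueError("path must be relative, with no '.', '..' or empty parts")
    dir_fd = os.dup(root_fd)
    try:
        for name in parts[:-1]:
            # O_NOFOLLOW makes the kernel refuse a symlink at open time, so
            # there is no window between checking a name and using it.
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed scenario: a 'safe' tree holding symlinks that point outside it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        safe = os.path.join(tmp, "safe")
        os.makedirs(os.path.join(safe, "sub"))
        secret = os.path.join(tmp, "secret")        # stands in for /etc/passwd
        with open(secret, "w") as f:
            f.write("outside\n")
        with open(os.path.join(safe, "sub", "ok"), "w") as f:
            f.write("inside\n")
        os.symlink(secret, os.path.join(safe, "foo"))   # symlinked file
        os.symlink(tmp, os.path.join(safe, "up"))       # symlinked directory
        # The string prefix check alone accepts the symlinked path.
        results["prefix_check_passes"] = os.path.join(safe, "foo").startswith(safe + os.sep)
        root_fd = os.open(safe, os.O_RDONLY | os.O_DIRECTORY)
        try:
            for rel in ("sub/ok", "foo", "up/secret", "../secret"):
                try:
                    fd = open_beneath(root_fd, rel)
                    results[rel] = os.read(fd, 64).decode()
                    os.close(fd)
                except (OSError, ValueError):
                    results[rel] = "refused"
        finally:
            os.close(root_fd)
    return results
```

Because every component is opened relative to an already-open directory descriptor, swapping a path element for a symlink after validation makes the open fail instead of redirecting it.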