secure remote backups

Ben Escoto bescoto@stanford.edu
Tue, 27 Nov 2001 13:45:22 -0800


--==_Exmh_1147638080P
Content-Type: text/plain; charset=us-ascii

>>>>> "MW" == mike wolman <mike@nux.co.uk>
>>>>> wrote the following on Tue, 27 Nov 2001 17:35:42 +0000 (GMT)

  MW> Hi Jason, I am playing with a suid wrapper for rdiff, then
  MW> sshing in as a backup user and running the wrapper script, as
  MW> linux refuses to run scripts as suid, i am playing doing it with
  MW> very limited c knowledge, and with a pile of other stuff
  MW> mounting in the inbox i have not had a chance to get it setup.

I was discussing something similar to this with a user.  He wanted
something like a --restrict-to commandline parameter or environment
variable so that rdiff-backup could run more safely suid root.

    Suppose machine A is backing up to machine B.  He, like you,
didn't want machine A logging into machine B as root all the time.  If
someone compromised machine A, they would get root on machine B
immediately by, for instance, mirroring the /etc/passwd file or
whatever.  So he wanted machine A to log into machine B as a user, but
then switch to root in a mode that only allowed for the writing to
certain directories.  With a --restrict-to option, he could make a
suid script that would run rdiff-backup with this option, guaranteeing
that important system files could not be overwritten but still
allowing rdiff-backup to change ownership (which requires root).

    This sounds like a good idea to me, but there seems to be some
technical problems.  The server could check each pathname on each
read/write request to make sure that it started with the appropriate
directory, but a user could get around this will symlinks.  As in, he
symlinks /safe/directory/foo to /etc/passwd, and then gets
rdiff-backup to read /safe/directory/foo, thus reading /etc/passwd.
rdiff-backup could stat each file immediately before doing any
reading/writing to make sure it isn't a symlink, but this seems like a
lot of overhead, and even then a user could create the symlink after
the statting but before the reading.

    So to sum it up, this seems like a useful idea, but I don't see
any way of actually implementing it correctly.  Anyone have thoughts
on the matter?


--
Ben Escoto




--==_Exmh_1147638080P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Exmh version 2.2 06/23/2000

iD8DBQE8BAlu+owuOvknOnURAmKHAJ4uMHfnKquAP7S+xMS+A0GSvgQ8LACfR7vW
mswNyIIznShwSkbq4LgrPgY=
=UWMT
-----END PGP SIGNATURE-----

--==_Exmh_1147638080P--