strip setuid/setgid bits on backup (was Re: small security-related rsync extension)
Dan Stromberg
strombrg at nis.acs.uci.edu
Thu Jul 11 18:58:21 EST 2002
On Tue, Jul 09, 2002 at 02:36:22PM -0700, jw schultz wrote:
> On Tue, Jul 09, 2002 at 11:03:25AM -0700, Dan Stromberg wrote:
> > On Mon, Jul 08, 2002 at 02:04:57PM -0700, jw schultz wrote:
> > > The default behavior should not modify files. The general
> > > purpose is to have the copies be the same as the original.
> > > A general --chmod or --pmask option might be acceptable for
> > > modifying the permissions flags but would need to be applied
> > > in generator as well as reciever.
> >
> > We're not modifying the content of files; we're eliminating security
> > holes. Surely folks see the sense of this?
>
> Then don't use the --perms option.
This might work. Will it still keep all my rwx bits intact?
> > Important things shouldn't be hard to do (you shouldn't have to parse a
> > log and write a shell script to do what should be default behavior),
> > just as dumb things shouldn't be easy to do (EG, clicking on attachments
> > in lookout).
> >
> > > For almost any case like this the way to deal with it is in
> > > the mount options. For -s to be active and ownership
> > > preserved root has to be doing the transfer anyway. Try
> > > mounting the filesystem -o noexec,nodev That way the backup
> > > will have all the same permissions bits but there need be no
> > > worry about users abusing it if given access.
> >
> > If you had ever seen something like the huge software library we give to
> > our clients, you wouldn't say this. We simply must have set[ug]id, but
> > only for secure binaries. Having an insecure setuid root ~ file is a
> > vastly larger problem than not being able to run some ~ file without
> > minimal sysadmin intervention first.
>
> I don't get what you are doing. Where did these insecure
> suid root files come from in the first place?
Have you ever read bugtraq on a regular basis? They're coming out of
the woodwork.
--
Dan Stromberg UCI/NACS/DCS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.samba.org/archive/rsync/attachments/20020711/37996aa6/attachment.bin
More information about the rsync
mailing list