Fwd: Re: need help with an rsync patch
Sherin A
sherinmon at gmail.com
Tue Aug 13 10:13:06 MDT 2013
On Tuesday 13 August 2013 09:07 PM, Justin T Pryzby wrote:
> On Tue, Aug 13, 2013 at 08:44:08PM +0530, Sherin A wrote:
>> On Tuesday 13 August 2013 05:50 PM, Paul Slootman wrote:
>>> On Tue 13 Aug 2013, Matthias Schniedermeyer wrote:
>>>> BUT there is no direct vulnerability in that, only processes after that
>>>> (like backup/rsync) can make a vulnerability out of it.
>>> ... which is what I already wrote.
>> So the solution is to upgrade the kernel to 3.6 in all operating
>> system installations? If it is one server, then it was a
>> solution. Is it possible to add a flag to exclude hard links of
>> regular files instead of waiting for the OS vendors to update their
>> kernel to 3.6?
> Matthias already pointed out that the changed default behavior in
> new kernel is meant to help users avoid shooting themselves in the
> foot, but doesn't implement added security. In particular, it doesn't
> fix pre-existing hardlinks created by users who can't read the file;
> indeed, it can't, since there is no place where the "creator" of the
> hardlink is stored.
>
> You need to realize that every normal file is a hardlink. /etc/shadow
> is a hardlink, as is $HOME/my_shadow. There is no "original" or "more
> important" link to the file, they are all equal in the eyes of the
> kernel.
>
> Why are your files being restored with different access permissions
> than the original file? The UID/GID/mode should be restored to the
> same values as in the backup. A user's hardlink of /etc/shadow will be
> restored as root/root, 00640, same as the hardlink before backup, and
> (necessarily) the same as the original file (remember, every link
> points to an inode, which is where the metadata is stored:
> UID/GID/perms/timestamps).
>
> Justin
If there is a Linux user foo, with home /home/foo, what ownership do we
need to give the files under his home folder? It must be "foo" and not root.
If he created a HL in /home/foo/shadow, it will have root ownership.
After that, when rsync takes backups, the file will be a regular file with
one link:
root@cptest [~]# stat /home/dom2inho/shadow
File: `/home/dom2inho/shadow'
Size: 1344 Blocks: 8 IO Block: 4096 regular file
Device: f2e3h/62179d Inode: 41817204 Links: 2 - ========> Two links
Access: (0200/--w-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2013-08-13 04:52:16.000000000 -0400
Modify: 2013-08-13 04:52:15.000000000 -0400
After Rsync it will be as follows,
root@cptest [~]# stat /backup/dom2inho/shadow
File: `/backup/dom2inho/shadow'
Size: 1344 Blocks: 8 IO Block: 4096 regular file
Device: f2e3h/62179d Inode: 27526922 Links: 1 ===========> regular file with one link
Access: (0200/--w-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2013-08-13 12:04:33.000000000 -0400
Modify: 2013-08-13 04:52:15.000000000 -0400
Change: 2013-08-13 12:04:33.000000000 -0400
root@cptest [~]# find /home/dom2inho/ -type f -links +1     => He has a hard link in home
/home/dom2inho/shadow
root@cptest [~]# find /backup/dom2inho -type f -links +1    => There is no hard link in backup
root@cptest [~]#
--
--------------------------------------
Regards
Sherin A
http://www.sherin.co.in/
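
The manual `find ... -links +1` check from the message above, extended as an added example (not part of the original thread and not rsync's own code): it reports multiply-linked regular files in a home directory that the home's owner does not own, and turns them into an exclude list for rsync's existing `--exclude-from` option. The function names, the user "foo" and the output path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a home directory for hard links to files the user
# does not own (the /home/foo/shadow case) before backing it up.

# foreign_hardlinks HOME_DIR OWNER_UID
# Print regular files under HOME_DIR that have more than one link and are
# NOT owned by OWNER_UID. -xdev keeps find on one filesystem, since a hard
# link can never cross a filesystem boundary.
foreign_hardlinks() {
    root=${1%/}                       # tolerate a trailing slash
    find "$root" -xdev -type f -links +1 ! -user "$2" -print
}

# rsync_excludes HOME_DIR OWNER_UID
# Same list rewritten as anchored patterns ("/shadow") relative to HOME_DIR,
# for use as: rsync -a --exclude-from=FILE HOME_DIR/ DEST/
# Limitation: names containing newlines or rsync wildcard characters
# (* ? [) are not escaped here.
rsync_excludes() {
    root=${1%/}
    foreign_hardlinks "$root" "$2" | while IFS= read -r path; do
        printf '/%s\n' "${path#"$root"/}"
    done
}

# Example invocation (hypothetical user "foo"; run as root so that every
# file under the home directory is visible to find):
#   rsync_excludes /home/foo "$(id -u foo)" > /tmp/foo.excludes
#   rsync -a --exclude-from=/tmp/foo.excludes /home/foo/ /backup/foo/
```

Files the user owns and has hard-linked within the home directory are left alone; only links to inodes owned by someone else are listed.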