Fwd: Re: need help with an rsync patch

Sherin A sherinmon at gmail.com
Tue Aug 13 10:13:06 MDT 2013


On Tuesday 13 August 2013 09:07 PM, Justin T Pryzby wrote:
> On Tue, Aug 13, 2013 at 08:44:08PM +0530, Sherin A wrote:
>> On Tuesday 13 August 2013 05:50 PM, Paul Slootman wrote:
>>> On Tue 13 Aug 2013, Matthias Schniedermeyer wrote:
>>>> BUT there is no direct vulnerability in that, only processes after that
>>>> (like backup/rsync) can make a vulnerability out of it.
>>> ... which is what I already wrote.
>> So the solution is to upgrade the kernel to 3.6 in all Operating
>> systems installations? If it is one server, then it was a
>> solution. Is it possible to add a flag to exclude hard links of
>> regular file instead of waiting for the OS vendors to update their
>> kernel to 3.6?
> Matthias already pointed out that the changed default behavior in
> new kernel is meant to help users avoid shooting themselves in the
> foot, but doesn't implement added security.  In particular, it doesn't
> fix pre-existing hardlinks created by users who can't read the file;
> indeed, it can't, since there is no place where the "creator" of the
> hardlink is stored.
>
> You need to realize that every normal file is a hardlink.  /etc/shadow
> is a hardlink, as is $HOME/my_shadow.  There is no "original" or "more
> important" link to the file, they are all equal in the eyes of the
> kernel.
>
> Why are your files being restored with different access permissions
> than the original file?  The UID/GID/mode should be restored to the
> same values as in the backup.  A user's hardlink of /etc/shadow will be
> restored as root/root, 00640, same as the hardlink before backup, and
> (necessarily) the same as the original file (remember, every link
> points to an inode, which is where the metadata is stored:
> UID/GID/perms/timestamps).
>
> Justin
If the Linux user is foo, with home /home/foo, what ownership do we need to
give the files under his home folder? It must be "foo" and not root.

If he created a HL in /home/foo/shadow, it will be root ownership.
After that rsync takes backups, and the files will be regular files with
one link.
root at cptest [~]# stat /home/dom2inho/shadow
   File: `/home/dom2inho/shadow'
   Size: 1344          Blocks: 8          IO Block: 4096   regular file
Device: f2e3h/62179d    Inode: 41817204    Links: 2  - ========> Two links
Access: (0200/--w-------)  Uid: (    0/    root)   Gid: (    0/ root)
Access: 2013-08-13 04:52:16.000000000 -0400
Modify: 2013-08-13 04:52:15.000000000 -0400

After Rsync it will be as follows,

root at cptest [~]# stat /backup/dom2inho/shadow
   File: `/backup/dom2inho/shadow'
   Size: 1344          Blocks: 8          IO Block: 4096   regular file
Device: f2e3h/62179d    Inode: 27526922    Links: 1 ===========> regular file with one link
Access: (0200/--w-------)  Uid: (    0/    root)   Gid: (    0/ root)
Access: 2013-08-13 12:04:33.000000000 -0400
Modify: 2013-08-13 04:52:15.000000000 -0400
Change: 2013-08-13 12:04:33.000000000 -0400

root at cptest [~]# find /home/dom2inho/ -type f -links  +1 => He has a hard link in home
/home/dom2inho/shadow
root at cptest [~]# find /backup/dom2inho  -type f -links  +1 => There is no hard link in backup
root at cptest [~]#


-- 
--------------------------------------
Regards
Sherin A
http://www.sherin.co.in/
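
Added example (not part of the original message, and not rsync code): a Python audit for the case shown in the stat and find output above. It reports multiply-linked regular files in a home directory that are not owned by the expected user or that have another name outside the tree. The function names, the report fields and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict

def audit_hardlinks(root, expected_uid):
    """Report regular files under root with more than one link that are owned
    by someone other than expected_uid, or that have more links than names
    inside root (so another name exists elsewhere on the filesystem)."""
    by_inode = defaultdict(list)  # (device, inode) -> paths found under root
    meta = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                key = (st.st_dev, st.st_ino)
                by_inode[key].append(path)
                meta[key] = st
    findings = []
    for key, paths in by_inode.items():
        st = meta[key]
        reasons = []
        if st.st_uid != expected_uid:
            reasons.append("foreign-owner")
        if st.st_nlink > len(paths):
            reasons.append("linked-outside-tree")
        for path in (paths if reasons else []):
            findings.append({"path": path, "uid": st.st_uid,
                             "links": st.st_nlink, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])

def build_demo_tree(base):
    """Constructed sample: sys/secret stands in for a system file and
    home/shadow is a second name for the same inode."""
    sysdir, home = os.path.join(base, "sys"), os.path.join(base, "home")
    os.mkdir(sysdir)
    os.mkdir(home)
    for path in (os.path.join(sysdir, "secret"), os.path.join(home, "a")):
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
    os.link(os.path.join(sysdir, "secret"), os.path.join(home, "shadow"))
    os.link(os.path.join(home, "a"), os.path.join(home, "b"))  # link kept inside home
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for f in audit_hardlinks(build_demo_tree(base), os.geteuid()):
            print(f["links"], f["uid"], ",".join(f["reasons"]), f["path"])
```

Run against a copy made without preserving hard links, such as the /backup tree in the message, it reports nothing, because every file there has a link count of 1.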


