On Mon, 1 Nov 1999, Peter Walker wrote:

> I think it is fair to say that there is a problem with the amanda package
> as it is shipped on the FreeBSD 3.3 CD, rather than with the amanda backup
> system itself. It would be interesting to find out if any other "standard"
> os distributions have similar problems.
>
> Personally I would be very wary of entrusting the security of any of our
> systems to somebody else's packaging of a software package that by its
> nature requires unrestricted read access to all of my disks.

On the other hand, if you don't trust your OS with the contents of your disk, you're probably not going to install the OS. There is an equally strong argument that you should trust your OS vendor to adapt generally available packages for the local OS environment--often software developers write their software with a particular security architecture in mind (say, Linux or Solaris) which isn't quite the same as the local system (say, OpenBSD or FreeBSD). Installing SSH without vendor patches can often be a problem, as pointed out with the recent chflags-related bugs (where the SSH authors assumed that certain operations would always succeed). OS adaptation places some of the responsibility for security verification on the OS vendor or package developer, which seems appropriate, given that the OS vendor probably understands the OS best.

That said, it's probably also best if the OS vendor submits patches back to the software developer, and that the software developer incorporates the patches. There have been a number of cases where the FreeBSD community has failed to submit patches on software back to the developer, so the developer never knew that these changes were required on FreeBSD. There have also been numerous cases where the changes *have* been submitted back, but have been ignored by the vendor. I don't know that Amanda falls into either case, but it is something to consider when judging the merit of even having an OS-specific package system :-).

It should also be pointed out that the symlink bug described in the original post seems to be a bug in Amanda that is not platform-specific -- I haven't seen any further comment on that, only on the package installation. Has anyone verified that the amanda.debug file is created in such a way that a) it has a predictable name, and b) it follows symlinks? Really, it should probably go in /var/run (or equiv directory on whatever OS), should be created using O_CREAT and O_EXCL, or should be created using mktemp. Probably the first option is best.

Robert N M Watson
robertat_private
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

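
The O_CREAT and O_EXCL suggestion in the message above, as an added example that is not part of the original post and is not Amanda's code: it compares a plain O_CREAT open with an O_CREAT|O_EXCL open when a symlink already sits at the predictable name. The function names and the scratch directory under /tmp are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened form: O_EXCL makes open() fail with EEXIST if anything, including
 * a dangling symlink, already occupies the name; the link is not followed. */
int open_debug_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Weak form for comparison: O_CREAT alone follows an existing symlink
 * and creates or opens whatever it points to. */
int open_debug_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Constructed scenario in a private scratch directory: a symlink named
 * amanda.debug points at a file "victim" that does not exist yet.
 * Returns 1 if the opener created the victim through the link, 0 if it
 * did not, -1 if the scenario could not be set up. */
int victim_created(int (*opener)(const char *))
{
    char dir[] = "/tmp/dbgdemoXXXXXX";   /* assumed scratch location */
    char link[64], victim[64];
    struct stat st;
    int fd, hit;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/amanda.debug", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (symlink(victim, link) != 0) { rmdir(dir); return -1; }

    fd = opener(link);
    if (fd >= 0) close(fd);
    hit = (stat(victim, &st) == 0);      /* did the link target appear? */

    unlink(victim); unlink(link); rmdir(dir);
    return hit;
}

int main(void)
{
    printf("O_CREAT only created link target:   %d\n", victim_created(open_debug_unsafe));
    printf("O_CREAT|O_EXCL created link target: %d\n", victim_created(open_debug_excl));
    return 0;
}
```
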
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:29 PDT