Security problem with Solstice Backup/Legato Networker recover

From: Chris Siebenmann (cksat_private)
Date: Tue Jan 04 2000 - 14:37:04 PST

     The 'recover' command in Solstice Backup (Sun's relabeled version
    of Legato Networker) on a Unix machine authorized to perform restore
    operations from the backup server can be used by a normal user to
    restore any file accessible to the machine in a readable-to-them state
    (although it cannot be used to overwrite system files).
    
     This can be used to get your own copy of /etc/shadow for password
    cracking purposes, or simply to read other people's confidential files.
    
     We have been told that there is no way to restrict a machine so that it
    can perform backups but not recovers. (My group doesn't run the server,
    just some client machines.)
    
     Basic problem: the 'recover' command is an ordinary unprivileged
    program. Although it attempts to perform permission checking, it is
    trivial to fool it into thinking it is running as any arbitrary user,
    including root, by using such methods as a LD_PRELOAD'd library that
    overrides appropriate functions.
    
     This has obvious implications for the server <-> client protocol.
    
     Version information: our server is running Solstice Backup 5.1 with
    Sun patch 106408-5 (11Aug1999 patch) which is apparently equivalent to
    Legato Networker.5.1.Build.264.
    
    	- cks
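
Added example, not part of the original post and not Sun's or Legato's code: a toy Python model of the trust boundary the message describes, comparing a server that relies on the uid reported by an unprivileged client with one that decides from per-host policy alone. The index contents, host names, policy format and all function names are hypothetical, and the real NetWorker protocol is not modelled.

```python
# Added illustration: a toy model, not the NetWorker/Solstice Backup protocol.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:                 # one file in the backup index
    owner_uid: int
    mode: int                # Unix permission bits

# Constructed sample index.
INDEX = {
    "/etc/shadow": Entry(0, 0o400),
    "/etc/motd": Entry(0, 0o644),
    "/home/alice/notes.txt": Entry(1001, 0o600),
}

def may_read(entry, uid):
    """Owner/other read check; group bits are left out to keep the model small."""
    if uid == 0:
        return True
    bit = 0o400 if uid == entry.owner_uid else 0o004
    return bool(entry.mode & bit)

def trusting_server(host, claimed_uid, path, authorized_hosts):
    """Weak design: only the machine is authenticated; the uid is whatever the
    unprivileged client program reports about itself."""
    return (host in authorized_hosts and path in INDEX
            and may_read(INDEX[path], claimed_uid))

def enforcing_server(host, claimed_uid, path, recover_policy):
    """Server-side design: the machine is the only principal the server can
    verify, so the decision uses per-host policy and ignores claimed_uid."""
    prefixes = recover_policy.get(host, ())   # host absent = backup-only
    return path in INDEX and any(path.startswith(p) for p in prefixes)

def exposure(server, host, conf):
    """Paths a local user on `host` could obtain if the uid claim is arbitrary."""
    uids = {0} | {e.owner_uid for e in INDEX.values()}
    return sorted(p for p in INDEX if any(server(host, u, p, conf) for u in uids))

if __name__ == "__main__":
    print(exposure(trusting_server, "lab1", {"lab1"}))
    print(exposure(enforcing_server, "lab1", {"admin1": ("/",)}))
    print(exposure(enforcing_server, "lab1", {"lab1": ("/home/alice/",)}))
```

The exposure() result is the worst case an administrator should plan for: under the trusting design it is the whole index for every authorized multi-user host.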
    


