Hello,
Russell Howe wrote:
Arno Lehmann wrote:
Thinking about it some more I'd suggest to implement some basic security
features before passing any script output to baculas working parts.
- paths without leading / (or drive letter, for windows) should be
considered an error,
- \0 should be an error,
- scripts should have to be owned by root or the user bacula runs as and
must have access rights 0700. For example.
None of these would protect against a directory name which ends in \n
Right, but it should prevent the security issues with directories
containing \n. At least most of them.
If a user creates a file /home/user/exploit/try\netc/shadow has this
backed up (listing the directory or file via script output, of course)
the file etc/shadow would be backed up.
The user later asks to restore (or even manages this himself -
restricted console might seduce admins to allow this) the contents of
/home/user/exploit\ntry/ to a different location, he has his personal
copy of /etc/shadow.
Admittedly, there need to be some more coincidences:
the FD runs in /
nobody notices the funny directory name
preparing for restore is done by the user or someone stupid or
overworked or who doesn't know unix file name conventions...
the access rights for shadow have to allow the user to access that file.
Stick bit, perhaps? I don't know.
And other considerations.
Anyway.
Although this is an unlikely scenario, it could be prevented.
If, during backup, the file name etc/shadow is immediately rejected
nothing of this could happen that easily.
Thinking about directories ending with \n - in the few minutes I thought
about this I couldn't find a solution for this. Except, and that's the
reason for my other suggestions, encouraging the backup admins to really
take care for their filesets - like making sure that file names are
quoted, when necessary.
Or, to sum this up: Do what can be safely done to make software robust
against this sort of exploits, and document the known gaps as well as
the methods your software works, so the one using it knows what to
expect, and what to avoid.
Arno
--
IT-Service Lehmann [EMAIL PROTECTED]
Arno Lehmann http://www.its-lehmann.de
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
