On Sun, Apr 17, 2005 at 05:13:44PM +0200, Bastian Blank wrote:
> On Sun, Apr 17, 2005 at 03:46:35PM +0200, Lionel Elie Mamane wrote:
>> For one, it forces backup programs to run as root, instead of
>> another user ID member of "disk". This makes stepping up from a
>> compromise of the backup server to a full root compromise of the
>> backed-up machines far easier, when using a partition-based network
>> backup system.

> Write access to the devices is mostly equivalent to root. Better use
> CAP_DAC_READ.

This may be better in some abstract sense, but in a practical sense, with capabilities as implemented in Linux, it needs modifying all backup programs (or running them as root), because if they don't do special Linux-specific things via prctl(), they'll lose any capability you may have bestowed on them when they setuid() to a non-privileged user.

Besides, for partition-level backup, arguably regular rights to read the device are better (because more fine-grained) than blanket rights to read all. (Although theoretically, reading the device means you can read anything, it makes it _harder_ for the attacker. That's always something gained.)

That's no _practical_ solution, _right_ _now_.

-- 
Lionel

