On Tuesday 13 August 2013 08:56 PM, Matthias Schniedermeyer wrote:
On 13.08.2013 20:44, Sherin A wrote:
On Tuesday 13 August 2013 05:50 PM, Paul Slootman wrote:
On Tue 13 Aug 2013, Matthias Schniedermeyer wrote:
BUT there is no direct vulnerability in that, only processes after that
(like backup/rsync) can make a vulnerability out of it.
... which is what I already wrote.


Paul
So the solution is to upgrade the kernel to 3.6 in all operating
system installations? If it is one server, then that would be a
solution. Is it possible to add a flag to exclude hard links of
regular files instead of waiting for the OS vendors to update their
kernel to 3.6?
The other solution, if possible, is using separate
root/data(/whatever) filesystems.

As hardlinks only work inside a single filesystem, if you can
separate different things you significantly reduce the problematic
cases.
The described "problem" with /etc/shadow can be prevented by that: if
the file isn't on the same filesystem, it can't be hardlinked.

The advantage of this solution is that it works for (all) older
kernels.



=== Bum  again the third post =======

Thanks for your reply. But think about the real world users. It is not always the case that /home will be on a separate disk partition, or /tmp, /var/tmp, /usr/tmp. Think about an OpenVZ VPS or a disk with everything on / (most of the cloud servers). Rsync is used on a lot of production servers as a better tool for file backups. As in the case of a hosting server, we can't always trust all hosting users on a single server. Also, just ignore the shadow file and let us say there are two users on /home/foo and /home/fun, and the user fun created a hardlink to /home/foo/joomla/configuration.php, which contains the database information of user foo's Joomla site. Maybe this user created this type of hardlink to all the directories and files inside /home. So simply requesting a restore will revert the files into a form he can read, and he can wipe out everything.

Thank you, Matthias, for looking into it; awaiting further updates.

--
--------------------------------------
Regards
Sherin A
http://www.sherin.co.in/

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
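A defender-side check for the two scenarios discussed in this thread (a hardlink from one user's home into another's, and a hardlink to a file such as /etc/shadow on the same filesystem), written as an added example that is not rsync code and not from anyone on the list: it scans a /home-style tree for hardlinks that cross top-level user directories or that have links outside the scanned tree, tests whether two paths share a filesystem (the separation argument above), and reads the fs.protected_hardlinks sysctl that Linux 3.6 introduced. The fixture tree, the user names foo/fun, the file names and the PLACEHOLDER content are constructed for the demo.

```python
import os
import tempfile
from collections import defaultdict

def protected_hardlinks_enabled():
    """fs.protected_hardlinks (Linux 3.6+) is the kernel-side fix; None if unavailable."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as f:
            return f.read().strip() == "1"
    except OSError:
        return None

def same_filesystem(path_a, path_b):
    """A hardlink between the two locations is only possible if st_dev matches."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev

def cross_user_hardlinks(home_root):
    """Return {(dev, ino): [paths]} for inodes linked from more than one top-level
    user directory, or with more links (st_nlink) than were found inside the tree."""
    seen = defaultdict(lambda: [0, set()])
    for dirpath, _dirs, files in os.walk(home_root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: count hardlinks, do not follow symlinks
            if st.st_nlink > 1:
                entry = seen[(st.st_dev, st.st_ino)]
                entry[0] = st.st_nlink
                entry[1].add(full)
    hits = {}
    for key, (nlink, paths) in seen.items():
        users = {os.path.relpath(p, home_root).split(os.sep)[0] for p in paths}
        if len(users) > 1 or len(paths) < nlink:
            hits[key] = sorted(paths)
    return hits

def build_sample_tree(base):
    # Constructed fixture: foo's config file plus a hardlink to it under fun.
    foo_cfg = os.path.join(base, "foo", "joomla", "configuration.php")
    fun_link = os.path.join(base, "fun", "config-copy.php")
    os.makedirs(os.path.dirname(foo_cfg))
    os.makedirs(os.path.dirname(fun_link))
    with open(foo_cfg, "w") as f:
        f.write("<?php $password = 'PLACEHOLDER';\n")
    os.link(foo_cfg, fun_link)
    return foo_cfg, fun_link

def demo():
    # Scan the fixture; returns the flagged links as paths relative to the root.
    with tempfile.TemporaryDirectory() as base:
        foo_cfg, fun_link = build_sample_tree(base)
        flagged = [[os.path.relpath(p, base) for p in v] for v in cross_user_hardlinks(base).values()]
        return {"same_fs": same_filesystem(foo_cfg, fun_link), "flagged": flagged}
```

Running cross_user_hardlinks over the real backup source before an rsync run (or over the backup destination before a restore) surfaces exactly the links that a restore would turn into readable copies.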
