On Tuesday 13 August 2013 09:07 PM, Justin T Pryzby wrote:
On Tue, Aug 13, 2013 at 08:44:08PM +0530, Sherin A wrote:
On Tuesday 13 August 2013 05:50 PM, Paul Slootman wrote:
On Tue 13 Aug 2013, Matthias Schniedermeyer wrote:
BUT there is no direct vulnerability in that, only processes after that
(like backup/rsync) can make a vulnerability out of it.
... which is what I already wrote.
So the solution is to upgrade the kernel to 3.6 in all operating
system installations? If it were one server, that would be a
solution. Is it possible to add a flag to exclude hard links of
regular files instead of waiting for the OS vendors to update their
kernel to 3.6?
Matthias already pointed out that the changed default behavior in the
new kernel is meant to help users avoid shooting themselves in the
foot, but doesn't implement added security. In particular, it doesn't
fix pre-existing hardlinks created by users who can't read the file;
indeed, it can't, since there is no place where the "creator" of the
hardlink is stored.
You need to realize that every normal file is a hardlink. /etc/shadow
is a hardlink, as is $HOME/my_shadow. There is no "original" or "more
important" link to the file, they are all equal in the eyes of the
kernel.
Why are your files being restored with different access permissions
than the original file? The UID/GID/mode should be restored to the
same values as in the backup. A user's hardlink of /etc/shadow will be
restored as root/root, 00640, same as the hardlink before backup, and
(necessarily) the same as the original file (remember, every link
points to an inode, which is where the metadata is stored:
UID/GID/perms/timestamps).
Justin
For a Linux user foo, with home /home/foo, what ownership do we need
to give the files under his home folder? It must be "foo" and not root.
If he created a HL at /home/foo/shadow, it will have root ownership.
After that, when rsync takes the backup, the file will be a regular file
with one link:
root@cptest [~]# stat /home/dom2inho/shadow
  File: `/home/dom2inho/shadow'
  Size: 1344        Blocks: 8          IO Block: 4096   regular file
Device: f2e3h/62179d    Inode: 41817204    Links: 2    ========> Two links
Access: (0200/--w-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-08-13 04:52:16.000000000 -0400
Modify: 2013-08-13 04:52:15.000000000 -0400
After rsync it will be as follows:
root@cptest [~]# stat /backup/dom2inho/shadow
  File: `/backup/dom2inho/shadow'
  Size: 1344        Blocks: 8          IO Block: 4096   regular file
Device: f2e3h/62179d    Inode: 27526922    Links: 1    ===========> regular file with one link
Access: (0200/--w-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2013-08-13 12:04:33.000000000 -0400
Modify: 2013-08-13 04:52:15.000000000 -0400
Change: 2013-08-13 12:04:33.000000000 -0400
root@cptest [~]# find /home/dom2inho/ -type f -links +1     => He has a hard link in home
/home/dom2inho/shadow
root@cptest [~]# find /backup/dom2inho -type f -links +1    => There is no hard link in backup
root@cptest [~]#
--
--------------------------------------
Regards
Sherin A
http://www.sherin.co.in/
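The following script is an added example and is not part of the thread or of rsync itself. It reproduces the situation Justin and Sherin describe on a constructed temporary tree (the real /etc/shadow is never touched): a "shadow" file, a user's hardlink to it under a fake home, and a plain copy of that hardlink standing in for what rsync produces when it is not told to preserve hardlinks. It shows that both names of the hardlinked file report the same inode, link count and mode, that the copy is a fresh inode with one link but the same mode, and it packages the check a backup operator would actually want: list multiply-linked regular files under a home directory that are not owned by the home's owner (the "user hardlinked /etc/shadow into $HOME" pattern), and read the kernel's fs.protected_hardlinks setting. Everything assumes a Linux host with GNU coreutils (stat -c, find -uid); the function and path names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the rsync thread. Assumes GNU stat/find on Linux.

# Inode number of a path: two hardlinks report the same number.
inode_of() { stat -c '%i' "$1"; }

# Hard link count of a path (the "Links:" field of stat).
link_count() { stat -c '%h' "$1"; }

# Octal mode of a path, e.g. 640 (stat prints it without a leading zero).
mode_of() { stat -c '%a' "$1"; }

# Regular files under DIR with more than one link that are NOT owned by
# OWNER_UID. In a user's home, a hit means a hardlink to someone else's file,
# which is exactly what a backup may later turn into a standalone copy.
find_foreign_hardlinks() {
    dir=$1; owner_uid=$2
    find "$dir" -xdev -type f -links +1 ! -uid "$owner_uid"
}

# Kernel 3.6+ knob that refuses new hardlinks to files the caller cannot
# access; prints "unknown" on older kernels or inside restricted containers.
protected_hardlinks_setting() {
    cat /proc/sys/fs/protected_hardlinks 2>/dev/null || echo unknown
}

# Build a constructed tree under a fresh temp dir and print its path.
# Contents are made up; nothing outside the temp dir is read or written.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/home/foo" "$tmp/backup/foo"
    printf 'root:*:15000:0:99999:7:::\n' > "$tmp/etc/shadow"
    chmod 0640 "$tmp/etc/shadow"                  # the 00640 from the thread
    ln "$tmp/etc/shadow" "$tmp/home/foo/shadow"   # the user's hardlink
    # A copy, as a backup without hardlink preservation produces: new inode,
    # one link, mode carried over from the shared inode.
    cp -p "$tmp/home/foo/shadow" "$tmp/backup/foo/shadow"
    printf '%s\n' "$tmp"
}

demo() {
    t=$(make_demo_tree)
    for f in etc/shadow home/foo/shadow backup/foo/shadow; do
        printf '%-18s inode=%s links=%s mode=%s\n' "$f" \
            "$(inode_of "$t/$f")" "$(link_count "$t/$f")" "$(mode_of "$t/$f")"
    done
    echo "hardlinks in home/foo not owned by uid $(id -u):"
    find_foreign_hardlinks "$t/home/foo" "$(id -u)"
    echo "fs.protected_hardlinks = $(protected_hardlinks_setting)"
    rm -rf "$t"
}

demo
```

Run as an ordinary user the demo tree is all yours, so the foreign-hardlink check prints nothing; on a real system run `find_foreign_hardlinks /home/foo "$(id -u foo)"` as root to see whether foo holds links to files that are not his. Note that a setting of 1 for fs.protected_hardlinks only blocks new link() calls; links created before the upgrade stay and are still found by the check.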
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html