Re: [rdiff-backup-users] SECURITY: Not all file ops accessed via vetted


From: Ben Escoto
Subject: Re: [rdiff-backup-users] SECURITY: Not all file ops accessed via vetted RPath objects? Also a path prefixing patch
Date: Thu, 18 Aug 2005 00:27:47 -0500

>>>>> Charles Duffy <address@hidden>
>>>>> wrote the following on Wed, 17 Aug 2005 01:54:18 -0500

> On the server:
>   rdiff-backup --server --restrict "$DATAPATH" --force-path-prefix "$DATAPATH"
...

Thanks for the report; I can see the bug too (I'm not sure the mkdir
got through, since it isn't on the list, but functions like
C.make_file_dict and os.listdir get through even if they're not in the
--restrict dir).  I listed it as bug 14209 on savannah.

> > What's the problem with having thousands of users?  It seems that
> > would be the safest way.  Otherwise, why not write a script that
> > checks the arguments to rdiff-backup, instead of patching
> > rdiff-backup?
> 
> - Checking the arguments to rdiff-backup:
>   Would you do this checking on the server or the client? Remember, I
> don't trust the client (which may have been subverted to try to retrieve
> another machine's backups), so it needs to be done on the server. Does
> the server have a nonspoofable way to check the client's command-line
> arguments without patching?

Well, I don't really understand your setup yet, but it seems any way
you do it, the client will have to authenticate itself to the server
somehow.  The script can just check these credentials in the same way
your patched rdiff-backup would.

> - Extra overhead/complexity from SSH
>   I brought this concern up earlier, and it hasn't been answered. Why
> bother with host keys, RSA authentication, and (unless disabled)
> encryption overhead when there's already a VPN in place providing a
> guarantee that the hosts are who they say they are?

You need some way of setting up a pipe from one server to the other.
You could use ssh without encryption, or rsh, or whatever way you were
going to use before (netcat?).  Just make sure rdiff-backup gets run
with the right uid on the server.


-- 
Ben Escoto
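The bug class Ben confirms above (some file operations reaching the filesystem without going through the --restrict check) is easiest to see next to a check that is applied uniformly. The example below is added for this page and is not rdiff-backup's own code: the `RestrictedFS` class, its `vet`/`listdir`/`stat` names and the directory layout it builds under a temporary directory are all assumptions. It shows one vetting function that canonicalizes a path (resolving `..` and symlinks) before comparing it with the restrict root, routes every exposed file operation through it, and contrasts that with a raw `os.listdir` call that the restrict setting never sees.

```python
import os
import tempfile


class RestrictedPathError(PermissionError):
    """Raised when a requested path resolves outside the restrict root."""


class RestrictedFS:
    """Hypothetical server-side wrapper: every exposed file operation
    calls vet() first, so there is no unvetted way to touch the disk."""

    def __init__(self, root):
        # Canonicalize the root once so comparisons are apples to apples.
        self.root = os.path.realpath(root)

    def vet(self, path):
        # Resolve '..' components and symlinks *before* comparing; a plain
        # string-prefix test on the unresolved path would let 'root/../x'
        # or a symlink pointing outside the root slip through.
        # os.path.join discards self.root if path is absolute, so absolute
        # paths are compared on their own merits and rejected if outside.
        real = os.path.realpath(os.path.join(self.root, path))
        if real != self.root and not real.startswith(self.root + os.sep):
            raise RestrictedPathError(f"{path!r} resolves outside {self.root!r}")
        return real

    def listdir(self, path="."):
        return sorted(os.listdir(self.vet(path)))

    def stat(self, path):
        return os.stat(self.vet(path))


def demo():
    """Build a constructed layout and report which requests the vetted
    wrapper allows, plus what an unvetted os.listdir would have returned."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "backups")       # the --restrict directory
    outside = os.path.join(base, "other-host")  # another client's data
    os.makedirs(root)
    os.makedirs(outside)
    open(os.path.join(root, "inside.txt"), "w").close()
    open(os.path.join(outside, "secret.txt"), "w").close()
    # A symlink inside the root that points outside it.
    os.symlink(outside, os.path.join(root, "escape"))

    fs = RestrictedFS(root)
    results = {"inside": fs.listdir(".")}
    for attempt in ("../other-host", "escape", os.path.join(base, "other-host")):
        try:
            fs.listdir(attempt)
            results[attempt] = "allowed"
        except RestrictedPathError:
            results[attempt] = "rejected"

    # The unvetted call: this is the kind of operation a restricted server
    # must never expose directly, because --restrict is not consulted.
    results["raw_listdir"] = sorted(os.listdir(os.path.join(root, "..", "other-host")))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the check lives in exactly one place and every operation the remote side can invoke is a thin wrapper over it; adding a new operation without calling `vet` reintroduces the hole, which is why a per-operation audit (or a wrapper object that owns all filesystem access) matters more than the strength of the check itself.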

Attachment: pgpwCKUA91I74.pgp
Description: PGP signature

