
Re: [rdiff-backup-users] "warning security violation" on fs_abilities.re


From: Andrew Ferguson
Subject: Re: [rdiff-backup-users] "warning security violation" on fs_abilities.restore_set_globals when trying to restore [ctd]
Date: Fri, 25 Jul 2008 11:20:34 -0400


On Jul 25, 2008, at 10:15 AM, Klaas Gadeyne wrote:

On Fri, 25 Jul 2008, Andrew Ferguson wrote:
On Jul 25, 2008, at 8:02 AM, Klaas Gadeyne wrote:
It seems like I have the same problem as described previously on this mailing list <http://www.mail-archive.com/address@hidden/msg02352.html>
To be short:
- backups work fine
- restores don't
[...]
I'm trying this on 2 Debian stable systems (using the Debian packages, that is). I tried with *both* the official stable package and the one in backports, so the issue seems to be unrelated to rdiff version 1.1.5.

sh-3.1$ ls -l /var/cache/apt/archives/rdiff-backup_1.1.*
-rw-r--r-- 1 root root 186224 2008-03-20 09:32 /var/cache/apt/archives/rdiff-backup_1.1.15-2~bpo40+1_amd64.deb
-rw-r--r-- 1 root root 175064 2006-12-27 23:02 /var/cache/apt/archives/rdiff-backup_1.1.5-4_amd64.deb

Unfortunately, it seems that no solution was provided (at least not *on* list [*]). Any suggestions to further debug this issue?

That issue was never resolved for two reasons: I cannot reproduce this problem and the original poster never returned my last (off list) message.

For the original poster, it became apparent that the restore could work the other way -- that is, by logging on to 'pc00136-backup', the user could do 'rdiff-backup -r now backup-host::/test-backup /tmp/testrestore'.

I have again, just now, tested restoring to a remote host (like you want to do) and it went fine using the latest rdiff-backup. Personally, I suspect that there is some sort of misconfiguration (at your end, or Debian's) due to the multiple versions of rdiff-backup, paths, etc.

I guess it will be at my end :-( (unless no user of the debian package has ever tried to restore so far, or they were too lazy to submit a bug report :-)

To start debugging this issue yourself, you will need to:

1) Make sure there is only one copy of the rdiff-backup files on your remote system. These files live inside the Python site-packages directory. A simple `locate librsync.py` should point you in the right direction.

address@hidden:/ # locate librsync.py
/usr/share/python-support/rdiff-backup/rdiff_backup/librsync.py
/var/lib/python-support/python2.4/rdiff_backup/librsync.py
/var/lib/python-support/python2.4/rdiff_backup/librsync.pyc
address@hidden:/ # ll /usr/share/python-support/rdiff-backup/rdiff_backup/librsync.py
-rw-r--r-- 1 root root 6741 2008-01-03 16:36 /usr/share/python-support/rdiff-backup/rdiff_backup/librsync.py
address@hidden:/ # ll /var/lib/python-support/python2.4/rdiff_backup/librsync.py
lrwxrwxrwx 1 root root 63 2008-07-25 11:38 /var/lib/python-support/python2.4/rdiff_backup/librsync.py -> /usr/share/python-support/rdiff-backup/rdiff_backup/librsync.py

So this condition seems to be fulfilled.

2) Check the following lines inside rdiff-backup's files. If you want, you can simply send me the files as attachments and I will check them.

- In rdiff_backup/Security.py, there should be a line which has "fs_abilities.restore_set_globals" as part of an 'if sec_level == "all":' test.

There is

    if sec_level == "all":
        l.extend(["os.mkdir", "os.chown", "os.lchown", "os.rename",
                  "os.unlink", "os.remove", "os.chmod", "os.makedirs",
                  "backup.DestinationStruct.patch",
                  "restore.TargetStruct.get_initial_iter",
                  "restore.TargetStruct.patch",
                  "restore.TargetStruct.set_target_select",
                  "fs_abilities.restore_set_globals",
                  "fs_abilities.single_set_globals",
                  "regress.Regress", "manage.delete_earlier_than_local"])

- In rdiff_backup/Globals.py, there should be a line which has 'security_level = "all"'

OK too.

address@hidden:/ # locate Globals.py
/usr/share/python-support/rdiff-backup/rdiff_backup/Globals.py
/var/lib/python-support/python2.4/rdiff_backup/Globals.py
/var/lib/python-support/python2.4/rdiff_backup/Globals.pyc
address@hidden:/ # ll /var/lib/python-support/python2.4/rdiff_backup/Globals.py
lrwxrwxrwx 1 root root 62 2008-07-25 11:38 /var/lib/python-support/python2.4/rdiff_backup/Globals.py -> /usr/share/python-support/rdiff-backup/rdiff_backup/Globals.py
address@hidden:/ # grep security_level /var/lib/python-support/python2.4/rdiff_backup/Globals.py
# security_level has 4 values and controls which requests from remote
security_level = "all"

Lastly, if indeed those are the only copies of Security.py and Globals.py on your system, and those lines are set as I indicated, then you should run rdiff-backup with "-v9" (not "-v7") to get the highest level of debugging. Then, e-mail the *complete* output to the mailing list. Please do not snip any part of the debug messages. Although you may not understand the Python stuff, folks on this mailing list do. :-)

sh-3.1$ rdiff-backup -v9 --restore-as-of now test-backup pc00136-backup::/tmp/testrestore
Fri Jul 25 16:04:46 2008  Using rdiff-backup version 1.1.15
Fri Jul 25 16:04:46 2008 Using mirror root directory /var/backups/test-backup
Fri Jul 25 16:04:46 2008 Executing ssh -C pc00136-backup rdiff-backup --server
Fri Jul 25 16:04:46 2008 Client sending (0): ConnectionRequest: Globals.get with 1 arguments
Fri Jul 25 16:04:46 2008  Client sending (0): 'version'
Fri Jul 25 16:04:46 2008  Client received (0): '1.1.15'
Fri Jul 25 16:04:46 2008  Registering connection 1
Fri Jul 25 16:04:46 2008 Client sending (0): ConnectionRequest: SetConnections.init_connection_remote with 1 arguments
Fri Jul 25 16:04:46 2008  Client sending (0): 1
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: log.Log.setverbosity with 1 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): 9
Fri Jul 25 16:04:47 2008  Server sending (0): None
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: log.Log.setterm_verbosity with 1 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): 9
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: log.Log.setterm_verbosity with 1 arguments
Fri Jul 25 16:04:47 2008  Server received (0): 9
Fri Jul 25 16:04:47 2008  Server sending (0): None
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: Globals.set with 2 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): 'rbdir'
Fri Jul 25 16:04:47 2008 Client sending (0): Path: /var/backups/test-backup/rdiff-backup-data
Index: ()
Data: {'uid': 34, 'perms': 448, 'type': 'dir', 'gname': 'backup', 'ctime': 1216984511, 'devloc': 2049L, 'uname': 'backup', 'nlink': 3, 'gid': 34, 'mtime': 1216984511, 'atime': 1216993129, 'inode': 295079, 'size': 4096}
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: Globals.set with 2 arguments
Fri Jul 25 16:04:47 2008  Server received (0): 'rbdir'
Fri Jul 25 16:04:47 2008 Server received (0): Path: /var/backups/test-backup/rdiff-backup-data
Index: ()
Data: {'size': 4096, 'ctime': 1216984511, 'perms': 448, 'inode': 295079, 'mtime': 1216984511, 'devloc': 2049L, 'uname': 'backup', 'nlink': 3, 'gname': 'backup', 'gid': 34, 'atime': 1216993129, 'type': 'dir', 'uid': 34}
Fri Jul 25 16:04:47 2008  Server sending (0): None
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: C.make_file_dict with 1 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): '/tmp/testrestore'
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: C.make_file_dict with 1 arguments
Fri Jul 25 16:04:47 2008  Server received (0): '/tmp/testrestore'
Fri Jul 25 16:04:47 2008  Server sending (0): {'type': None}
Fri Jul 25 16:04:47 2008  Client received (0): {'type': None}
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: C.make_file_dict with 1 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): '/tmp/testrestore'
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: C.make_file_dict with 1 arguments
Fri Jul 25 16:04:47 2008  Server received (0): '/tmp/testrestore'
Fri Jul 25 16:04:47 2008  Server sending (0): {'type': None}
Fri Jul 25 16:04:47 2008  Client received (0): {'type': None}
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: Time.setcurtime_local with 1 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): 1216994687
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: Time.setcurtime_local with 1 arguments
Fri Jul 25 16:04:47 2008  Server received (0): 1216994687
Fri Jul 25 16:04:47 2008  Server sending (0): None
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: Globals.set with 2 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): 'client_conn'
Fri Jul 25 16:04:47 2008  Client sending (0): LocalConnection
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: Globals.set with 2 arguments
Fri Jul 25 16:04:47 2008  Server received (0): 'client_conn'
Fri Jul 25 16:04:47 2008  Server received (0): PipeConnection 0
Fri Jul 25 16:04:47 2008  Server sending (0): None
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: Globals.postset_regexp_local with 3 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): 'no_compression_regexp'
Fri Jul 25 16:04:47 2008 Client sending (0): '(?i).*\\.(gz|z|bz|bz2|tgz|zip|rpm|deb|jpg|jpeg|gif|png|jp2|mp3|ogg|avi|wmv|mpeg|mpg|rm|mov|flac|shn|pgp|gpg|rz|lzh|zoo|lharc|rar|arj|asc)$'
Fri Jul 25 16:04:47 2008  Client sending (0): None
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: Globals.postset_regexp_local with 3 arguments
Fri Jul 25 16:04:47 2008  Server received (0): 'no_compression_regexp'
Fri Jul 25 16:04:47 2008 Server received (0): '(?i).*\\.(gz|z|bz|bz2|tgz|zip|rpm|deb|jpg|jpeg|gif|png|jp2|mp3|ogg|avi|wmv|mpeg|mpg|rm|mov|flac|shn|pgp|gpg|rz|lzh|zoo|lharc|rar|arj|asc)$'
Fri Jul 25 16:04:47 2008  Server received (0): None
Fri Jul 25 16:04:47 2008  Server sending (0): None
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: robust.install_signal_handlers with 0 arguments
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: robust.install_signal_handlers with 0 arguments
Fri Jul 25 16:04:47 2008  Server sending (0): None
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: Hardlink.initialize_dictionaries with 0 arguments
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: Hardlink.initialize_dictionaries with 0 arguments
Fri Jul 25 16:04:47 2008  Server sending (0): None
Fri Jul 25 16:04:47 2008  Client received (0): None
Fri Jul 25 16:04:47 2008 Client sending (0): ConnectionRequest: fs_abilities.restore_set_globals with 1 arguments
Fri Jul 25 16:04:47 2008  Client sending (0): Path: /tmp/testrestore
Index: ()
Data: {'type': None}
Fri Jul 25 16:04:47 2008 Server received (0): ConnectionRequest: fs_abilities.restore_set_globals with 1 arguments
Fri Jul 25 16:04:47 2008  Server received (0): Path: /tmp/testrestore
Index: ()
Data: {'type': None}
Fri Jul 25 16:04:47 2008  Sending back exception
Warning Security Violation!
Bad request for function: fs_abilities.restore_set_globals
with arguments: [<rdiff_backup.rpath.RPath instance at 0xb78e222c>]
of type rdiff_backup.Security.Violation:
File "/var/lib/python-support/python2.4/rdiff_backup/connection.py", line 333, in answer_request
   Security.vet_request(request, argument_list)
File "/var/lib/python-support/python2.4/rdiff_backup/Security.py", line 221, in vet_request
   raise_violation(request, arglist)
File "/var/lib/python-support/python2.4/rdiff_backup/Security.py", line 203, in raise_violation
   raise Violation("\nWarning Security Violation!\n"


This doesn't make any sense. Everything seems correct. :-(

You could try deleting all of the *.pyc files in /var/lib/python-support/python2.4/rdiff_backup/ ... those files are just temporary compiled Python and could potentially cause problems if they are out of sync. Python will regenerate them automatically from the source.

Also, what version of Python is running on the server? (pc00136) And did you do the --restrict-read-only options that Dean suggests in his HOWTO?

I guess I will have to set up Debian to check this. I just tried pushing a restore with 1.1.15 with CentOS client and Ubuntu server with no trouble.


Andrew
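
Added example (not part of the original message and not rdiff-backup's own code): a simplified model of the per-security-level allowlist check that the quoted Security.py excerpt and the traceback point to, replaying the request order from the -v9 log. The "read-only" level name and the contents of BASE_ALLOWED are assumptions made for illustration.

```python
# Toy per-level allowlist for remote requests. NOT rdiff-backup's Security.py;
# level names other than "all" and the BASE_ALLOWED contents are assumptions.

class Violation(Exception):
    """A remote request named a function the current level does not allow."""

# Requests that succeed in the quoted -v9 log before the failure
# (assumed here to be permitted at every level).
BASE_ALLOWED = frozenset([
    "Globals.get", "Globals.set", "SetConnections.init_connection_remote",
    "log.Log.setverbosity", "log.Log.setterm_verbosity", "C.make_file_dict",
    "Time.setcurtime_local", "Globals.postset_regexp_local",
    "robust.install_signal_handlers", "Hardlink.initialize_dictionaries",
])

# A few of the entries quoted in the thread under `if sec_level == "all":`.
ALL_ONLY = frozenset([
    "os.mkdir", "os.chmod", "restore.TargetStruct.patch",
    "fs_abilities.restore_set_globals", "fs_abilities.single_set_globals",
])

def allowed_requests(sec_level):
    """Build the allowlist for the level the server process is running at."""
    allowed = set(BASE_ALLOWED)
    if sec_level == "all":
        allowed |= ALL_ONLY
    return allowed

def vet_request(function_name, sec_level):
    """Raise Violation unless function_name is allowlisted at sec_level."""
    if function_name not in allowed_requests(sec_level):
        raise Violation("Bad request for function: " + function_name)

def first_violation(requests, sec_level):
    """Replay requests in order; return the first denied name, or None."""
    for name in requests:
        try:
            vet_request(name, sec_level)
        except Violation:
            return name
    return None

# Constructed replay: the request order from the log quoted in this thread.
LOGGED_REQUESTS = [
    "Globals.get", "SetConnections.init_connection_remote",
    "log.Log.setverbosity", "log.Log.setterm_verbosity", "Globals.set",
    "C.make_file_dict", "Time.setcurtime_local", "Globals.postset_regexp_local",
    "robust.install_signal_handlers", "Hardlink.initialize_dictionaries",
    "fs_abilities.restore_set_globals",
]
```

In this model the replay passes at "all" and stops at fs_abilities.restore_set_globals at any other level, so the level in effect in the running server process is what decides the outcome, not only the default written in Globals.py.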



